In the following procedures, you configure the load balancer in front of the two Directory Servers. Then you configure the load balancer for simple persistence. When the load balancer is configured for simple persistence, all Access Manager requests sent within a specified interval are sent to the same Directory Server for processing. Simple persistence ensures that within the specified interval, no errors or delays occur due to replication time or redirects when retrieving data.
When a request requires information to be written to Directory Server 1, that information is also replicated in Directory Server 2. But the replication takes time to complete. During that time, if a related request is directed by the load balancer to Directory Server 2, the request may fail.
For example, when simple persistence is not configured properly, creating a realm from the Access Manager administration console could fail in the following way. A request for the parent entry creation is routed to Directory Server 1, and a second request to create the subentry is routed to Directory Server 2. But if the parent entry request is not yet fully replicated to Directory Server 2, the subentry request fails. The result is a partially created realm which may not contain all its subentries such as realm administration roles. Simple persistence eliminates this type of error. When persistence is properly configured, both the parent entry request and the subentry request are routed to Directory Server 1. The requests are processed in consecutive order. The parent entry is fully created before the subentry request begins processing.
Contact your network administrator to obtain an available virtual IP address for the load balancer you want to configure.
You must also know the IP address of the load balancer hardware, the URL for the load balancer login page, and a username and password for logging in to the load balancer application.
The load balancer hardware and software used in the lab facility for this deployment is BIG-IP® manufactured by F5 Networks. If you are using different load balancer software, see the documentation that comes with that product for detailed settings information.
You must also have ready the IP addresses for Directory Server 1 and Directory Server 2.
To obtain these IP addresses, on each Directory Server host, run the following command:
Create a Pool.
A pool contains all the backend server instances.
Go to the URL for the BIG-IP load balancer login page.
Open the Configuration Utility.
Click “Configure your BIG-IP (R) using the Configuration Utility.”
In the left pane, click Pools.
On the Pools tab, click the Add button.
In the Add Pool dialog, provide the following information:
Add the IP address of both Directory Server hosts. In this case, add the IP address and port number for DirectoryServer-1:1389 and for DirectoryServer-2:1389.
Click the Done button.
Add a Virtual Server.
In the left frame, click Virtual Servers.
On the Virtual Servers tab, click the Add button.
In the Add a Virtual Server dialog box, provide the following information:
xxx.xx.69.14 (for LoadBalancer-1.example.com)
Continue to click Next until you reach the Pool Selection dialog box.
In the Pool Selection dialog box, assign the Pool (DirectoryServer-POOL) that you have just created.
Click the Done button.
Monitors are required for the load balancer to detect the backend server failures.
In the left frame, click Monitors.
Click the Basic Associations tab.
Add an LDAP monitor for the Directory Server 1 node.
Three columns exist on this page: Node, Node Address, and Service. In the Node column, locate the IP address and port number DirectoryServer-1:1389. Select the Add checkbox.
Add an LDAP monitor for the Directory Server 2 node.
In the Node column, locate the IP address and port number for DirectoryServer-2:1389. Select the Add checkbox.
At the top of the Node column, in the drop-down list, choose ldap-tcp.
Configure the load balancer for simple persistence.
Simple persistence returns a client to the same node to which it connected previously. Simple persistence tracks connections based only on the client IP address.
Verify the Directory Server load-balancer configuration.
Log in as a root user to the host of each Directory Server.
On each Directory Server host, use the tail command to monitor the Directory Server access log.
# cd /var/opt/mps/serverroot/slapd-am-config/logs
# tail -f access
You should see connections to the load balancer IP address opening and closing. Example:
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from xxx.xx.69.18 to xxx.xx.72.33
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - closing - B1
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - closed.
Execute the following LDAP search multiple times against the Directory Server load balancer:
# cd /var/opt/mps/serverroot/shared/bin/
# ./ldapsearch -h LoadBalancer-1.example.com -p 389 -b "o=example.com" -D "cn=directory manager" -w d1rm4n4ger "(objectclass=*)"
The ldapsearch operation should return entries. Make sure the LDAP search operations display in the same Directory Server access log.
Stop Directory Server 1, and again perform the following LDAP search against the Directory Server load balancer:
# cd /var/opt/mps/serverroot/slapd-am-config
# ./stop
# cd /var/opt/mps/serverroot/shared/bin/
# ./ldapsearch -h LoadBalancer-1.example.com -p 389 -b "o=example.com" -D "cn=directory manager" -w d1rm4n4ger "(objectclass=*)"
The ldapsearch operation should return entries. Verify that the Directory Server access entries display in only one Directory Server access log.
You may encounter the following error message:
# ./ldapsearch -h LoadBalancer-1.example.com -p 1389 -b "o=example.com" -D "cn=Directory Manager" -w d1rm4n4ger
ldap_simple_bind: Can't connect to the LDAP server - Connection refused
The load balancer may not fully detect that Directory Server 1 is stopped. Or you may have started the search too soon based on the polling interval setting. For example, if the polling interval is set to 10 seconds, you can wait ten seconds to start the search again. Or you can reset the timeout properties to a lower value.
Click the Monitors tab, and click the ldap-tcp monitor name.
In the Interval field, set the value to 5.
This tells the load balancer to poll the server every 5 seconds.
In the Timeout field, set the value to 16.
The default is 16 seconds. You can change this number to any value. In this deployment example, the BIG-IP documentation recommends that the timeout be at least three times the interval plus one second.
Repeat the LDAP search.
Restart the stopped Directory Server 1, and then stop Directory Server 2.
Confirm that the requests are forwarded to the running Directory Server 2.
Perform the following LDAP search against the Directory Server load balancer.
# cd /var/opt/mps/serverroot/shared/bin/
# ./ldapsearch -h LoadBalancer-1.example.com -p 389 -b "o=example.com" -D "cn=Directory Manager" -w d1rm4n4ger "(objectclass=*)"
The ldapsearch operation should return entries. Make sure the directory access entries display in only the one Directory Server access log.
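The verification steps above rely on reading both Directory Server access logs by eye to confirm that every search from the load balancer landed in only one of them. The following script, added here as an example and not part of the original deployment guide, automates that check: it parses the access-log connection and operation lines, counts SRCH operations on connections opened from the load balancer address, and reports whether simple persistence kept them on a single server. The log lines and the load balancer address 192.0.2.18 are constructed for the example.

```python
import re

# Constructed sample lines in Directory Server access-log format (not from a real deployment).
# A health-monitor probe opens and closes a connection with no operation; a client search
# shows up as BIND followed by SRCH on one connection. 192.0.2.18 stands in for the load balancer.
LB_IP = "192.0.2.18"
DS1_LOG = """\
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.0.2.18 to 192.0.2.33
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - closing - B1
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - closed.
[12/Oct/2006:13:10:25-0700] conn=55 op=-1 msgId=-1 - fd=23 slot=23 LDAP connection from 192.0.2.18 to 192.0.2.33
[12/Oct/2006:13:10:25-0700] conn=55 op=0 msgId=1 - BIND dn="cn=directory manager" method=128 version=3
[12/Oct/2006:13:10:25-0700] conn=55 op=1 msgId=2 - SRCH base="o=example.com" scope=2 filter="(objectclass=*)" attrs=ALL
[12/Oct/2006:13:10:31-0700] conn=56 op=-1 msgId=-1 - fd=24 slot=24 LDAP connection from 192.0.2.18 to 192.0.2.33
[12/Oct/2006:13:10:31-0700] conn=56 op=0 msgId=1 - BIND dn="cn=directory manager" method=128 version=3
[12/Oct/2006:13:10:31-0700] conn=56 op=1 msgId=2 - SRCH base="o=example.com" scope=2 filter="(objectclass=*)" attrs=ALL
""".splitlines()
DS2_LOG = """\
[12/Oct/2006:13:10:20-0700] conn=71 op=-1 msgId=-1 - fd=19 slot=19 LDAP connection from 192.0.2.18 to 192.0.2.34
[12/Oct/2006:13:10:20-0700] conn=71 op=-1 msgId=-1 - closing - B1
[12/Oct/2006:13:10:20-0700] conn=71 op=-1 msgId=-1 - closed.
""".splitlines()

CONN_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) op=-1 msgId=-1 - fd=\d+ slot=\d+ LDAP connection from (\S+) to \S+$")
OP_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) op=\d+ msgId=\d+ - ([A-Z]+)\b")

def parse_access_log(lines):
    """Map each connection id to its source IP and the list of operations it performed."""
    conns = {}
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            conns[m.group(1)] = {"src": m.group(2), "ops": []}
            continue
        m = OP_RE.match(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["ops"].append(m.group(2))
    return conns

def searches_from(lines, src_ip):
    """Count SRCH operations that arrived over connections opened from src_ip."""
    return sum(c["ops"].count("SRCH") for c in parse_access_log(lines).values() if c["src"] == src_ip)

def persistence_holds(logs, lb_ip):
    """True when every search forwarded by the load balancer landed in exactly one server's log."""
    counts = {server: searches_from(lines, lb_ip) for server, lines in logs.items()}
    return sum(1 for n in counts.values() if n > 0) == 1, counts

if __name__ == "__main__":
    ok, counts = persistence_holds({"DirectoryServer-1": DS1_LOG, "DirectoryServer-2": DS2_LOG}, LB_IP)
    print("persistence OK" if ok else "searches split across servers", counts)
```

To use it against a real deployment, replace the constructed lists with the contents of each server's access log and LB_IP with the address the load balancer connects from (xxx.xx.69.18 in the sample log entry above); monitor probes are ignored because they carry no SRCH operation.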