Deployment Example 2: Federation Using SAML v2

4.5 Configuring the Directory Server Load Balancers

In the following procedures, you configure one load balancer in front of the Directory Server configuration instances, and one load balancer in front of the Directory Server user data instances.

Use the following as your checklist for configuring the Directory Server load balancers:

  1. Configure Load Balancer 7 for the Directory Server Configuration instances.

  2. Configure Load Balancer 8 for the Directory Server User Data instances.

4.5.1 Simple Persistence

In this deployment, both Directory Server load balancers are configured for simple persistence. When the load balancer is configured for simple persistence, all Federation Manager requests sent within a specified interval are sent to the same Directory Server for processing. Simple persistence ensures that within the specified interval, no errors or delays occur due to replication time or redirects when retrieving data.

When a request requires information to be written to Directory Server 3SP, that information is also replicated in Directory Server 4SP. But the replication takes time to complete. During that time, if a related request is directed by the load balancer to Directory Server 4SP, the request may fail.

For example, when simple persistence is not configured properly, creating a realm from the Federation Manager administration console could fail in the following way. A request for the parent entry creation is routed to Directory Server 3SP, and a second request to create the subentry is routed to Directory Server 4SP. But if the parent entry request is not yet fully replicated to Directory Server 4SP, the subentry request fails. The result is a partially created realm which may not contain all its subentries such as realm administration roles. Simple persistence eliminates this type of error. When persistence is properly configured, both the parent entry request and the subentry request are routed to Directory Server 3SP. The requests are processed in consecutive order. The parent entry is fully created before the subentry request begins processing.
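As an added illustration (not code from the deployment guide), the following Python simulation replays the realm-creation race described above: two replicas with a constructed two-tick replication lag, a parent entry followed one tick later by its subentry, and a load balancer that either round-robins the two requests or pins the client's source address to one replica for a persistence timeout. The replica names, DNs, client address and lag are assumptions modelled on the page's example.

```python
REPLICATION_LAG = 2   # ticks before a write lands on the other replica (constructed)
SUFFIX = "o=siroe.com"

class Cluster:
    """Two replicas with asynchronous, lagging replication between them."""
    def __init__(self, names=("DirectoryServer-3SP", "DirectoryServer-4SP")):
        self.names = list(names)
        self.entries = {n: {SUFFIX} for n in names}
        self.inflight = []    # (deliver_at, target_replica, dn)

    def add(self, replica, dn, now):
        """LDAP add on one replica; fails when the parent is not there yet."""
        for w in [w for w in self.inflight if w[0] <= now]:   # settle due writes
            self.inflight.remove(w)
            self.entries[w[1]].add(w[2])
        if dn.split(",", 1)[1] not in self.entries[replica]:
            return False      # ldap_add: No such object (parent not replicated yet)
        self.entries[replica].add(dn)
        self.inflight += [(now + REPLICATION_LAG, p, dn) for p in self.names if p != replica]
        return True

class LoadBalancer:
    """Round robin, optionally with simple (source-address) persistence."""
    def __init__(self, cluster, persist_timeout=None):
        self.cluster, self.timeout, self.rr, self.table = cluster, persist_timeout, 0, {}

    def route(self, client_ip, now):
        rec = self.table.get(client_ip)   # (replica, tick of last request)
        if self.timeout and rec and now - rec[1] <= self.timeout:
            self.table[client_ip] = (rec[0], now)   # still inside the interval: same replica
            return rec[0]
        chosen = self.cluster.names[self.rr % len(self.cluster.names)]
        self.rr += 1
        self.table[client_ip] = (chosen, now)
        return chosen

def create_realm(lb, client_ip="192.18.69.18", start=0):
    """Parent entry, then its subentry one tick later, as the console does (constructed DNs)."""
    dns = [f"o=realm1,{SUFFIX}", f"cn=Realm Admin,o=realm1,{SUFFIX}"]
    out = []
    for i, dn in enumerate(dns):
        replica = lb.route(client_ip, start + i)
        out.append((dn.split(",")[0], replica, lb.cluster.add(replica, dn, start + i)))
    return out

if __name__ == "__main__":
    print(create_realm(LoadBalancer(Cluster())))                      # subentry add fails
    print(create_realm(LoadBalancer(Cluster(), persist_timeout=300)))  # both succeed
```

Without persistence the subentry request reaches the second replica before the parent has replicated and fails; with a 300-tick persistence entry both requests land on the same replica in order.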

Procedure: To Configure Load Balancer 7 for the Directory Server Configuration Instances

Before You Begin
  1. Create a Pool.

    A pool contains all the backend server instances.

    1. Go to the URL for the BIG-IP load balancer login page.

    2. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    3. In the left pane, click Pools.

    4. On the Pools tab, click the Add button.

    5. In the Add Pool dialog, provide the following information:

      Pool Name

      Example: federation_ds_pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address of both Directory Server hosts. In this example:

      192.18.69.135 (for DirectoryServer-3SP:1389)

      192.18.72.136 (for DirectoryServer-4SP:1389)

    6. Click the Done button.

  2. Add a Virtual Server.

    If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      192.18.69.16 (for LoadBalancer-7.siroe.com )

      Service

      389

      Pool

      federation_ds_pool

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the Pool (federation_ds_pool) that you have just created.

    6. Click the Done button.

  3. Add Monitors

    Monitors are required for the load balancer to detect the backend server failures.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add an LDAP monitor for the Directory Server 3SP node.

      Three columns exist on this page: Node, Node Address, and Service. In the Node column, locate the IP address and port number DirectoryServer-3SP:1389. Select the Add checkbox.

    4. Add an LDAP monitor for the Directory Server 4SP node.

      In the Node column, locate the IP address and port number for DirectoryServer-4SP:1389. Select the Add checkbox.

    5. At the top of the Node column, in the drop-down list, choose tcp.

    6. Click Apply.

  4. Configure the load balancer for simple persistence.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, federation_ds_pool.

    3. Click the Persistence tab.

    4. On the Persistence tab, under Persistence Type, select Simple.

    5. Set the timeout interval.

      In the Timeout field, enter 300 seconds.

    6. Click Apply.

  5. Verify the Directory Server load balancer configuration.

    1. Log in as a root user to the host of each Directory Server.

    2. On each Directory Server host, use the tail command to monitor the Directory Server access log.

      # cd /var/opt/mps/serverroot/slapd-DirectoryServer-3SP/logs

      # tail -f access

      You should see connections to the load balancer IP address opening and closing. Example:

      conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.18.69.18 to 192.18.72.33
      conn=54 op=-1 msgId=-1 - closing - B1
      conn=54 op=-1 msgId=-1 - closed.

    3. Execute the following LDAP search against the Directory Server load balancer:


      # cd /var/opt/mps/serverroot/shared/bin/
      # ./ldapsearch -h LoadBalancer-7.siroe.com -p 389 -b "o=siroe.com" \
      -D "cn=directory manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Make sure the directory access entries display in only one Directory Server access log.

    4. Stop Directory Server 3SP, and again perform the following LDAP search against the Directory Server load balancer:


      # ./ldapsearch -h LoadBalancer-7.siroe.com -p 389 -b "o=siroeusers.com" \
      -D "cn=directory manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Verify that the Directory Server access entries display in only one Directory Server access log.

    5. If you encounter the following error message:


      # ./ldapsearch -h 192.18.69.13 -p 1389 -b "o=siroeusers.com" \
      -D "cn=Directory Manager" -w 11111111
      ldap_simple_bind: Can't connect to the LDAP server - Connection refused

      You can reset the timeout properties to lower values:

      • In the load balancer console, click the Monitors tab, and then click the ldap-tcp monitor name.

      • In the Interval field, set the value to 5.

      • In the Timeout field, set the value to 16.

      • Click Apply.

      Repeat the LDAP search.

    6. Restart the stopped Directory Server 3SP, and then stop Directory Server 4SP.

      Confirm that the requests are forwarded to the running Directory Server 4SP.

    7. Perform the following LDAP search against the Directory Server load balancer.


      # ./ldapsearch -h LoadBalancer-7.siroe.com -p 389 -b "o=siroe.com" \
      -D "cn=Directory Manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Make sure the directory access entries display in only one Directory Server access log.
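The access-log check in steps 3, 4 and 7 above can be scripted instead of read by eye. This added Python example (not part of the deployment guide) parses constructed excerpts in the Directory Server access-log format shown in step 2, attributes connections and search results to the load balancer's source address, and reports whether the search landed on exactly one host. The load balancer source address follows the page's sample log; the other addresses and entry counts are constructed.

```python
import re

# Constructed excerpts in the Directory Server access-log format shown above.
LB_IP = "192.18.69.18"          # load balancer source address, as in the sample log
LOGS = {
    "DirectoryServer-3SP": """\
conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.18.69.18 to 192.18.72.33
conn=54 op=0 msgId=1 - BIND dn="cn=directory manager" method=128 version=3
conn=54 op=1 msgId=2 - SRCH base="o=siroe.com" scope=2 filter="(objectclass=*)" attrs=ALL
conn=54 op=1 msgId=2 - RESULT err=0 tag=101 nentries=14 etime=0
conn=54 op=-1 msgId=-1 - closing - B1
conn=54 op=-1 msgId=-1 - closed.
""",
    "DirectoryServer-4SP": """\
conn=9 op=-1 msgId=-1 - fd=20 slot=20 LDAP connection from 192.18.69.135 to 192.18.72.136
conn=9 op=-1 msgId=-1 - closing - B1
""",
}

CONN_RE = re.compile(r"conn=(\d+) .*LDAP connection from (\S+) to ")
RESULT_RE = re.compile(r"conn=(\d+) .*RESULT err=(\d+) .*nentries=(\d+)")

def lb_connections(log_text, lb_ip=LB_IP):
    """Connection ids on this host that were opened from the load balancer."""
    return {m.group(1) for m in map(CONN_RE.search, log_text.splitlines())
            if m and m.group(2) == lb_ip}

def entries_returned(log_text, lb_ip=LB_IP):
    """Entries this host returned (err=0) on the load balancer's connections."""
    conns = lb_connections(log_text, lb_ip)
    return sum(int(m.group(3)) for m in map(RESULT_RE.search, log_text.splitlines())
               if m and m.group(1) in conns and m.group(2) == "0")

def persistence_check(logs, lb_ip=LB_IP):
    """The page's criterion: the load balancer's traffic appears in exactly one log."""
    hosts = sorted(h for h, text in logs.items() if lb_connections(text, lb_ip))
    return len(hosts) == 1, hosts

if __name__ == "__main__":
    ok, hosts = persistence_check(LOGS)
    for h in hosts:
        print(h, "returned", entries_returned(LOGS[h]), "entries")
    print("persistence OK" if ok else "traffic split across hosts:", hosts)
```

Feed it the real access logs from both hosts (one dict entry per host) after each search; a result listing both hosts means the search was split, which is what the persistence setting is meant to prevent.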

Procedure: To Configure Load Balancer 8 for the Directory Server User Data Instances

Before You Begin
  1. Create a Pool.

    A pool contains all the backend server instances.

    1. Go to the URL for the BIG-IP load balancer login page.

    2. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    3. In the left pane, click Pools.

    4. On the Pools tab, click the Add button.

    5. In the Add Pool dialog, provide the following information:

      Pool Name

      Example: federation_users_pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address of both Directory Server hosts. In this example:

      192.18.69.135 (for DirectoryServer-3SP:1489)

      192.18.72.136 (for DirectoryServer-4SP:1489)

    6. Click the Done button.

  2. Add a Virtual Server.

    If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      192.18.69.16 (for LoadBalancer-8.siroe.com )

      Service

      1389

      Pool

      federation_users_pool

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the Pool (federation_users_pool) that you have just created.

    6. Click the Done button.

  3. Add Monitors

    Monitors are required for the load balancer to detect the backend server failures.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add an LDAP monitor for the Directory Server 3SP node.

      Three columns exist on this page: Node, Node Address, and Service. In the Node column, locate the IP address and port number DirectoryServer-3SP:1489. Select the Add checkbox.

    4. Add an LDAP monitor for the Directory Server 4SP node.

      In the Node column, locate the IP address and port number for DirectoryServer-4SP:1489. Select the Add checkbox.

    5. At the top of the Node column, in the drop-down list, choose ldap-tcp.

    6. Click Apply.

  4. Configure the load balancer for simple persistence.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, federation_users_pool.

    3. Click the Persistence tab.

    4. On the Persistence tab, under Persistence Type, select Simple.

    5. Set the timeout interval.

      In the Timeout field, enter 300 seconds.

    6. Click Apply.

  5. Verify the Directory Server load-balancer configuration.

    1. Log in as a root user to the host of each Directory Server.

    2. On each Directory Server host, use the tail command to monitor the Directory Server access log.

      # cd /var/opt/mps/serverroot/slapd-fm-users/logs

      # tail -f access

      You should see connections to the load balancer IP address opening and closing. Example:

      conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.18.69.18 to 192.18.72.33
      conn=54 op=-1 msgId=-1 - closing - B1
      conn=54 op=-1 msgId=-1 - closed.

    3. Execute the following LDAP search against the Directory Server load balancer:


      # cd /var/opt/mps/serverroot/shared/bin/
      # ./ldapsearch -h LoadBalancer-8.siroe.com -p 1389 -b "o=siroeusers.com" \
      -D "cn=directory manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Make sure the directory access entries display in only one Directory Server access log.

    4. Stop Directory Server 3SP, and again perform the following LDAP search against the Directory Server load balancer:


      # ./ldapsearch -h LoadBalancer-8.siroe.com -p 1389 -b "o=siroeusers.com" \
      -D "cn=directory manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Verify that the Directory Server access entries display in only one Directory Server access log.

    5. If you encounter the following error message:

      # ./ldapsearch -h 192.18.69.13 -p 1389 -b "o=siroeusers.com" \
      -D "cn=Directory Manager" -w 11111111
      ldap_simple_bind: Can't connect to the LDAP server - Connection refused

      You can reset the timeout properties to lower values:

      • In the load balancer console, click the Monitors tab, and then click the ldap-tcp monitor name.

      • In the Interval field, set the value to 5.

      • In the Timeout field, set the value to 16.

      • Click Apply.

      Repeat the LDAP search.

    6. Restart the stopped Directory Server 3SP, and then stop Directory Server 4SP.

      Confirm that the requests are forwarded to the running Directory Server 4SP.

    7. Perform the following LDAP search against the Directory Server load balancer.


      # ./ldapsearch -h LoadBalancer-8.siroe.com -p 389 -b "o=siroeusers.com" \
      -D "cn=Directory Manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Make sure the directory access entries display in only one Directory Server access log.