LDAP Stores :: Failover

Document ID : KB000049848
Last Modified Date : 14/02/2018
Show Technical Document Details


How does the Failover functionality on the Policy Server for the LDAP Stores?



The Connection Manager maintains the status of the directory instances using a dedicated "Ping Server threads". The Ping Server thread periodically checks the health status of each directory every 30 seconds. It validates the connection by doing an ldap search as :

Search Filter is objectclass=*

With each search, the Ping Server thread waits a default maximum of ten (10) seconds.

You can configure this in the User Directory Definition. In the user directory Definition you have Max Time. By default the value of Max Time is 30 and this defines how long Policy Serer should wait for a response from the directory server.

If the Ping Server search fails or times out, the Connection Manager connection, the other Dir connection and User connection are
all considered failed. The directory instance is then considered bad and the connections are moved out from the list of available connections and Policy Server will failover to the next Policy Store.

If a Thread Pool thread detects a failure on the Dir or User connection it is using, the Dir and User connections are made unavailable. The Policy Server process then immediately runs the Ping Server on the given bank or directory as just described above. If the Ping Server finds the instance responsive the failed Dir and User connections are replaced. If the Ping Server confirms the directory instance failure or unreachable, that directory instance and any other failed instance in the bank or directory is marked bad.


Ping thread keeps checking the health of the LDAP Servers every 30 Seconds and when it detects the LDAP server is up then Policy Server will failback to the primary LDAP server.

Note that there is no Load Balance capability for LDAP Policy Stores. But you can configure LDAP User Stores for Load Balance.

For LDAP Policy Stores, if you have two entries in the Policy Store tab the Policy Server will use only one. If it fails then the other entry is used and Policy Server fails back as soon as the first one is back up.

For each entry there will be one bank and each bank will have a user, dir and ping search connection.

The dir connection will be used to update the Policy Store. This connection is for both LDAP search and LDAP update.