When LDAP starts, the following error is received:
LDP0350E Initial connection to node:390 failed
What could cause this?
LDAP does not need DSI up and running if it is running on single LPAR. It is recommend to comment out the siParms line in the slapd.conf file unless you are trying to communicate to a remote LPAR.
CA LDAP Server uses z/OS callable services to interact with the External Security Manager (ESM). Callable services are not route-able, so LDAP can only talk directly to a local ESM.
When trying to access the ESM database, setup of LDAP will be determined by the ESM setup.
For example, if a security database is shared between 3 LPARs in a Sysplex, then LDAP only needs to be setup on 1 LPAR
If the security database is not shared between the 3 LPARs in a Plex, then there are 2 setup options.
1) Install/run LDAP on each LPAR and the application connects and uses the appropriate LDAP interface
2) Setup LDAP on 1 LPAR and configure it to access a 'remote' security file using the provided CA DSI Server. This server would be setup on remote LPARs only. It is not setup/used for local security database access.
Pro - 1 LDAP Server for the app to connect to for all data
Con - 1 LDAP Server means single point of failure
Single point of failure can be addressed with 2 LDAP Servers on 2 different LPARs providing a primary/secondary server and using load balancing hardware/software send traffic as appropriate. This needs 2 LDAP Servers and a DSI Server on each LPAR setup
Pro - 1 IP/port for the app to connect to for all data as load balancing sends to active server, no single point of failure
Con - More complex setup/config for sys prog
No matter the option selected, 1 or 2, the TCPIP traffic from LDAP to DSI within a plex is performed in cross memory mode by the IBM TCP/IP stack, so it never is on the network. Not only does this perform better, it makes the SSL overhead (administration and encrypt/decrypt of data packets) just that, overhead.