Hitachi

uCosminexus Application Server Security Management Guide


5.7.2 Connection failover by multiplexing the LDAP directory server

Replicating and multiplexing the LDAP directory server lets the standard login modules provided by integrated user management switch automatically from a failed LDAP directory server to another, pre-specified LDAP directory server when they look up user and single sign-on information.

In the following example configuration, J2EE server 1 normally uses the LDAP directory server slave1 for authentication. When slave1 goes down, J2EE server 1 automatically switches to slave2 (and to slave3 if slave2 also goes down).

Figure 5‒21: Example configuration of LDAP directory server multiplexing

[Figure]

The J2EE server attempts to connect to the LDAP directory servers in the specified order. If every attempt fails, authentication fails.

The procedure used to determine that an LDAP directory server is down is as follows:

  1. A javax.naming.CommunicationException occurs.

    This exception means that the client could not communicate with the directory server (for example, the connection was refused or the host did not respond). It is not an authentication failure. For details, see the JDK documentation.

  2. The connection is retried.

    The retry is repeated the preset number of times.

  3. If every retry fails, the LDAP directory server is deemed to be down, and the next server in the list is tried.

If all the LDAP directory servers are down, authentication fails and a LoginException is thrown to the caller of the login method of the LoginContext class.
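The following Java class is an added illustration of the failover decision just described; it is not code from the uCosminexus integrated user management login modules, whose failover is driven by ua.conf rather than by application code. The server URLs, bind DN, retry count and timeouts are constructed for the example. The page does not say how exceptions other than CommunicationException are handled; this example treats a javax.naming.AuthenticationException (wrong DN or password) as a real authentication failure and does not fail over on it, which is the behaviour a practitioner should expect, since trying a bad password against every replica only delays the answer.

```java
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.login.LoginException;

/**
 * Illustrative LDAP connection failover: try each server in order, retry a
 * server a preset number of times on CommunicationException, deem it down
 * when the retries are exhausted, and report LoginException when every
 * server is down. All hostnames and settings below are constructed examples.
 */
public class LdapFailoverExample {

    // Tried in this order: slave1, then slave2, then slave3 (constructed hostnames).
    private static final List<String> LDAP_URLS = List.of(
            "ldap://slave1.example.com:389",
            "ldap://slave2.example.com:389",
            "ldap://slave3.example.com:389");

    private static final int RETRY_COUNT = 2;              // assumed retry setting
    private static final String TIMEOUT_MS = "3000";       // assumed connect/read timeout

    /**
     * Binds as the user against the first reachable server. Throws
     * LoginException if no server can be reached or the credentials are wrong.
     */
    public static DirContext bind(String userDn, char[] password) throws LoginException {
        for (String url : LDAP_URLS) {
            for (int attempt = 1; attempt <= RETRY_COUNT + 1; attempt++) {
                try {
                    return connect(url, userDn, password);
                } catch (CommunicationException e) {
                    // Step 1: the host could not be reached (refused, unreachable, timed out).
                    System.err.printf("%s attempt %d/%d failed: %s%n",
                            url, attempt, RETRY_COUNT + 1, e.getMessage());
                    // Step 2: loop again to retry this server until the preset count is used up.
                } catch (AuthenticationException e) {
                    // Bad DN or password is an authentication failure, not an outage: no failover.
                    throw new LoginException("authentication failed at " + url + ": " + e.getMessage());
                } catch (NamingException e) {
                    throw new LoginException("LDAP error at " + url + ": " + e.getMessage());
                }
            }
            // Step 3: retries exhausted, this server is deemed down; move to the next one.
            System.err.println(url + " deemed down, switching to the next server");
        }
        // Every server is down: the caller of LoginContext.login() receives a LoginException.
        throw new LoginException("all LDAP directory servers are unreachable");
    }

    private static DirContext connect(String url, String userDn, char[] password)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Bounded timeouts so a black-holed host fails fast instead of stalling the login.
        env.put("com.sun.jndi.ldap.connect.timeout", TIMEOUT_MS);
        env.put("com.sun.jndi.ldap.read.timeout", TIMEOUT_MS);
        return new InitialDirContext(env);   // the bind happens here
    }

    public static void main(String[] args) {
        try {
            DirContext ctx = bind("uid=alice,ou=people,dc=example,dc=com", "secret".toCharArray());
            System.out.println("bound via " + ctx.getEnvironment().get(Context.PROVIDER_URL));
            ctx.close();
        } catch (LoginException | NamingException e) {
            System.err.println("login failed: " + e.getMessage());
        }
    }
}
```

Run against hosts that do not exist and the output shows each server being retried and deemed down in turn, ending in the LoginException; point the first URL at a reachable directory and the bind succeeds there without touching the others. Keep the connect and read timeouts small: without them a server that silently drops packets blocks the login thread for the operating system's TCP timeout before failover even starts.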

Store the LDAP directory server access settings in ua.conf (the integrated user management configuration file), and specify at least one LDAP setting for each JAAS application in jaas.conf (the JAAS configuration file). For details about ua.conf and its contents, see 14.2.2 ua.conf (integrated user management configuration file).

Connection failover also applies to password changes made with the PasswordUtil class. In a multi-master configuration, password changes can be made on the master servers, as shown in the following figure.

Figure 5‒22: Example configuration of LDAP directory server multiplexing (multi-master configuration)

[Figure]

To use connection failover, all LDAP directory servers must have the same entry tree structure and the same entry contents. Because the servers are kept identical by replication, an update such as a password changed through PasswordUtil on a master is visible on the other servers only once replication has delivered it; until then, a failover to a server that has not yet received the change will authenticate against the old entry.