7021272: Howto force Identity Server use local LDAP userstore rather than remote one in Clustered environment spanning GEO locations

This document (7021272) is provided subject to the disclaimer at the end of this document.

Environment

Access Manager setup to serve users worldwide with the following characteristics:

· There are two data centers
· Each data center has two identity servers, all in the same cluster, for a total of 4 IDPs
· Each data center has two eDirectory servers that are replicas of each other
· One User Store defined in NAM with all 4 eDirectory servers listed

Administrators want users accessing the IDP in one data center to talk to the local eDirectory servers in the same data center, so that LDAP traffic does not traverse the WAN link; however, the user store configuration offers no way to control which of the listed LDAP servers an IDP talks to.

Situation

Upgrade to NAM 4.4 and define the LDAP replica servers by DNS name rather than IP address (a new feature in 4.4). With this in place, modify the local hosts file on each IDP so that the DNS name resolves to the LDAP server in the same data center, or to the local load balancer VIP fronting those LDAP servers.
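The per-IDP hosts override described above, as an added example that is not part of the original article: it assumes a hypothetical replica name ldap-replica.example.com in the user store and hypothetical local LDAP addresses 10.1.0.10 (data center 1) and 10.2.0.10 (data center 2), and replaces rather than duplicates an existing entry so the resolver never sees two conflicting lines.

```shell
#!/bin/sh
# Added example (not from the KB article): pin a user-store replica DNS name
# to the data-center-local LDAP address in an IDP's hosts file.
# Assumed (hypothetical) values: replica name ldap-replica.example.com,
# DC1 local LDAP/VIP 10.1.0.10, DC2 local LDAP/VIP 10.2.0.10.
# HOSTS_FILE defaults to /etc/hosts; point it elsewhere when testing.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# pin_replica NAME IP [FILE]: make NAME resolve to IP via the hosts file.
# Any existing non-comment line carrying NAME is dropped first, so the file
# never ends up with two entries for the same replica name. The result is
# written back through the original file (cat, not mv) to keep its inode,
# owner and mode intact.
pin_replica() {
    name="$1"; ip="$2"; file="${3:-$HOSTS_FILE}"
    tmp="$file.tmp.$$"
    awk -v n="$name" '
        /^[[:space:]]*#/ { print; next }
        { keep = 1
          for (i = 2; i <= NF; i++) if ($i == n) keep = 0
          if (keep) print }
    ' "$file" > "$tmp" &&
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp" &&
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# resolved_ip NAME [FILE]: print the address the hosts file maps NAME to.
# The first matching line wins, which is how the C library resolver treats
# /etc/hosts; an empty result means the name is not pinned in that file.
resolved_ip() {
    name="$1"; file="${2:-$HOSTS_FILE}"
    awk -v n="$name" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$file"
}
```

On a DC1 IDP run `pin_replica ldap-replica.example.com 10.1.0.10` and on a DC2 IDP the 10.2.0.10 address, then confirm with `getent hosts ldap-replica.example.com` that the name now resolves locally before the IDP next opens its LDAP connections.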

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.
