LDAP high availability


A directory is often described as a database, but it is a specialized database that has characteristics that set it apart from general-purpose relational databases. One special characteristic of directories is that they are accessed (read or searched) much more often than they are updated (written). Lightweight Directory Access Protocol (LDAP) is a fast-growing technology for accessing common directory information. LDAP has been embraced and implemented in most network-oriented middleware. Building LDAP-enabled networks and applications is a common practice in enterprise applications. WebSphere is LDAP-enabled. When the LDAP server fails, WebSphere cannot access directory data, such as security data, and hence fails to service client requests. Therefore, building HA LDAP is a part of the highly available WebSphere system, as shown in Figure 13-4.

In a way similar to building an HA database for WebSphere, you can build an HA LDAP service with clustering software such as HACMP, MC/ServiceGuard, or Microsoft Cluster Service, as shown in Figure 13-4. Two nodes are interconnected with public networks and private networks. Private networks are dedicated to the heartbeat message. A shared disk that is connected to both nodes is used to store common directory data. Clustering software and LDAP software are installed in each node. A resource group is created, and can be failed over from one node to the other under the control of the clustering software. Instead of individual physical host IP addresses, the cluster IP address is used to access the LDAP service.

Figure 13-4 Clustered LDAP with shared disks

The cluster IP address is moved to the healthy backup node under the control of the clustering software when the primary node fails and the cluster detects the failure through the heartbeat mechanism. The LDAP client (WebSphere) still uses the same IP address (the cluster IP address) to access the LDAP service, as shown in Figure 13-5. You can configure the service to fall back automatically to the primary node once the primary node is up again, or you can do it manually.

Figure 13-5 Clustered LDAP with shared disks after failover

The multihost shared disk is used in the above configuration for storing LDAP data. In addition, LDAP provides a master and replica architecture that makes it possible for you to configure HA LDAP without shared disks. Install clustering software on both nodes, and configure LDAP to use local data. The primary node is configured as the LDAP master, and the backup node is configured as the LDAP replica, as shown in Figure 13-6. Any LDAP change requests that go to the replica server will be referred to the master server, since the replica server cannot change data. The master server sends all changes to the replica server to synchronize its data.

Figure 13-6 Clustered master-replica LDAP without shared disks

When the primary server (master) is down due to some network, hardware, or software reason, the LDAP service will be moved to the backup server under the control of clustering software; the replica server is temporarily promoted to the master server and continues LDAP service, as shown in Figure 13-7.

When the primary node is up again, you can move the LDAP service back to the primary node. You should not configure automatic fallback, because by doing so, you will lose all updates made while the backup server was acting as master. You need to manually export the latest data from the backup server and import it into the primary server before you start up the primary LDAP server. Synchronizing the master server's data in this way takes time in this share-nothing configuration. In the shared-disk LDAP configuration, both servers use the same data on the shared disks, so you do not need to synchronize data between the two servers. However, it is easier to configure the cluster without shared disks.

Figure 13-7 Clustered master-replica LDAP without shared disks after failover
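The share-nothing failover and fallback described above, as an added Python model that is not part of the original text or of any LDAP product: node names, DNs and attribute values are constructed, and `run_scenario` shows the referral a replica returns for a write, the promotion of the replica on failover, and why falling back without an export from the backup and import into the primary loses the updates made during the outage.

```python
import copy

class LdapNode:
    def __init__(self, name, role, master=None):
        self.name, self.role, self.master = name, role, master
        self.replicas = []   # nodes a master pushes every change to
        self.data = {}       # dn -> attrs, on this node's local disk only
        self.up = True

    def modify(self, dn, attrs):
        # A replica cannot change data: it refers the client to the master.
        if self.role == "replica":
            return ("referral", self.master.name)
        self.data[dn] = dict(attrs)
        for r in self.replicas:          # master synchronizes its replicas
            if r.up:
                r.data[dn] = dict(attrs)
        return ("ok", self.name)

class Cluster:
    # The clustering software: one cluster IP that follows the active node.
    def __init__(self):
        self.primary = LdapNode("node1", "master")
        self.backup = LdapNode("node2", "replica", master=self.primary)
        self.primary.replicas.append(self.backup)
        self.active = self.primary       # node currently behind the cluster IP

    def failover(self):
        # Heartbeat from node1 lost: promote the replica to master.
        self.primary.up = False
        self.backup.role = "master"
        self.active = self.backup

    def fallback(self, export_import):
        # Return service to node1. Only an export from node2 and import
        # into node1 carries over updates made while node2 was master.
        if export_import:
            self.primary.data = copy.deepcopy(self.backup.data)
        self.primary.up, self.backup.role = True, "replica"
        self.active = self.primary

def run_scenario(export_import):
    """Update, fail over, update again, fall back; return what clients see."""
    c = Cluster()
    c.active.modify("uid=alice,o=example", {"mail": "alice@example.com"})
    referral = c.backup.modify("uid=x,o=example", {})  # write sent to replica
    c.failover()
    c.active.modify("uid=bob,o=example", {"mail": "bob@example.com"})
    c.fallback(export_import)
    return referral, sorted(c.active.data)   # DNs served via the cluster IP
```

With `export_import=False` the entry added on node2 during the outage is absent from what clients see after fallback; with `export_import=True` both entries survive.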

In addition to HA LDAP with clustering software, you can build a low-cost, easy-to-configure HA LDAP with a network sprayer such as the WebSphere Edge Components' Load Balancer, or a DNS server that has a load balancing function (DNS round robin), as shown in Figure 13-8.

Figure 13-8 LDAP and Load Balancer

The Load Balancer distributes client requests to both servers. When a server fails, the request will be directed to the other server, as shown in Figure 13-9.

Figure 13-9 LDAP and Load Balancer after failover

For high-end enterprise applications, combining clustering software with a network sprayer can improve LDAP availability and scalability by reducing downtime and providing more servers, as shown in Figure 13-10. During the clustering transition downtime, you can still access the LDAP servers (read only) with this configuration. You can also partition your directory structure to enhance scalability, and use the approaches discussed here to enhance availability.

Figure 13-10 Combined LB and clustered LDAP
