Security failover among multiple LDAP servers

WAS security can be configured to attempt failovers between multiple LDAP hosts.

If the current active LDAP server is unavailable, WAS security attempts a failover to the first available LDAP host in the specified host list. The multiple LDAP servers can be replicas of the same master LDAP server, or they can be any LDAP host with the same schema, which contain data that is imported from the same LDAP Data Interchange Format (LDIF) file.

Whenever a failover occurs, WAS security always uses the first available LDAP server in the specified host list. For example, if there are four LDAP servers configured in the order of L1, L2, L3, and L4, L1 is treated as the primary LDAP server. The preference of connection is from L1 to L4. If, for example, WAS security is currently connected to L4, and failover or reconnection is necessary, WAS security first attempts to connect to L1, L2, and then L3 in that order until the connection is successful.

The current LDAP host name is logged in message CWSCJ0419I in the WAS log file, SystemOut.log. To reconnect to the primary LDAP host, run the WAS MBean method, resetLDAPBindInfo, with null,null as the input.

To configure LDAP failover among multiple LDAP hosts, use wsadmin or ConfigService to include the backup LDAP host, which does not have a number limitation. The LDAP host that is displayed in the admin console is the primary LDAP host, and is the first item listed in the LDAP host list in security.xml.

The WAS security realm name defaults to the primary LDAP host name that is displayed in the admin console. It includes a trailing colon and a port number (if one exists). However, the custom property,, can be added to override the default security realm name. Use the logicRealm name to configure each cell to have its own LDAP host for interoperability and backward compatibility, and to provide flexibility for adding or removing the LDAP host dynamically. If migrating from a previous installation, the new logicRealm name does not take effect until administrative security is enabled again. To be compatible with a previous release that does not support logic realm, the logicRealm name has to be the same as that used by the previous installation (the LDAP host name, including a trailing colon and port number).

The following Jacl example shows how to use wsadmin to add a backup LDAP host for failover:

proc LDAPAdd {args} {

  global AdminConfig AdminControl ldapServer ldapPort 
  set ldapServer [lindex $args 0]
  set ldapPort [lindex $args 1]
  global ldapUserRegistryId 

  if {[catch {$AdminConfig list LDAPUserRegistry} result]} {
    puts stdout "\$AdminConfig list LDAPUserRegistry caught an exception $result\n"
  } else {
    if {$result != {}} {
      set ldapUserRegistryId [lindex $result 0]
    } else {
        set secMbean [$AdminControl queryNames type=SecurityAdmin,*]
        set Attrs2 [list [list hosts [list [list [list host $ldapServer] 
                   [list port $ldapPort]]]]]
        $AdminConfig modify $ldapUserRegistryId $Attrs2
        $AdminConfig save 

The following Jython example shows how to use wsadmin to add a backup LDAP host for failover:

# Add ldap hostname and port
#     wsadmin -f arg1 arg2
#  The script expects some parameters:
#      arg1 - LDAP Server hostname
#      arg2 - LDAP Server portnumber
import java

# get the line separator and use to do the parsing 
# since the line separator on different platform are different 
lineSeparator = java.lang.System.getProperty('line.separator')

# add LDAP host
def LDAPAdd (ldapServer, ldapPort):
    global AdminConfig, lineSeparator, ldapUserRegistryId
        ldapObject = AdminConfig.list("LDAPUserRegistry")
        if len(ldapObject) == 0:
            print "LDAPUserRegistry ConfigId was not found\n"

        ldapUserRegistryId = ldapObject.split(lineSeparator)[0]
        print "Got LDAPUserRegistry ConfigId is " + ldapUserRegistryId + "\n"
        print "AdminConfig.list('LDAPUserRegistry') caught an exception\n"

        secMbeans = AdminControl.queryNames('WebSphere:type=SecurityAdmin,*') 
        if len(secMbeans) == 0:
            print "Security Mbean was not found\n"

        secMbean = secMbeans.split(lineSeparator)[0]
        print "Got Security Mbean is " + secMbean + "\n"
        print "AdminControl.queryNames('WebSphere:type=SecurityAdmin,*') caught an exception\n"

    attrs2 = [["hosts", [[["host", ldapServer], ["port", ldapPort]]]]]
        AdminConfig.modify(ldapUserRegistryId, attrs2)
            print "Done setting up attributes values for LDAP User Registry"
            print "Updated was saved successfully\n"
            print " caught an exception\n"
        print "AdminConfig.modify(" + ldapUserRegistryId + ", " + attrs2 + ") caught an exception\n"

# Main entry point
if len(sys.argv) < 2 or len(sys.argv) > 3:
        print("LDAPAdd: this script requires 2 parameters: LDAP server hostname and LDAP server port number\n")
        print("e.g.: LDAPAdd ldaphost 389\n")
        sys.exit(1) else:
        ldapServer = sys.argv[0]
        ldapPort = sys.argv[1]
        LDAPAdd(ldapServer, ldapPort)


Related concepts

Standalone LDAP registries


Related tasks

Updating LDAP binding information