+

Search Tips   |   Advanced Search

Configure multiple LDAP servers for user registry failover

WebSphere Application Server security can be configured to attempt failovers between multiple LDAP hosts.

The multiple LDAP servers involved in the failover can be replicas that are replicated from the same master LDAP server, or they can be any LDAP host with the same schema. That is any LDAP host containing data that is imported from the same LDAP data interchange format (LDIF) file.

When WAS attempts failovers between multiple LDAP hosts, system properties are exchanged. WAS v6.1.0 manages the SSL configuration and these system properties. We cannot expect to set system properties ourself and expect the failover to succeed.


Tasks

  1. Start the dmgr process.

    1. Start the Command Prompt application.

    2. Change directories to profile_root\bin.

    3. (iSeries) Change directories to profile_root/bin.

    4. Enter startManager.

  2. Start the wsadmin Command Prompt application.

    1. Start the Command Prompt application.

    2. Change directories to profile_root\bin.

    3. (iSeries) Change directories to profile_root/bin.

    4. Enter the following command:
      wsadmin -user username -password password
      

  3. Configure a second LDAP server for failover.

    1. Enter the following command to set the failover LDAP server hostname:
      set ldapServer [ldap server hostname]
      

    2. Enter the following command to set the LDAP server port number:
      set ldapPort [ldap server port]
      

    3. Enter the following command to set the WebSphere LDAP failover variable:
      set Attrs2 [list [list hosts [list [list [list host $ldapServer] [list port $ldapPort]]]]]
      

    4. Modify the LDAP configuration to add the failover LDAP server by entering the following command:
      set result [$AdminConfig list LDAPUserRegistry]
      

    5. Find the LDAP server configID by entering the following command:
      $AdminConfig modify $result $Attrs2
      

    6. Enter the following command to save the configuration change:
      $AdminConfig save
      

    7. Enter exit to quit the Command Prompt application. The following is an example of the Command Prompt application output:
      wsadmin>set ldapServer [list xxxx.xxxx.xxx.com]
      xxxx.xxxx.xxx.com
      wsadmin>set ldapPort [list NNN]
      NNN
      wsadmin>set Attrs2 [list [list hosts [list [list [list host $ldapServer] [list port $ldapPort]]]]]
      {hosts {{{host xxxx.xxxx.xxx.com} {port NNN}}}}
      wsadmin> set result [$AdminConfig list LDAPUserRegistry]
      (cells/Father2Cell01|security.xml#LDAPUserRegistry_1)
      wsadmin>$AdminConfig modify $result $Attrs2
      
      wsadmin>$AdminConfig save
      

  4. Review the configuration change by opening the security.xml file with a text editor and review the new entry.

  5. Stop the deployment manager.

    1. Start the Command Prompt application.

    2. Change directories to profile_root\bin.

    3. (iSeries) Change directories to profile_root/bin.

    4. To stop the deployment manager, enter:
      stopManager -user username -password password
      

  • Configure LDAP user registries
  • Testing an LDAP server for user registry failover
  • Deleting LDAP endpoints using wsadmin