Adaptive Server provides uninterrupted support to Adaptive Server clients that are authenticated by an LDAP server. You can specify a secondary LDAP lookup server to fail over to when the primary LDAP server fails or is taken down for planned maintenance.
The health of the URL set is monitored through the following states:
INITIAL – indicates that LDAP user authentication is not configured.
RESET – indicates that the URL has been entered with Adaptive Server administrative commands.
READY – indicates that the URL is ready to accept connections.
ACTIVE – indicates that the URL has performed a successful LDAP user authentication.
FAILED – indicates that there is a problem connecting to the LDAP server.
SUSPENDED – indicates that the URL is in maintenance mode, and will not be used.
The following sequence of events describes the failover and manual failback:
The primary and secondary URL sets are configured and in a READY state.
The connections are authenticated using the primary server infrastructure.
The primary server fails, and its state is changed to FAILED.
Connections automatically begin authentication through the secondary server infrastructure.
The primary server is repaired and brought back online by an LDAP administrator. The primary LDAP server state is changed by an Adaptive Server administrator to READY.
New connections are authenticated using the primary server.
Once Adaptive Server has failed over to the secondary LDAP server, a database administrator must manually activate the primary LDAP server before it can be used again.
When Adaptive Server encounters errors connecting to an LDAP server, it retries the authentication three times. If the errors persist, the LDAP server is marked as FAILED. See “Troubleshooting LDAP user authentication errors” for information on the LDAP errors that force Adaptive Server into a retry loop.
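The failover and manual failback sequence above, modelled as a small state machine. This is an added example, not Adaptive Server code: the class and function names are hypothetical, server reachability is a constructed flag, and returning None when no URL set is usable is an assumption.

```python
from enum import Enum

State = Enum("State", "INITIAL RESET READY ACTIVE FAILED SUSPENDED")
RETRIES = 3  # per the page: three attempts before the server is marked FAILED

class UrlSet:
    def __init__(self, name):
        self.name, self.state = name, State.READY
        self.up = True       # constructed stand-in for LDAP server reachability
        self.attempts = 0    # connection attempts made against this URL set

class LdapAuth:              # hypothetical model, not an Adaptive Server API
    def __init__(self):
        self.sets = {n: UrlSet(n) for n in ("primary", "secondary")}

    def authenticate(self):
        """Return the name of the URL set that handled the login, or None."""
        for s in self.sets.values():              # primary is tried first
            if s.state not in (State.READY, State.ACTIVE):
                continue                          # FAILED/SUSPENDED sets are skipped
            for _ in range(RETRIES):
                s.attempts += 1
                if s.up:
                    s.state = State.ACTIVE        # successful authentication
                    return s.name
            s.state = State.FAILED                # errors persisted through retries
        return None                               # assumption: no usable URL set

    def activate(self, name):    # models: sp_ldapadmin activate, {primary | secondary}
        self.sets[name].state = State.READY

    def suspend(self, name):     # models: sp_ldapadmin suspend, {primary | secondary}
        self.sets[name].state = State.SUSPENDED

def walk_through():
    """Replay the page's failover and manual failback sequence."""
    auth, log = LdapAuth(), []
    primary = auth.sets["primary"]
    log.append(auth.authenticate())   # normal operation
    primary.up = False                # primary LDAP server fails
    log.append(auth.authenticate())   # three retries, then failover
    primary.up = True                 # LDAP administrator repairs the server
    log.append(auth.authenticate())   # still secondary: state is still FAILED
    auth.activate("primary")          # Adaptive Server administrator reactivates
    log.append(auth.authenticate())   # new connections use the primary again
    return log, primary.attempts, primary.state

if __name__ == "__main__":
    print(walk_through())
```

The third login is the case to watch for in operations: a repaired primary stays unused, and all authentication depends on the secondary, until an administrator activates the primary.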
Use sp_ldapadmin to configure secondary lookup LDAP servers.
To set the secondary DN lookup URL, enter:
sp_ldapadmin set_secondary_dn_lookup_url, <URL>
To set the administrative access account for the secondary DN lookup URL, enter:
sp_ldapadmin set_secondary_access_acct, <DN>, <password>
To suspend the use of a primary or secondary URL for authentication, enter:
sp_ldapadmin suspend, {primary | secondary}
To activate the set of primary or secondary URLs for authentication, enter:
sp_ldapadmin activate, {primary | secondary}
To display details about the primary and secondary LDAP server settings and status, enter:
sp_ldapadmin list
sp_ldapadmin list combines previous outputs from list_access_acct and list_urls. It has the following expected output for the primary and secondary servers:
Search URL
Distinguished name lookup URL
Access account DN
Active [true | false]
Status [ready | active | failed | suspended | reset]
Adaptive Server version 12.5.4 and later includes the following sp_ldapadmin options that support secondary servers.
To display DN lookup URLs for the secondary server, enter:
sp_ldapadmin list_urls
To display the administrative account for the secondary DN lookup URL, enter:
sp_ldapadmin list_access_acct
To display subcommands, enter:
sp_ldapadmin help