2.5 Configuring Back-End Servers

A back-end server is a directory server to which LDAP Proxy forwards client requests. The proxy intercepts each incoming request, processes it according to the configured policies, and then forwards it to one of the configured back-end servers.

To use the load balancing and fault tolerance features of LDAP Proxy, you must configure at least two back-end servers. LDAP Proxy should also periodically health-check each directory server so that a slow or unavailable server is detected and requests are routed around it.

You can configure as many back-end servers as your deployment needs. The <list-backend-server> node in the configuration file lists every back-end server configured for the proxy; any additional back-end server must be defined inside this node.

For instance, to define a back-end server named Backend1 that uses the LDAP protocol and listens for requests on IP address 192.168.1.3, port 389, you can write the following:

<list-backend-server health-check-interval-secs="7200">
 <backend-server id-backend-server="Backend1">
  <service protocol="ldap">
   <addr-ipv4>192.168.1.3</addr-ipv4>
   <port>389</port>
  </service>
 </backend-server>
</list-backend-server>

2.5.1 Configuration Parameters For Back-End Server

The following elements and attributes are used to configure back-end servers:

<backend-server>: Specifies that the element configured is a back-end server. This element can have the following attributes defined:

  • id-backend-server: The identity of the back-end server. Other parts of the configuration (for example, <ref-backend-server> in a server group) refer to the server by this value. It must be a unique alphanumeric value.

  • max-connections: The maximum number of connections that the back-end server handles. This is an optional attribute.

    In Example 1, the attribute value is 5000, so Backend1 handles at most 5000 connections.

  • capability: The capability of the back-end server relative to the other servers in its group; the load balancer uses it as a weight. In Example 1, Backend1 has capability 1 and Backend2 has capability 5, so Backend2 receives five times the load of Backend1. This is an optional attribute.

The <backend-server> element can have the following child elements:

  • <service>: Specifies how LDAP Proxy connects to the back-end server. It must have the following attribute:

    • protocol: The protocol that the proxy server uses to send requests to the back-end server. The attribute value can be ldap or ldaps.

      NOTE: If you specify the protocol as ldaps, you must place the PEM-format root CA certificate that issued the back-end server's certificate in the /etc/opt/novell/ldapproxy/conf/ssl/trustedcert directory, so that the proxy can trust the back-end server's certificate.

    The <service> element can have the following child elements:

    • <addr-ipv4>: The IPv4 address of the system on which the back-end server is installed.

    • <addr-ipv6>: The IPv6 address of the system on which the back-end server is installed (see the second listing of Example 1).

    • <port>: The port on which the back-end server receives requests.

    • <addr-dns>: The domain name of the system on which the back-end server is installed. Specify one of <addr-ipv4>, <addr-ipv6>, or <addr-dns>.

    • <tls-opts>: Specifies the Transport Layer Security (TLS) parameters when the protocol is ldaps. For more information, see Configuring Secured Communication Using TLS Parameters.

      NOTE: If the TLS configuration of LDAP Proxy disables a protocol version but leaves a lower version enabled, the proxy uses the lower version to connect to the back-end server. If the back-end server does not accept that lower version, the TLS handshake fails. For example, if the back-end server does not allow SSLv3 and LDAP Proxy is configured with +SSLv3+TLSv1.1, the proxy tries SSLv3 and the connection fails. Because SSLv3, TLS 1.0 and TLS 1.1 are deprecated, the right fix is to disable them on the proxy rather than to re-enable them on the back-end server.

  • <connection-pool>: Defines a pool of LDAP connections to the back-end server that the proxy opens in advance, caches, and reuses for future requests instead of opening a new connection for each one.

    The <connection-pool> element can have the following child elements:

    • <start-pool-size>: The number of LDAP connections that the proxy opens and keeps in the pool. The value must always be less than the max-connections attribute value. For instance, in Example 1 the max-connections value is 5000, whereas the start-pool-size is 256.

    • <bind-dn>: The DN that the proxy binds with to nullify (reset) the identity of a pooled connection before the connection is reused. If anonymous bind is disabled on the back-end server, you must specify a user DN here; otherwise the proxy can nullify the connection with an anonymous bind.

      Use the passwdstore utility to store the password for this user DN:

      passwdstore [-a username] [-w password]

      Replace username with the user DN used for authentication and password with that user's password.

      IMPORTANT: Ensure that you specify the correct password. If authentication fails, the back-end directory might lock the account after repeated failed binds.

      For example:

      passwdstore -a admin -w pass

      NOTE: Do not use the admin DN to nullify connections. Use a dedicated DN with the least privileges needed.

    • <health-check>: Enables periodic health checks that measure the response time of the back-end server. This is an optional element.

      If you specify this element, the proxy periodically sends an LDAP Bind request to the back-end server and measures how long the response takes.

      The response-time threshold is set with the following attribute:

      • max-response-time-ms: The maximum time (in milliseconds) within which the back-end server must answer the health-check Bind request. If it does not respond within this time, the back-end server is flagged as a slow server. In Example 1, the attribute value is 5000, so Backend1 must respond within 5000 milliseconds.

      • <req-ldap-bind>: Defines the Bind request that the health check sends. Its <bind-dn> child holds the DN with which the Bind request is performed to detect a server that is slow to respond.
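The health-check exchange just described, as an added example that is not LDAP Proxy's own code: the probe builds the LDAP simple Bind request by hand (BER encoding per RFC 4511), times the BindResponse, and reports the back-end as healthy, slow, misconfigured (a non-zero result code such as 49 invalidCredentials, which is what a wrong stored password produces and what can lock the probe account), or down. The transport is a plain callable; fake_backend is a constructed stand-in so the block runs offline, and tcp_transport is the real-network variant, which takes the back-end's root CA file for ldaps. The DN and the 5000 ms threshold come from Example 1; the password and the "misconfigured" status are this example's own.

```python
# Added example (not LDAP Proxy code): the health-check Bind exchange described
# above. Request/response are BER-encoded by hand per RFC 4511; the transport is a
# callable so the probe can run offline against the constructed fake_backend().
import socket
import ssl
import time
from typing import Callable, Optional

Transport = Callable[[bytes], bytes]

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _ber_int(n: int) -> bytes:
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for one BER TLV."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }"""
    op = _tlv(0x60, _ber_int(3) + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _ber_int(message_id) + op)

def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, rc, pos = _read_tlv(op, 0)            # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(rc, "big"), diag.decode()

def health_check(transport: Transport, bind_dn: str, password: str,
                 max_response_time_ms: int, message_id: int = 1) -> dict:
    """One probe, as the proxy would run it every health-check-interval-secs."""
    start = time.monotonic()
    try:
        mid, rc, diag = parse_bind_response(transport(bind_request(message_id, bind_dn, password)))
    except (OSError, ValueError, IndexError) as exc:    # refused, timed out, closed, or garbage
        return {"status": "down", "reason": str(exc)}
    elapsed_ms = (time.monotonic() - start) * 1000.0
    if mid != message_id:
        return {"status": "down", "reason": "messageID mismatch"}
    if rc != 0:
        # Server answered, so it is up, but the probe identity is wrong (49 = invalidCredentials).
        # Retried every interval, a wrong password can lock the health-check account.
        return {"status": "misconfigured", "result_code": rc, "diag": diag, "elapsed_ms": elapsed_ms}
    return {"status": "slow" if elapsed_ms > max_response_time_ms else "healthy", "elapsed_ms": elapsed_ms}

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed by back-end")
        buf += chunk
    return buf

def tcp_transport(host: str, port: int, timeout_s: float, cafile: Optional[str] = None) -> Transport:
    """Real transport: ldap, or ldaps when cafile (the back-end's root CA, PEM) is given.
    Keep timeout_s above max_response_time_ms so a slow server is reported as slow, not down."""
    def send(req: bytes) -> bytes:
        sock = socket.create_connection((host, port), timeout=timeout_s)
        if cafile:   # verify the back-end's certificate against the trusted CA, as trustedcert/ does
            sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(req)
            head = _recv_exact(sock, 2)                       # tag + first length byte
            body_len, extra = head[1], b""
            if body_len & 0x80:
                extra = _recv_exact(sock, body_len & 0x7F)
                body_len = int.from_bytes(extra, "big")
            return head + extra + _recv_exact(sock, body_len)
    return send

def fake_backend(delay_s: float = 0.0, result_code: int = 0) -> Transport:
    """Constructed stand-in for a directory server: echoes the messageID and answers
    with a BindResponse carrying result_code after delay_s seconds."""
    def respond(req: bytes) -> bytes:
        _, msg, _ = _read_tlv(req, 0)
        _, mid, _ = _read_tlv(msg, 0)
        time.sleep(delay_s)
        op = _tlv(0x61, _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, b""))
        return _tlv(0x30, _tlv(0x02, mid) + op)
    return respond
```

A probe against a real server is `health_check(tcp_transport("192.168.1.4", 389, timeout_s=10), "cn=dummy,o=my_company", password, 5000)`; with `cafile="/etc/opt/novell/ldapproxy/conf/ssl/trustedcert/ca.pem"` and port 636 the same call runs over ldaps with certificate verification. The socket timeout must stay above max-response-time-ms, otherwise a merely slow server is reported as down instead of slow, and the page documents the proxy's own health check only as a response-time measurement, so the "misconfigured" verdict is an addition of this example, not a proxy feature.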

2.5.2 Configuring Back-End Server on a Secure Port

To configure a back-end server on a secure port, complete the following steps:

  1. Obtain, in PEM format, the root CA certificate of the CA that issued the back-end directory server's certificate (eDirectory, Active Directory, or OpenLDAP).

  2. Copy the root CA certificate to the /etc/opt/novell/ldapproxy/conf/ssl/trustedcert/ directory.

  3. In the nlpconf.xml file, replace x.x.x.x in the <addr-ipv4> element with the IP address of your LDAP server and set <port> to the server's secure port (636 by default).

    Ensure that the protocol attribute of the <service> element is set to ldaps, as shown below:

    <list-backend-server health-check-interval-secs="60">
           <backend-server id-backend-server="Backend1">
                 <service protocol="ldaps">
                        <addr-ipv4>x.x.x.x</addr-ipv4>
                        <port>636</port>
                 </service>
           </backend-server>
           <backend-server id-backend-server="Backend2">
                 <service protocol="ldaps">
                        <addr-ipv4>x.x.x.x</addr-ipv4>
                        <port>636</port>
                 </service>
           </backend-server>
    </list-backend-server>
  4. Save the nlpconf.xml file.

NOTE: LDAP Proxy reads the nlpconf.xml file during startup. For the configuration changes to take effect, restart LDAP Proxy. For more information, see Restarting LDAP Proxy.

2.5.3 Configuring Back-End Server on a Non-Secure Port

To configure the back-end server on a non-secure port, complete the following steps:

  1. Open the nlpconf.xml file from the /etc/opt/novell/ldapproxy/conf directory.

  2. Under <backend-server>, provide the IP address and the non-secure port of your LDAP server in the <addr-ipv4> and <port> elements. Traffic between the proxy and the back-end server, including Bind credentials, is then sent in cleartext, so use this configuration only on a network segment you trust.

    Ensure that the protocol attribute of the <service> element is set to ldap, as shown below:

    <list-backend-server health-check-interval-secs="60">
           <backend-server id-backend-server="Backend1">
                 <service protocol="ldap">
                        <addr-ipv4>x.x.x.x</addr-ipv4>
                        <port>389</port>
                 </service>
           </backend-server>
           <backend-server id-backend-server="Backend2">
                 <service protocol="ldap">
                        <addr-ipv4>x.x.x.x</addr-ipv4>
                        <port>389</port>
                 </service>
           </backend-server>
    </list-backend-server>
  3. Save the nlpconf.xml file.

NOTE: LDAP Proxy reads the nlpconf.xml file during startup. For the configuration changes to take effect, restart LDAP Proxy. For more information, see Restarting LDAP Proxy.

2.5.4 Configuring Additional Back-End Servers

Manually Configuring Additional Back-End Servers

To add a back-end server in the nlpconf.xml file, perform the following steps:

  1. Open the nlpconf.xml file from the /etc/opt/novell/ldapproxy/conf directory in any XML editor.

  2. To add a back-end server to the existing configuration, create an instance of the following section within the <list-backend-server> node, giving it an id-backend-server value that no other back-end server uses:

    <backend-server id-backend-server="Backend1">
     <service protocol="ldap">
      <addr-ipv4>x.x.x.x</addr-ipv4>
      <port>389</port>
     </service>
    </backend-server>
  3. Specify the following required information in the newly created instance:

    • A unique name to identify the back-end server (the id-backend-server attribute).

    • The IP address (<addr-ipv4> or <addr-ipv6>) or the domain name (<addr-dns>) of the system on which the back-end server is installed.

    • The protocol, either ldap or ldaps. For ldaps, also place the back-end server's root CA certificate in /etc/opt/novell/ldapproxy/conf/ssl/trustedcert.

    • The port number on which the back-end server receives requests.

  4. (Optional) Define the following optional parameters to tune the back-end server:

    • The maximum time within which the health-check Bind request must receive a response (max-response-time-ms).

    • The maximum number of connections that the back-end server handles (max-connections).

    • The capability of the back-end server relative to the other servers (capability). For example, a back-end server with capability 2 receives twice the load of a server with capability 1.

    • The number of connections to open in the connection pool (start-pool-size), which must be less than max-connections.

    For information about the elements/attributes that are used to define these parameters, refer to Configuration Parameters For Back-End Server.

  5. (Optional) Specify the time interval for performing a health check on all the listed back-end servers. This parameter is defined at the <list-backend-server> level, as shown in the sample configuration.

  6. To add more back-end servers, repeat Step 2 to Step 4.

  7. Save the nlpconf.xml file.
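Before restarting the proxy on a hand-edited file, it is worth checking the file against the constraints this chapter states. The following is an added example, not a tool shipped with LDAP Proxy: it parses nlpconf.xml with the Python standard library, checks every back-end server (unique alphanumeric id, ldap or ldaps protocol, an address and a valid port, start-pool-size below max-connections, a usable health-check definition), flags cleartext ldap back-ends, and checks that every <ref-backend-server> in the server groups of Configuring Server Groups names a defined back-end server. The root element name of the real file is not shown in this chapter, so the script looks for <list-backend-server> anywhere in the tree; the embedded sample is constructed for the demonstration, with deliberate mistakes in Backend2 and in the group connld.

```python
# Added example, not a tool shipped with LDAP Proxy: checks a hand-edited nlpconf.xml
# against the constraints stated in this chapter before the proxy is restarted.
# Assumption: the root element name is not documented here, so <list-backend-server>
# and the server-group elements are located anywhere in the tree.
import sys
import xml.etree.ElementTree as ET

GROUP_TAGS = ("lb-conn-based", "lb-dynamic-load-based", "lb-priority-based")

# Constructed sample: Backend2 and the group connld contain deliberate mistakes.
SAMPLE_NLPCONF = """<?xml version="1.0"?>
<nlp-config>
 <list-backend-server health-check-interval-secs="60">
  <backend-server id-backend-server="Backend1" capability="1" max-connections="5000">
   <service protocol="ldaps"><addr-ipv4>192.168.1.4</addr-ipv4><port>636</port></service>
   <connection-pool><start-pool-size>256</start-pool-size></connection-pool>
   <health-check max-response-time-ms="5000">
    <req-ldap-bind><bind-dn>cn=healthcheck,o=my_company</bind-dn></req-ldap-bind>
   </health-check>
  </backend-server>
  <backend-server id-backend-server="Backend2" max-connections="100">
   <service protocol="ldap"><addr-ipv4>192.168.1.3</addr-ipv4><port>389</port></service>
   <connection-pool><start-pool-size>256</start-pool-size></connection-pool>
   <health-check max-response-time-ms="5000"/>
  </backend-server>
 </list-backend-server>
 <list-load-balancer>
  <lb-conn-based id-load-balancer="connld">
   <ref-backend-server>Backend1</ref-backend-server>
   <ref-backend-server>Backend3</ref-backend-server>
  </lb-conn-based>
 </list-load-balancer>
</nlp-config>
"""

def validate(xml_text: str) -> list:
    """Return (severity, message) pairs; mismatched tags raise ET.ParseError before any check."""
    findings = []
    root = ET.fromstring(xml_text)
    lbs = root if root.tag == "list-backend-server" else root.find(".//list-backend-server")
    if lbs is None:
        return [("error", "no <list-backend-server> element")]
    if not lbs.get("health-check-interval-secs", "").isdigit():
        findings.append(("warning", "no numeric health-check-interval-secs on <list-backend-server>"))
    servers = lbs.findall("backend-server")
    if len(servers) < 2:
        findings.append(("warning", "fewer than two back-end servers: no load balancing or failover"))
    ids = set()
    for srv in servers:
        sid = srv.get("id-backend-server", "")
        if not sid.isalnum():
            findings.append(("error", f"{sid!r}: id-backend-server must be a non-empty alphanumeric value"))
        if sid in ids:
            findings.append(("error", f"{sid}: duplicate id-backend-server"))
        ids.add(sid)
        svc = srv.find("service")
        if svc is None:
            findings.append(("error", f"{sid}: missing <service>"))
            continue
        proto = svc.get("protocol")
        if proto not in ("ldap", "ldaps"):
            findings.append(("error", f"{sid}: protocol must be ldap or ldaps, got {proto!r}"))
        elif proto == "ldap":
            findings.append(("warning", f"{sid}: ldap is cleartext; Bind credentials to this server are unprotected"))
        if all(svc.find(t) is None for t in ("addr-ipv4", "addr-ipv6", "addr-dns")):
            findings.append(("error", f"{sid}: <service> needs addr-ipv4, addr-ipv6 or addr-dns"))
        port = (svc.findtext("port") or "").strip()
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(("error", f"{sid}: invalid <port> {port!r}"))
        maxc = srv.get("max-connections") or ""
        pool = (srv.findtext("connection-pool/start-pool-size") or "").strip()
        if maxc.isdigit() and pool.isdigit() and int(pool) >= int(maxc):
            findings.append(("error", f"{sid}: start-pool-size {pool} must be less than max-connections {maxc}"))
        hc = srv.find("health-check")
        if hc is not None:
            mrt = hc.get("max-response-time-ms", "")
            if not mrt.isdigit() or int(mrt) <= 0:
                findings.append(("error", f"{sid}: health-check needs a positive max-response-time-ms"))
            if not (hc.findtext("req-ldap-bind/bind-dn") or "").strip():
                findings.append(("error", f"{sid}: health-check needs <req-ldap-bind><bind-dn>"))
    # Server groups (Configuring Server Groups): each reference must name a defined back-end server.
    for grp in root.iter():
        if grp.tag in GROUP_TAGS:
            gid = grp.get("id-load-balancer", "?")
            for ref in [(r.text or "").strip() for r in grp.findall("ref-backend-server")]:
                if ref not in ids:
                    findings.append(("error", f"group {gid}: references undefined back-end server {ref!r}"))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NLPCONF
    for severity, message in validate(text):
        print(severity.upper(), message)
```

Run it as `python3 nlpcheck.py /etc/opt/novell/ldapproxy/conf/nlpconf.xml` (without an argument it checks the embedded sample). A mismatched closing tag, such as a `<bind-dn>` element closed by anything other than `</bind-dn>`, raises ParseError before any check runs, so typos in the XML surface first; the remaining findings are the constraints from Configuration Parameters For Back-End Server, with cleartext ldap reported as a warning rather than an error because the page allows it.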

Configuring Additional Back-End Servers Using NLPManager

You can configure additional back-end servers in the proxy configuration, by using the Backend Servers tab.

  1. Run the ./NLPManager command to start NLPManager.

  2. To open the nlpconf.xml file, in the Provisioning menu, click Open Configuration.

    The Open dialog box appears.

  3. Browse to the nlpconf.xml file in the /etc/opt/novell/ldapproxy/conf directory and click Open. The conf directory is available on the machine where you installed LDAP Proxy.

    If NLPManager and LDAP Proxy are installed on different machines, you must either save the nlpconf.xml file on the machine where you installed NLPManager or map a network drive to the machine where you installed proxy.

    The proxy configuration is displayed in the Project Explorer pane.

  4. Click the Backend Servers option.

    The Backend Servers tab is displayed.

  5. To add a back-end server, click the add icon.

    The Add New Backend Server window is displayed.

  6. Specify a name to identify the back-end server you are configuring and click OK. The name must be a unique alphanumeric value.

    The back-end server configuration fields are displayed in the Editor pane.

  7. Specify a time interval for performing a health check on all the listed back-end servers:

    1. Click the drop-down list.

    2. Specify a time interval to perform health checks to detect slow or unavailable back-end servers. By default, the interval is set to 60 seconds.

  8. Specify the following configuration details:

    • Address Type: The type of address of the interface on which the directory server receives requests from LDAP Proxy.

      To provide the IP address of the LDAP directory server, select IPv4 or IPv6.

      To provide the domain name of the LDAP directory server, select DNS.

    • Address: The value of the IP address or domain name, depending on the address type you specified.

    • Protocol: Specify either ldap or ldaps.

      If you specify the protocol as ldaps, you must place the back-end server's root CA certificate file in the conf/ssl/trustedcert directory.

    • Port: The port number of the directory server.

  9. (Optional) To enhance the performance of the back-end server, configure the following optional fields:

    • Maximum Connections: The maximum number of connections that can be handled by the back-end server.

    • Capability: The capability of the back-end server relative to the other servers. For example, a back-end server with capability 2 receives twice the load of a server with capability 1.

    • Connection Pool: Specify if a connection pool must be created. Then specify the pool size value in the Start Pool Size field.

    • Use Anonymous Login: Whether the proxy uses an anonymous bind to nullify the identity of pooled connections. If anonymous bind is disabled on the back-end server, clear this option and specify a user DN in the associated Bind DN field.

    • Bind DN: The user DN used to nullify a pooled connection's identity. Use a least-privilege DN, not the admin DN.

    • Start Pool Size: The number of connections to open so that they can be reused for incoming requests. The value must always be less than the Maximum Connections value you specify.

    • Health Check: Whether a health check must be performed to detect a slow server. If you select this field, you must specify the health-check Bind DN and Maximum Response Time.

    • Bind DN: The user DN with which the health-check Bind request is performed.

    • Maximum Response Time: The maximum time (in milliseconds) within which the health-check Bind request must receive a response.

  10. To add more back-end servers, repeat Step 5 to Step 8.

  11. To delete a back-end server, select the server from the list and click the delete icon.

  12. Click Provisioning > Save to save the changes.

2.5.5 Examples

Example 1

<list-backend-server health-check-interval-secs="7200">
 <backend-server id-backend-server="Backend1" capability="1" max-connections="5000">
  <service protocol="ldap">
   <addr-ipv4>192.168.1.4</addr-ipv4>
   <port>389</port>
  </service>
  <connection-pool>
   <start-pool-size>256</start-pool-size>
  </connection-pool>
  <health-check max-response-time-ms="5000">
   <req-ldap-bind>
    <bind-dn>cn=dummy,o=my_company</bind-dn>
   </req-ldap-bind>
  </health-check>
 </backend-server>
</list-backend-server>

In Example 1, the back-end server is identified as Backend1. It is defined to use the LDAP protocol for communication with the back-end server. The interface is defined by IP address 192.168.1.4 and port 389. This example also specifies a health check every 7200 seconds, a capability of 1, and a maximum of 5000 connections. The connection-pool size is 256. It also defines a bind request to detect a slow server: the max-response time is 5000 milliseconds and the user DN is cn=dummy,o=my_company.

<list-backend-server health-check-interval-secs="7200">
       <backend-server id-backend-server="Backend1" capability="1" max-connections="5000">
             <service protocol="ldap">
                    <addr-ipv6>[2015::37]</addr-ipv6>
                    <port>389</port>
             </service>
             <connection-pool>
               <start-pool-size>256</start-pool-size>
             </connection-pool>
             <health-check max-response-time-ms="5000">
               <req-ldap-bind>
                 <bind-dn>cn=user1,o=company1</bind-dn>
               </req-ldap-bind>
             </health-check>
       </backend-server>
       <backend-server id-backend-server="Backend2" capability="5" max-connections="7000">
             <service protocol="ldap">
                    <addr-ipv4>192.168.1.1</addr-ipv4>
                    <port>1389</port>
             </service>
             <connection-pool>
               <start-pool-size>256</start-pool-size>
             </connection-pool>
             <health-check max-response-time-ms="5000">
               <req-ldap-bind>
                 <bind-dn>cn=user2,o=company2</bind-dn>
               </req-ldap-bind>
             </health-check>
       </backend-server>
</list-backend-server>

In this second listing of Example 1, the back-end servers are identified as Backend1 and Backend2. Both use the LDAP protocol; Backend1 is reached at an IPv6 address on port 389 and Backend2 at an IPv4 address on port 1389. The listing also specifies a health check every 7200 seconds, capabilities of 1 and 5, maximum connections of 5000 and 7000, and a connection-pool size of 256 for each server. Each server defines a bind request to detect a slow server, with a max-response time of 5000 milliseconds and the user DNs cn=user1,o=company1 and cn=user2,o=company2 respectively.

Example 2

<list-backend-server>
 <backend-server id-backend-server="Backend1" max-connections="3000">
  <service protocol="ldaps">
   <addr-ipv4>192.168.1.1</addr-ipv4>
   <port>636</port>
  </service>
 </backend-server>
 <backend-server id-backend-server="Backend2">
  <service protocol="ldap">
   <addr-ipv4>192.168.1.3</addr-ipv4>
   <port>3389</port>
  </service>
 </backend-server>
</list-backend-server>

In Example 2, two back-end servers are defined as Backend1 and Backend2. Backend1 is defined to use the ldaps protocol; its interface is IP address 192.168.1.1 and port 636, and it allows a maximum of 3000 connections. Backend2 is defined to use the ldap protocol at IP address 192.168.1.3 and port 3389. Because Backend2 uses ldap, the connection from the proxy to Backend2 is unencrypted and any Bind credentials sent on it cross the network in cleartext; use ldaps (see Configuring Back-End Server on a Secure Port) unless that link is otherwise protected.

2.5.6 Configuring Server Groups

A server group consists of a number of the back-end servers configured for LDAP Proxy. Grouping servers enables the proxy to distribute the load between the servers in the group (load balancing) and to route requests around a failed server to an active one (failover).

LDAP Proxy supports connection-based, dynamic, and priority-based load balancing. When a new client connection arrives, the load balancer calculates the load on each back-end server in the group, selects the least loaded server, and routes the new connection to it. All subsequent requests on that connection are routed to the same back-end server until the connection is terminated.

In connection-based load balancing, the load is calculated from the following two factors:

  • The number of active connections

  • The relative capability weight of each back-end server

    When all the servers are of equal capability, the connections are routed in a round-robin fashion.

    During proxy configuration, specify the relative capability weight of each back-end server in the group using its capability attribute. The relative capability weight can be determined from the hardware configuration of the server.

In dynamic load balancing, the load is calculated based on the following two factors:

  • The total number of outstanding and pending requests on each back-end server

  • The current average response time of each back-end server, which is calculated periodically by performing health checks

The factors used for dynamic load balancing give a more accurate picture of the performance of the back-end servers within a group, so dynamic load balancing is preferred to connection-based load balancing. For information about how to configure back-end server groups, refer to Configuring Additional Server Groups.

The <list-load-balancer> node in the configuration file lists all the back-end server groups configured for the proxy. Additional back-end server groups must be defined in this node.

For instance, to define a connection-based server group named connld that consists of the back-end servers Backend1 and Backend3, you can write the following:

<list-load-balancer>
 <lb-conn-based id-load-balancer="connld">
  <ref-backend-server>Backend1</ref-backend-server>
  <ref-backend-server>Backend3</ref-backend-server>
 </lb-conn-based>
</list-load-balancer>

Configuration Parameters for Server Groups

The following elements and parameters are used to configure back-end server groups:

  • <lb-conn-based>: Defines a connection-based load balancer (server group).

  • <lb-dynamic-load-based>: Defines a dynamic load balancer (server group).

    Both the <lb-conn-based> and <lb-dynamic-load-based> elements must have the following attribute:

    • id-load-balancer: The identity of the load balancer (back-end server group). This is a mandatory attribute and its value is used to refer to the load balancer. It must be a unique alphanumeric value. In the sample configuration, the back-end server group is identified as connld.

    Both the <lb-conn-based> and <lb-dynamic-load-based> elements must have the following child element:

    • <ref-backend-server>: The back-end server to be grouped in the defined back-end server group. The term ref in this element indicates that this element is actually a pointer to a back-end server. For instance, the sample configuration indicates that the specified connection-based server group is made up of the Backend1 and Backend3 back-end servers.

  • <lb-priority-based>: The configured element is a priority-based load balancer.

    You can configure a priority-based load balancer with a set of servers in a specific order. The load balancer always routes to the highest-priority server that is up, so the lower-priority servers act as standby servers, as shown in the following example:

    <lb-priority-based id-load-balancer="backend-grp1">
           <ref-backend-server>Backend2</ref-backend-server>
           <ref-backend-server>Backend1</ref-backend-server>
    </lb-priority-based>
    <lb-priority-based id-load-balancer="backend-grp2">
           <ref-backend-server>Backend1</ref-backend-server>
    </lb-priority-based>

    In the preceding example, in the load balancer backend-grp1, Backend2 has the highest priority and Backend1 the second highest. If you choose backend-grp1, the proxy routes to Backend2 while it is up and falls back to Backend1 only when Backend2 is unavailable. The load balancer backend-grp2 always routes to Backend1, and if Backend1 is not available, the operation fails.
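The three selection policies described above, connection-based, dynamic and priority-based, modelled in an added example that is not LDAP Proxy's code. The page states which factors each policy weighs but not the arithmetic, so the load formulas (active connections divided by capability; queue depth times measured response time) are this example's assumptions, as are the fields of the Backend class. The ServerGroup class also shows the connection affinity described above: a back-end is chosen once per client connection and every later request on that connection stays on it until the connection closes.

```python
# Added example, not LDAP Proxy code: the three server-selection policies described
# above, over plain Python objects. The load formulas are this example's assumptions;
# the page names the factors but not the arithmetic.
from dataclasses import dataclass
from itertools import count


@dataclass
class Backend:
    id: str
    capability: int = 1            # relative capability weight (capability attribute)
    up: bool = True                # latest health-check verdict
    active_conns: int = 0          # client connections currently routed to it
    pending: int = 0               # outstanding and pending requests
    avg_response_ms: float = 1.0   # average response time from the health check


def pick_connection_based(servers, rr):
    """Least active connections per unit of capability; round-robin on ties."""
    candidates = [s for s in servers if s.up]
    if not candidates:
        raise RuntimeError("no back-end server available")

    def load(s):                                  # assumed weighting
        return s.active_conns / s.capability
    best = min(load(s) for s in candidates)
    tied = [s for s in candidates if load(s) == best]
    return tied[next(rr) % len(tied)]


def pick_dynamic(servers):
    """Shortest expected wait: queue depth times measured response time (assumed formula)."""
    candidates = [s for s in servers if s.up]
    if not candidates:
        raise RuntimeError("no back-end server available")
    return min(candidates, key=lambda s: (s.pending + 1) * s.avg_response_ms)


def pick_priority(servers_in_order):
    """First server in configured order that is up; the rest are standby."""
    for s in servers_in_order:
        if s.up:
            return s
    raise RuntimeError("no back-end server available")


class ServerGroup:
    """One <lb-*> group: picks a back-end per new client connection and keeps every
    later request on that connection pinned to the same back-end (connection affinity)."""

    def __init__(self, policy, servers):
        self.policy, self.servers = policy, servers
        self._rr = count()
        self._conns = {}

    def select(self):
        if self.policy == "conn":
            return pick_connection_based(self.servers, self._rr)
        if self.policy == "dynamic":
            return pick_dynamic(self.servers)
        if self.policy == "priority":
            return pick_priority(self.servers)
        raise ValueError(f"unknown policy {self.policy!r}")

    def open_connection(self, conn_id):
        backend = self.select()
        backend.active_conns += 1
        self._conns[conn_id] = backend
        return backend.id

    def route_request(self, conn_id):
        return self._conns[conn_id].id            # same back-end for the life of the connection

    def close_connection(self, conn_id):
        self._conns.pop(conn_id).active_conns -= 1


def distribute(group, n):
    """Open n client connections and return how many landed on each back-end."""
    counts = {s.id: 0 for s in group.servers}
    for conn_id in range(n):
        counts[group.open_connection(conn_id)] += 1
    return counts


if __name__ == "__main__":
    weighted = ServerGroup("conn", [Backend("Backend1", capability=1), Backend("Backend2", capability=5)])
    print(distribute(weighted, 6))       # Backend2 takes five connections for each one on Backend1
    prio = ServerGroup("priority", [Backend("Backend2"), Backend("Backend1")])
    print(prio.open_connection(0))       # Backend2 while it is up
    prio.servers[0].up = False
    print(prio.open_connection(1))       # falls back to Backend1
```

With Backend1 at capability 1 and Backend2 at capability 5, as in Example 1, six new connections land 1:5, and the priority group from the preceding example stays on Backend2 until its health check marks it down. Because affinity pins a client connection to one back-end, a server that goes down mid-session affects every connection pinned to it; only new connections are routed around it.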

Configuring Additional Server Groups

Manually Configuring Additional Server Groups

To add a back-end server group manually, perform the following steps:

  1. Open the nlpconf.xml file from the /etc/opt/novell/ldapproxy/conf directory in any XML editor.

  2. To add a back-end server group to the existing configuration, create an instance of the following section within the <list-load-balancer> node:

    <list-load-balancer>
     <lb-conn-based id-load-balancer="connld">
      <ref-backend-server>Backend1</ref-backend-server>
      <ref-backend-server>Backend3</ref-backend-server>
     </lb-conn-based>
    </list-load-balancer>
  3. In the newly created instance, provide a name for the new back-end server group.

  4. Provide the name of the back-end servers that you want to configure in this group. If you have more than two servers, add additional <ref-backend-server> elements to define each back-end server.

    For information about the elements/attributes that are used to define these parameters, refer to Configuration Parameters for Server Groups.

  5. To add more back-end server groups, repeat Step 2 to Step 4.

  6. Save the nlpconf.xml file.

Configuring Additional Server Groups Using NLPManager

You can configure additional back-end server groups to the proxy configuration by using the Backend Server Group tab.

  1. Run the ./NLPManager command to start NLPManager.

  2. To open the nlpconf.xml file, do one of the following:

    • Click the open icon on the toolbar.

    • In the Provisioning menu, click Open Configuration.

    The Open dialog box appears.

  3. Browse to the nlpconf.xml file in the /etc/opt/novell/ldapproxy/conf directory and click Open.

    The conf directory is available on the machine where you installed LDAP Proxy.

    If NLPManager and LDAP Proxy are installed on different machines, you must either save the nlpconf.xml on the machine where you have installed NLPManager or map a network drive to the machine where you installed the proxy.

    The proxy configuration is displayed in the Project Explorer pane.

  4. Click the Backend Server Groups option in the Project Explorer pane.

    The Backend Server Group tab is displayed. By default, one server group is defined, and both of the default back-end servers are defined in this group. You can add more groups and include other servers in each group.

  5. To add a server group, click the add icon.

    The Add New Server Group window is displayed.

  6. Specify a name to identify the back-end server group you are configuring and click OK. The name must be a unique alphanumeric value.

    The server group configuration is displayed.

  7. Specify the following:

    • Load Balancing: The type of load balancing: Connection Based, Dynamic, or Priority Based.

    • Selected Servers: The back-end servers to include in the server group. Use the arrow buttons to move servers between the Selected Servers and Available Servers lists. For a Priority Based group, the order of the servers is significant (see Configuration Parameters for Server Groups).

  8. To add more server groups, follow Step 5 to Step 7.

  9. To delete a server group, select the server group and click the delete icon.

  10. Click Provisioning > Save to save the changes.

To configure message policies, refer to Configuring Policies.

Example:

<list-load-balancer>
 <lb-conn-based id-load-balancer="connld">
  <ref-backend-server>Backend1</ref-backend-server>
  <ref-backend-server>Backend3</ref-backend-server>
 </lb-conn-based>
 <lb-dynamic-load-based id-load-balancer="dyld">
  <ref-backend-server>Backend2</ref-backend-server>
  <ref-backend-server>Backend4</ref-backend-server>
 </lb-dynamic-load-based>
</list-load-balancer>

In this example, two back-end server groups are defined, connld and dyld. connld performs connection-based load balancing between Backend1 and Backend3; dyld performs dynamic load balancing between Backend2 and Backend4.