11.5 Configuring Multiple LDAP Servers for Failover

To configure one or more LDAP servers as failover servers for LDAP authentication:

  1. Log in to the Sentinel Log Manager server as root user.

  2. Switch to the novell user.

    su - novell
    
  3. Change to the /etc/opt/novell/sentinel_log_mgr/config directory:

    cd /etc/opt/novell/sentinel_log_mgr/config/
    
  4. Open the auth.login file for editing.

    vi auth.login
    
  5. Update the userProvider option in the LdapLogin section to list multiple LDAP URLs, separated by a single blank space.

    For example:

    userProvider="ldap://primary_server_IP:port/BaseDN ldap://failover_server_IP:port/BaseDN" 
    

    NOTE: For Active Directory, ensure that the BaseDN in the LDAP URL is not blank.

    For more information on specifying multiple LDAP URLs, see the description of the userProvider option in Class LdapLogin Module.

  6. Save the changes.
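As an added check that is not part of the original documentation, the following POSIX shell functions validate a userProvider line before you save auth.login: every URL must use ldap:// or ldaps://, carry host:port, and have a non-blank BaseDN (the Active Directory caveat above), and at least two URLs must be present for failover to mean anything. The sample lines, hosts and DNs are constructed placeholders.

```sh
#!/bin/sh
# Added example: sanity-check the userProvider value in auth.login
# before saving it. Not part of the Sentinel Log Manager product.

# check_ldap_url URL -> returns 0 if well-formed, 1 otherwise
check_ldap_url() {
    url=$1
    case "$url" in
        ldap://*|ldaps://*) ;;
        *) echo "bad scheme: $url" >&2; return 1 ;;
    esac
    rest=${url#*://}              # host:port/BaseDN
    hostport=${rest%%/*}          # host:port
    basedn=${rest#"$hostport"}    # /BaseDN or empty
    basedn=${basedn#/}
    case "$hostport" in
        *:[0-9]*) ;;
        *) echo "missing port: $url" >&2; return 1 ;;
    esac
    # A blank BaseDN breaks Active Directory lookups, so reject it.
    [ -n "$basedn" ] || { echo "blank BaseDN: $url" >&2; return 1; }
    return 0
}

# check_user_provider 'userProvider="url1 url2"' -> 0 if every URL is
# well-formed and at least two URLs are listed, 1 otherwise
check_user_provider() {
    line=$1
    value=${line#*=\"}            # strip the leading userProvider="
    value=${value%\"*}            # strip the closing quote
    count=0
    for u in $value; do           # URLs are blank-separated
        check_ldap_url "$u" || return 1
        count=$((count + 1))
    done
    [ "$count" -ge 2 ] || { echo "failover needs at least two URLs" >&2; return 1; }
    return 0
}

# Constructed sample lines (placeholder addresses and DNs).
GOOD_LINE='userProvider="ldap://10.0.0.1:389/dc=example,dc=com ldaps://10.0.0.2:636/dc=example,dc=com"'
BLANK_DN_LINE='userProvider="ldap://10.0.0.1:389/ ldap://10.0.0.2:389/dc=example,dc=com"'
SINGLE_LINE='userProvider="ldap://10.0.0.1:389/dc=example,dc=com"'
```

Run `check_user_provider "$(grep '^userProvider=' auth.login)"` against the real file before you save it.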

If you are using an SSL connection to the LDAP server and if the LDAP server certificate is not signed by a well-known CA, you must perform the following additional steps:

  1. Export the certificate of each failover LDAP server and copy the certificate file to the /etc/opt/novell/sentinel_log_mgr/config directory on the Sentinel Log Manager server.

    For more information, see Section 11.2.1, Exporting the LDAP Server CA Certificate.

  2. Ensure that you set the necessary ownership and permissions of the certificate file for each LDAP server.

    chown novell:novell /etc/opt/novell/sentinel_log_mgr/config/<cert-file>
    
    chmod 600 /etc/opt/novell/sentinel_log_mgr/config/<cert-file>
    
  3. Add each LDAP server certificate to the keystore named activemqkeystore.jks.

    /opt/novell/sentinel_log_mgr/jre/bin/keytool -importcert -noprompt -trustcacerts -file <certificate-file> -alias <alias_name> -keystore /etc/opt/novell/sentinel_log_mgr/config/.activemqkeystore.jks -storepass password
    

    where <certificate-file> is the LDAP certificate filename and <alias_name> is the alias name for the certificate to be added.

    IMPORTANT: Ensure that you specify the alias. If no alias is specified, the keytool takes mykey as the alias by default. When you import multiple certificates into the keystore without specifying an alias, the keytool reports an error that the alias already exists.

You have now successfully configured LDAP servers for failover.