3.5 Configuring Multiple LDAP Servers for Failover

To configure one or more LDAP servers as failover servers for LDAP authentication:

  1. Log in to the Sentinel server as root user.

  2. Switch to the novell user:

    su - novell
    
  3. Change to the /etc/opt/novell/sentinel/config directory:

    cd /etc/opt/novell/sentinel/config/
    
  4. Open the auth.login file for editing:

    vi auth.login
    
  5. Update the userProvider value in the LdapLogin section to specify multiple LDAP URLs. Separate the URLs with a single space.

    For example:

    userProvider="ldap://primary_server_IP:port/BaseDN ldap://failover_server_IP:port/BaseDN" 
    

    For Active Directory, ensure that the BaseDN in the LDAP URL is not blank.

    For more information on specifying multiple LDAP URLs, see the description of the userProvider option in “Class LdapLogin Module”.

  6. Save the changes.
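The following shell script is an added example; it is not part of the Sentinel documentation or product. It reads the userProvider value from an auth.login file and checks every space-separated URL for the properties the procedure above relies on: an ldap:// or ldaps:// scheme, a host, a numeric port, and a non-blank BaseDN (the page requires the BaseDN for Active Directory; this check treats a blank BaseDN as an error for every URL). The file path and the sample auth.login content in the usage comments are assumptions.

```shell
# Added example (not from the Sentinel documentation): validate the
# userProvider line in auth.login before restarting the server.

# Check one LDAP URL of the form ldap[s]://host:port/BaseDN.
# Prints the problem and returns 1 on the first failure, 0 if well-formed.
check_ldap_url() {
    url=$1
    case "$url" in
        ldap://*|ldaps://*) ;;
        *) echo "bad scheme (expected ldap:// or ldaps://): $url"; return 1 ;;
    esac
    rest=${url#*://}            # host:port/BaseDN
    hostport=${rest%%/*}        # host:port
    basedn=${rest#"$hostport"}  # /BaseDN or empty
    basedn=${basedn#/}
    host=${hostport%%:*}
    port=${hostport#*:}
    [ -n "$host" ] || { echo "missing host: $url"; return 1; }
    if [ "$port" = "$hostport" ] || [ -z "$port" ]; then
        echo "missing port: $url"; return 1
    fi
    case "$port" in *[!0-9]*) echo "port is not numeric: $url"; return 1 ;; esac
    [ -n "$basedn" ] || { echo "blank BaseDN (required for Active Directory): $url"; return 1; }
    return 0
}

# Extract the quoted userProvider value from FILE and check each URL in it.
# Returns 0 if every URL passes, 1 if any fails, 2 if the value is missing.
check_user_provider() {
    file=$1
    value=$(sed -n 's/^[[:space:]]*userProvider="\([^"]*\)".*/\1/p' "$file" | head -n 1)
    [ -n "$value" ] || { echo "no userProvider value found in $file"; return 2; }
    n=0; bad=0
    for url in $value; do          # word-split on the spaces between URLs
        n=$((n + 1))
        check_ldap_url "$url" || bad=$((bad + 1))
    done
    echo "$n URL(s) checked, $bad invalid"
    [ "$bad" -eq 0 ]
}

# Usage: sh check_auth_login.sh /etc/opt/novell/sentinel/config/auth.login
if [ -n "${1:-}" ]; then
    check_user_provider "$1"
fi
```

A non-zero exit means the line needs attention before the server is restarted; with a blank BaseDN the primary server may authenticate while the failover URL silently does not.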

If you are using an SSL connection to the LDAP server and if the LDAP server certificate is not signed by a well-known CA, you must perform the following additional steps:

  1. Export the certificate of each failover LDAP server and copy the certificate file to the /etc/opt/novell/sentinel/config directory on the Sentinel server.

    For more information, see Section 3.2.1, Exporting the LDAP Server CA Certificate.

  2. Ensure that you set the necessary ownership and permissions of the certificate file for each LDAP server.

    chown novell:novell /etc/opt/novell/sentinel/config/<cert-file>
    
    chmod 600 /etc/opt/novell/sentinel/config/<cert-file>
    
  3. Add each LDAP server certificate to the keystore named .ldapkeystore.jks.

    /opt/novell/sentinel/jre/bin/keytool -importcert -noprompt -trustcacerts -file <certificate-file> -alias <alias_name> -keystore /etc/opt/novell/sentinel/config/.ldapkeystore.jks -storepass password
    

    Replace <certificate-file> with the LDAP certificate filename and <alias_name> with the alias name for the certificate to be added.

    IMPORTANT: Ensure that you specify the alias. If no alias is specified, the keytool takes mykey as the alias by default. When you import multiple certificates into the keystore without specifying an alias, the keytool reports an error that the alias already exists.
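The following shell script is an added example; it is not part of the Sentinel documentation or product. It automates steps 2 and 3 above for any number of failover certificates: it sets the ownership and permissions, derives a unique alias from each certificate filename (so the default alias mykey is never used twice), and checks the output of keytool -list before importing so that a re-run skips certificates that are already in the keystore instead of failing with "alias already exists". The keytool path, the config directory, the file extensions searched, and the store password are assumptions taken from the procedure above.

```shell
# Added example (not from the Sentinel documentation): import failover LDAP
# certificates into .ldapkeystore.jks with unique, filename-derived aliases.

KEYTOOL=${KEYTOOL:-/opt/novell/sentinel/jre/bin/keytool}
CONFIG_DIR=${CONFIG_DIR:-/etc/opt/novell/sentinel/config}
KEYSTORE=${KEYSTORE:-$CONFIG_DIR/.ldapkeystore.jks}
STOREPASS=${STOREPASS:-password}   # store password used in the procedure above

# Derive an alias from a certificate path: basename without extension,
# lowercased (keytool compares aliases case-insensitively), with any
# character outside [a-z0-9_-] replaced by '_'.
alias_for_cert() {
    name=$(basename "$1")
    name=${name%.*}
    printf '%s' "$name" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9_-' '_'
}

# Given the text printed by "keytool -list", report whether ALIAS exists.
# keytool prints one "alias, date, entryType," line per keystore entry.
keystore_has_alias() {
    list_output=$1; alias=$2
    printf '%s\n' "$list_output" | grep -qi -- "^$alias,"
}

# Fix ownership and permissions on one certificate, then import it unless
# the keystore already holds an entry under the derived alias.
import_ldap_cert() {
    cert=$1
    alias=$(alias_for_cert "$cert")
    chown novell:novell "$cert"
    chmod 600 "$cert"
    existing=$("$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null || true)
    if keystore_has_alias "$existing" "$alias"; then
        echo "skipping $cert: alias '$alias' already exists in $KEYSTORE"
        return 0
    fi
    "$KEYTOOL" -importcert -noprompt -trustcacerts -file "$cert" -alias "$alias" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
    echo "imported $cert as alias '$alias'"
}

# Import every .cer, .crt and .pem file found in DIR (default: CONFIG_DIR).
import_all_ldap_certs() {
    dir=${1:-$CONFIG_DIR}
    for cert in "$dir"/*.cer "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        import_ldap_cert "$cert"
    done
}

# Usage (as root, after copying the certificates into CONFIG_DIR):
#   sh import_ldap_certs.sh --run [DIR]
if [ "${1:-}" = "--run" ]; then
    import_all_ldap_certs "${2:-}"
fi
```

Because the alias is a function of the filename, re-running the script after adding a new failover server imports only the new certificate; an existing alias is reported and skipped rather than aborting the loop.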

In some environments, the Sentinel server might not connect to the failover LDAP server if the Sentinel server times out before it finds that the primary LDAP server is down. In such cases, perform the following additional steps to ensure that the Sentinel server connects to the failover LDAP server without timing out:

  1. Open the sysctl.conf file for editing:

    vi /etc/sysctl.conf
    
  2. Ensure that the net.ipv4.tcp_syn_retries value is set to 3. If the entry does not exist, add the entry. Save the file:

    net.ipv4.tcp_syn_retries = 3
    
  3. Execute the following commands for the changes to take effect:

    /sbin/sysctl -p
    
    /sbin/sysctl -w net.ipv4.route.flush=1
    
  4. Open the server.conf file for editing:

    vi /etc/opt/novell/sentinel/config/server.conf
    
  5. Set the Sentinel server timeout value to 60 seconds by appending a new parameter in the Java Additional Parameters section as follows:

    wrapper.java.additional.53=-Desecurity.remote.timeout=60
    
  6. Restart the Sentinel server:

    /etc/init.d/sentinel restart
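The following shell functions are an added example; they are not part of the Sentinel documentation or product. They make the two file edits in the procedure above idempotent, so the procedure can be scripted and re-run safely: set_sysctl_value() replaces an existing net.ipv4.tcp_syn_retries line or appends one, and set_wrapper_param() adds the -Desecurity.remote.timeout parameter under the next unused wrapper.java.additional.<n> index (on a server.conf whose highest existing index is 52 this is the 53 shown in step 5) or updates the value if the parameter is already present, since each numbered wrapper key must be unique. File paths are parameters so the functions can be exercised on copies; the real paths and the restart command in apply_timeout_fix() are taken from the steps above.

```shell
# Added example (not from the Sentinel documentation): idempotent helpers for
# the sysctl.conf and server.conf edits in the failover timeout procedure.

escape_re() {            # escape '.' so a key like net.ipv4.tcp_syn_retries is literal in a BRE
    printf '%s' "$1" | sed 's/\./\\./g'
}

get_sysctl_value() {     # print the current value of KEY in FILE (empty if absent)
    file=$1; re=$(escape_re "$2")
    sed -n "s/^[[:space:]]*$re[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1
}

set_sysctl_value() {     # set "KEY = VALUE" in FILE, replacing any existing line for KEY
    file=$1; key=$2; value=$3; re=$(escape_re "$key")
    if grep -q "^[[:space:]]*$re[[:space:]]*=" "$file"; then
        sed "s/^[[:space:]]*$re[[:space:]]*=.*/$key = $value/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

next_wrapper_index() {   # 1 + the highest wrapper.java.additional.<n> index in FILE
    max=$(sed -n 's/^wrapper\.java\.additional\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -n 1)
    echo $(( ${max:-0} + 1 ))
}

set_wrapper_param() {    # ensure -DPROP=VALUE appears once in FILE; print the resulting line
    file=$1; prop=$2; value=$3; re=$(escape_re "$prop")
    if grep -q "^wrapper\.java\.additional\.[0-9]*=-D$re=" "$file"; then
        sed "s/^\(wrapper\.java\.additional\.[0-9]*\)=-D$re=.*/\1=-D$prop=$value/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'wrapper.java.additional.%s=-D%s=%s\n' \
            "$(next_wrapper_index "$file")" "$prop" "$value" >> "$file"
    fi
    grep "^wrapper\.java\.additional\.[0-9]*=-D$re=" "$file"
}

apply_timeout_fix() {    # the procedure above, on the real files; run as root
    set_sysctl_value /etc/sysctl.conf net.ipv4.tcp_syn_retries 3
    /sbin/sysctl -p
    /sbin/sysctl -w net.ipv4.route.flush=1
    set_wrapper_param /etc/opt/novell/sentinel/config/server.conf esecurity.remote.timeout 60
    /etc/init.d/sentinel restart
}

# Usage: sh timeout_fix.sh --run
if [ "${1:-}" = "--run" ]; then
    apply_timeout_fix
fi
```

The new wrapper line is appended at the end of server.conf rather than inside the Java Additional Parameters comment block; the wrapper reads the numbered keys wherever they appear, but moving the line up keeps the file readable for the next administrator.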