IBM Security Verify


SDS HA or master/replica with ISVA

  • 1.  SDS HA or master/replica with ISVA

    Posted 30 days ago
    Hi all,

    What are the best practices for using Security Directory Server HA or master/replica with ISVA?

    Regards,
    Rodrigo

    ------------------------------
    Rodrigo Xavier
    ------------------------------


  • 2.  RE: SDS HA or master/replica with ISVA

    Posted 15 days ago
    Hi Rodrigo,

    There are some considerations depending on the size and geographical distribution of your data-centres and failover/DR methodology.

    In general, the best way to set up IBM Security Directory Server for use with Verify Access is to set up the directory cluster in multi-master mode but then configure the "replica" configuration in Verify Access so that it load-balances read operations but favours a single directory instance for writes (with failover).  That way you get high performance read operations and you do not risk conflicts in your write operations.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: SDS HA or master/replica with ISVA

    Posted 11 days ago
    Thank you, Jon!
    We'll study the customer scenario to check the best solution.

    Regards,
    Rodrigo

    ------------------------------
    Rodrigo Xavier
    ------------------------------



  • 4.  RE: SDS HA or master/replica with ISVA

    Posted 9 days ago
    Hi Jon:
    In the Federated Directory, I can create multiple ones.
    When I create a new one, I can find the attributes "Name", "Hostname", and more.
    I can add multiple Suffixes, but only 1 hostname. How do I specify the IP address of both SDS Masters?

    I only see one possibility, which is adding another entry in the Federated Directory, where I can specify a new one, but with the same suffix.
    Is this the correct way to configure highly available LDAP servers?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 5.  RE: SDS HA or master/replica with ISVA

    Posted 9 days ago
    Hi Joao,

    You can only configure a single LDAP server when configuring a new federated directory in the UI.
    [It is the same for the "primary" LDAP actually (set up during initial config)]

    In both cases, the way to add replicas is to edit the ldap.conf file.  In the LMI, navigate to the Web-->Runtime Component page and then select Manage-->Configuration files-->ldap.conf from the drop-down menu.

    In the ldap.conf configuration file you'll find comments that describe how to specify replicas for both the primary and federated directories. It's the same in both cases (addition of replica entries) except that the primary replicas are added in the [ldap] stanza and the federated replicas are added in the [server:<federated directory>] stanza.

    As an aside, worth noting that replicas can be configured with a priority (which controls load-balancing and failover behaviour) and with a type (so you can define different behaviour for read vs write operations).

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
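
Added example, not part of any post in this thread and not IBM code: a small Python check of the replica layout discussed above, reporting the write failover order per `[ldap]` / `[server:<federated directory>]` stanza and flagging stanzas where no single server is favoured for writes. It assumes replica lines of the form `replica = host,port,type,preference` with type `readonly` or `readwrite` and preference 1-10, higher preferred; confirm this against the comments in your own ldap.conf. Host names and the directory name `fed1` are constructed.

```python
import re

# Constructed sample, not taken from the thread: host names, ports and the
# federated directory name "fed1" are placeholders.
SAMPLE = """\
[ldap]
replica = sds1.example.com,636,readwrite,9
replica = sds2.example.com,636,readwrite,5
replica = sds3.example.com,636,readonly,5
replica = sds4.example.com,636,readonly,5

[server:fed1]
replica = sds5.example.com,636,readwrite,5
replica = sds6.example.com,636,readwrite,5
replica = sds7.example.com,636,readonly
"""

def audit(text):
    """Return {stanza: {"write_order": [...], "issues": [...]}}.

    Assumes 'replica = host,port,type,preference' with preference 1-10 and
    the higher number preferred. The stanza's own host entry is not checked.
    """
    report, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(ldap|server:.+)\]", line)
        if header:
            stanza = header.group(1)
            report[stanza] = {"writers": [], "issues": []}
        elif line.startswith("["):
            stanza = None  # some other stanza: ignore its contents
        elif stanza and re.match(r"replica\s*=", line):
            fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
            ok = (len(fields) == 4 and fields[1].isdigit() and fields[3].isdigit()
                  and fields[2] in ("readonly", "readwrite")
                  and 1 <= int(fields[3]) <= 10)
            if not ok:
                report[stanza]["issues"].append("malformed replica: " + line)
            elif fields[2] == "readwrite":
                report[stanza]["writers"].append((int(fields[3]), fields[0]))
    for entry in report.values():
        # Highest preference first; ties keep file order.
        writers = sorted(entry.pop("writers"), key=lambda w: -w[0])
        entry["write_order"] = [host for _, host in writers]
        if len(writers) > 1 and writers[0][0] == writers[1][0]:
            entry["issues"].append("writes not pinned: top readwrite replicas tie")
    return report
```

Run `audit()` on the text of ldap.conf exported from the LMI; an empty `issues` list for a stanza means its readwrite replicas have a single most-preferred server.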



  • 6.  RE: SDS HA or master/replica with ISVA

    Posted 9 days ago
    Thanks.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------