IBM Security Verify

Hi Scott, thanks for your anwser, It is clear to me that we can have multiple LDAP servers in replica and in various modes (read / write) but can it be guaranteed that the LDAP Master server only receives write requests (not read request)? This operational model for LDAP servers currently works and the client would like to maintain it.

Hi Team.. A customer uses a home-made microservices layer to authenticate their applications to the IBM LDAP, all writes go to the LDAP Master, all reads go to the LDAP replicas. Customer is evaluating the possibility of replacing the microservices with Verify Access but wants to keep the scheme that write operations only go to the LDAP Master and write operations go to the LDAP replicas. Is this possible? Does Verify Access depend on something else? Some clue? Thanks in advance

Hi David,  Below are my two cents...

My assumption is that the current microservices component can differentiate between a write and read request before sending the request to write/read server.

When using ISVA, we need to identify the transactions native/custom to WebSEAL/SCIM/AAC components and then route the transactions accordinly to write or read server.

For example

1. If SCIM is used for Self-care, the connection settings could be pointed to Write server.

2. If WebSEAL/infomap is primarily used for AuthN and AuthZ purposes, you can just simply point to read-only replicas

3. Other option is to use an InfoMap solution that can emulate the write/read transactions of microservices and use the appropriate connection settings to call write or read server.

Hope it helps..


Regards,

Rama

Hi Scott, thanks for your anwser, It is clear to me that we can have multiple LDAP servers in replica and in various modes (read / write) but can it be guaranteed that the LDAP Master server only receives write requests (not read request)? This operational model for LDAP servers currently works and the client would like to maintain it.

Hi Team.. A customer uses a home-made microservices layer to authenticate their applications to the IBM LDAP, all writes go to the LDAP Master, all reads go to the LDAP replicas. Customer is evaluating the possibility of replacing the microservices with Verify Access but wants to keep the scheme that write operations only go to the LDAP Master and write operations go to the LDAP replicas. Is this possible? Does Verify Access depend on something else? Some clue? Thanks in advance

Hi David,  Below are my two cents...

My assumption is that the current microservices component can differentiate between a write and read request before sending the request to write/read server.

When using ISVA, we need to identify the transactions native/custom to WebSEAL/SCIM/AAC components and then route the transactions accordinly to write or read server.

For example

1. If SCIM is used for Self-care, the connection settings could be pointed to Write server.

2. If WebSEAL/infomap is primarily used for AuthN and AuthZ purposes, you can just simply point to read-only replicas

3. Other option is to use an InfoMap solution that can emulate the write/read transactions of microservices and use the appropriate connection settings to call write or read server.

Hope it helps..


Regards,

Rama

Hi Scott, thanks for your anwser, It is clear to me that we can have multiple LDAP servers in replica and in various modes (read / write) but can it be guaranteed that the LDAP Master server only receives write requests (not read request)? This operational model for LDAP servers currently works and the client would like to maintain it.

Hi Team.. A customer uses a home-made microservices layer to authenticate their applications to the IBM LDAP, all writes go to the LDAP Master, all reads go to the LDAP replicas. Customer is evaluating the possibility of replacing the microservices with Verify Access but wants to keep the scheme that write operations only go to the LDAP Master and write operations go to the LDAP replicas. Is this possible? Does Verify Access depend on something else? Some clue? Thanks in advance

Hi Scott, thanks for your anwser, It is clear to me that we can have multiple LDAP servers in replica and in various modes (read / write) but can it be guaranteed that the LDAP Master server only receives write requests (not read request)? This operational model for LDAP servers currently works and the client would like to maintain it.

Hi Team.. A customer uses a home-made microservices layer to authenticate their applications to the IBM LDAP, all writes go to the LDAP Master, all reads go to the LDAP replicas. Customer is evaluating the possibility of replacing the microservices with Verify Access but wants to keep the scheme that write operations only go to the LDAP Master and write operations go to the LDAP replicas. Is this possible? Does Verify Access depend on something else? Some clue? Thanks in advance

Hello David,

As Scott mentioned before we do have the ability to define LDAP replicas for the Reverse Proxy component.

The 'ldap.conf' has the following types of entries:

host

replica

The 'host' entry is the equivalent to 'ldaphost,port,readwrite,5' with respect to how it acts with the defined replicas.

The defined replicas take a hostname, port, mode, and priority with '10' being the highest.

If you wanted a scenario where writes only went to the primary and reads all went to other servers you could set up your ldap.conf like so:

[ldap]

...

host = primaryserver.dns.domain

port = 636

...

replica = readonlymember1.dns.domain,636,readonly,10

replica = readonlymember2.dns.domain,636,readonly,10

replica = readonlymemberN.dns.domain,636,readonly,10

replica = readonlymember9.dns.domain,636,readonly,10

This would tell the Reverse Proxy to make read requests to the pool of replicas unless they were not available at which point it would send read requests to the priority '5' server, unless that was also unreachable.

Here are the documentation references for each:

'host' : https://www.ibm.com/docs/en/sva/10.0.5?topic=ldapconf-host
'port' : https://www.ibm.com/docs/en/sva/10.0.5?topic=ldapconf-port
'replica' : https://www.ibm.com/docs/en/sva/10.0.5?topic=ldapconf-replica

These three entries used together determine how the Reverse Proxy instance communicates with the directory servers.

I believe the above information was also provided via slack as well.

Hi Scott, thanks for your anwser, It is clear to me that we can have multiple LDAP servers in replica and in various modes (read / write) but can it be guaranteed that the LDAP Master server only receives write requests (not read request)? This operational model for LDAP servers currently works and the client would like to maintain it.

Hi Team.. A customer uses a home-made microservices layer to authenticate their applications to the IBM LDAP, all writes go to the LDAP Master, all reads go to the LDAP replicas. Customer is evaluating the possibility of replacing the microservices with Verify Access but wants to keep the scheme that write operations only go to the LDAP Master and write operations go to the LDAP replicas. Is this possible? Does Verify Access depend on something else? Some clue? Thanks in advance

Hello David,

As Scott mentioned before we do have the ability to define LDAP replicas for the Reverse Proxy component.

The 'ldap.conf' has the following types of entries:

host

replica

The 'host' entry is the equivalent to 'ldaphost,port,readwrite,5' with respect to how it acts with the defined replicas.

The defined replicas take a hostname, port, mode, and priority with '10' being the highest.

If you wanted a scenario where writes only went to the primary and reads all went to other servers you could set up your ldap.conf like so:

[ldap]

...

host = primaryserver.dns.domain

port = 636

...

replica = readonlymember1.dns.domain,636,readonly,10

replica = readonlymember2.dns.domain,636,readonly,10

replica = readonlymemberN.dns.domain,636,readonly,10

replica = readonlymember9.dns.domain,636,readonly,10

This would tell the Reverse Proxy to make read requests to the pool of replicas unless they were not available at which point it would send read requests to the priority '5' server, unless that was also unreachable.

Here are the documentation references for each:

'host' : https://www.ibm.com/docs/en/sva/10.0.5?topic=ldapconf-host
'port' : https://www.ibm.com/docs/en/sva/10.0.5?topic=ldapconf-port
'replica' : https://www.ibm.com/docs/en/sva/10.0.5?topic=ldapconf-replica

These three entries used together determine how the Reverse Proxy instance communicates with the directory servers.

I believe the above information was also provided via slack as well.

Hi Scott, thanks for your anwser, It is clear to me that we can have multiple LDAP servers in replica and in various modes (read / write) but can it be guaranteed that the LDAP Master server only receives write requests (not read request)? This operational model for LDAP servers currently works and the client would like to maintain it.

Hi Team.. A customer uses a home-made microservices layer to authenticate their applications to the IBM LDAP, all writes go to the LDAP Master, all reads go to the LDAP replicas. Customer is evaluating the possibility of replacing the microservices with Verify Access but wants to keep the scheme that write operations only go to the LDAP Master and write operations go to the LDAP replicas. Is this possible? Does Verify Access depend on something else? Some clue? Thanks in advance

Is it mandatory to use secure port  and the associated certificate database for LDAP instances? I tried but I get these errors

Hello David,

As Scott mentioned before we do have the ability to define LDAP replicas for the Reverse Proxy component.

The 'ldap.conf' has the following types of entries:

host

replica

The 'host' entry is the equivalent to 'ldaphost,port,readwrite,5' with respect to how it acts with the defined replicas.

The defined replicas take a hostname, port, mode, and priority with '10' being the highest.

If you wanted a scenario where writes only went to the primary and reads all went to other servers you could set up your ldap.conf like so:

[ldap]

...

host = primaryserver.dns.domain

port = 636

...

replica = readonlymember1.dns.domain,636,readonly,10

replica = readonlymember2.dns.domain,636,readonly,10

replica = readonlymemberN.dns.domain,636,readonly,10

replica = readonlymember9.dns.domain,636,readonly,10

This would tell the Reverse Proxy to make read requests to the pool of replicas unless they were not available at which point it would send read requests to the priority '5' server, unless that was also unreachable.

Here are the documentation references for each:

'host' : https://www.ibm.com/docs/en/sva/10.0.5?topic=ldapconf-host
'port' : https://www.ibm.com/docs/en/sva/10.0.5?topic=ldapconf-port
'replica' : https://www.ibm.com/docs/en/sva/10.0.5?topic=ldapconf-replica

These three entries used together determine how the Reverse Proxy instance communicates with the directory servers.

I believe the above information was also provided via slack as well.

Hi Scott, thanks for your anwser, It is clear to me that we can have multiple LDAP servers in replica and in various modes (read / write) but can it be guaranteed that the LDAP Master server only receives write requests (not read request)? This operational model for LDAP servers currently works and the client would like to maintain it.

Hi Team.. A customer uses a home-made microservices layer to authenticate their applications to the IBM LDAP, all writes go to the LDAP Master, all reads go to the LDAP replicas. Customer is evaluating the possibility of replacing the microservices with Verify Access but wants to keep the scheme that write operations only go to the LDAP Master and write operations go to the LDAP replicas. Is this possible? Does Verify Access depend on something else? Some clue? Thanks in advance