The LDAP URI advisor allows you to better gauge Lightweight
Directory Access Protocol (LDAP) availability by processing a complete
request to the LDAP server. The LDAP URI advisor opens a connection
to the LDAP server and sends a BIND request that is based on the advisorrequest
field that you define on the server object. The advisor then waits
for a response from the LDAP server and returns the elapsed time as
a load.
About this task
In situations in which you cannot perform an anonymous bind
request to an LDAP server, you can use the LDAP URI advisor to bind
with an LDAP server that requires a user name and password. The LDAP
URI advisor might provide a more precise measurement of workload,
since the LDAP server will be required to process a complete request
rather than perform only an anonymous bind.
Procedure
- Set the advisorrequest field for the server that will use
the LDAP URI advisor.
- Set the advisorrequest field on the server object with
the dscontrol server command. The string you use for the
advisorrequest field must be compliant with the RFC2255 - The LDAP URL
Format, but you need to format the string differently to work
with Load Balancer. Specifically, RFC2255 does not allow for a password
to be provided on the URL line, so Load Balancer has to take a modified
string in the advisorrequest field, and convert that string to an
RFC2255 compliant request. For example, a typical LDAP
request might look like this:
ldapsearch -x -H ldap://bluepages.ibm.com:389 -D "uid=973524897,c=us,ou=bluepages,o=ibm.com" -w MYPASS -b "ou=bluepages,o=ibm.com" mail=user@us.ibm.com
To use this in Load Balancer's advisorrequest field, you should modify
the string to look like this:
ldap://bluepages.ibm.com:389/ou=bluepages,o=ibm.com??sub?(mail=user@us.ibm.com)?bindname=uid=973524897,c=us,ou=bluepages,o=ibm.com?!bindpass=MYPASS
To use this advisorrequest string with the dscontrol server command,
your command would look like this:
dscontrol server set cluster@server@port advisorrequest "ldap://bluepages.ibm.com:389/ou=bluepages,o=ibm.com??sub?(mail=user@us.ibm.com)?bindname=uid=973524897,c=us,ou=bluepages,o=ibm.com?!bindpass=MYPASS"
Avoid trouble: Be aware of the following:
- Note the ?!bindpass=MYPASS extension that is used in the examples.
Replace MYPASS with the password that is used to authenticate the
LDAP request.
- Certain characters must be escaped using the % method that is
described in RFC 1738. You must escape any of the following characters:
  - URL-illegal characters, like spaces.
  - URL special characters, as defined in section 2.2 of RFC 1738.
  - The reserved character '?', which is the ASCII 63 character,
    when it appears inside a dn, filter, or other element of an LDAP URL.
  - A comma character ',' if it occurs inside an extension value.
- Optional: Set the advisorresponse field
on the server object. If you set this field, you must set the value
to a substring that is expected to be present in the response from
the LDAP server.
- Start the LDAP URI advisor. To start the
LDAP URI advisor, use the dscontrol
advisor command:
dscontrol advisor start ldapuri cluster@port
Avoid trouble: Verify that you are using the LDAP URI advisor,
and not the LDAP advisor. The LDAP advisor only supports anonymous
bind requests to LDAP servers.
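
The advisorrequest string from the first step can be assembled from the same values that are passed to ldapsearch, with the % escaping applied per element. The following Python sketch is an added example, not part of the product or its documentation; the function name and the choice of which characters stay literal are assumptions: DNs keep '=' and ',' and the filter keeps '()=@', exactly as in the example string above, and every other character outside the URL unreserved set is %-escaped.

```python
from urllib.parse import quote


def build_advisorrequest(host, port, base_dn, ldap_filter,
                         bind_dn, password, scope="sub"):
    """Build the modified LDAP URL string for the advisorrequest field.

    Hypothetical helper: the layout follows the example string on this page.
    """
    # DNs: keep '=' and ',' literal, as the page's example does.
    base = quote(base_dn, safe="=,")
    bind = quote(bind_dn, safe="=,")
    # Filter: keep only the characters the page's example shows literally.
    flt = quote(ldap_filter, safe="()=@")
    # Password: escape everything outside the unreserved set, so that a
    # '?', ',', '%' or space is never read as URL or extension syntax.
    pw = quote(password, safe="")
    return (f"ldap://{host}:{port}/{base}??{scope}?{flt}"
            f"?bindname={bind}?!bindpass={pw}")


# Values taken from the ldapsearch example on this page.
PAGE_ARGS = dict(
    host="bluepages.ibm.com",
    port=389,
    base_dn="ou=bluepages,o=ibm.com",
    ldap_filter="(mail=user@us.ibm.com)",
    bind_dn="uid=973524897,c=us,ou=bluepages,o=ibm.com",
)

if __name__ == "__main__":
    # Reproduces the advisorrequest string shown in the procedure.
    print(build_advisorrequest(password="MYPASS", **PAGE_ARGS))
    # Constructed password containing '?', ',', a space and '%'.
    print(build_advisorrequest(password="p?ss, 100%", **PAGE_ARGS))
```
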