Authentication fails using Lightweight Third Party Authentication (LTPA) with a Lightweight Directory Access Protocol (LDAP) server cluster
 Technote (FAQ)
 
Problem
Fix PQ54156 and implementation instructions are available for WebSphere Application Server V4.0.1. This code fix is included in V4.0.2. However, you need the following instructions to use this fix. PQ51744 provided this function for V3.5 releases.
 
Cause
While performing Lightweight Directory Access Protocol (LDAP) search operations, WebSphere Application Server reuses the same initial context and the same network connection, which works fine for a single LDAP server. To perform a search in an LDAP cluster, WebSphere Application Server cannot reuse the same connection and has to make new connections because a search can be routed to different servers.
 
Solution
For V4.0.2, you do not need to apply an efix. However, you do need to use the following instructions to use these features:

Description/problem: If you use Lightweight Third Party Authentication (LTPA), your LDAP server is a cluster (several backend servers grouped behind a router and network dispatcher), and you experience authentication failures or very slow authentication, consider using this solution.

Included are two features with which users can change Java Naming and Directory Interface (JNDI) default settings. (You can use either one of the following two configurations, or combine both.)
  1. Allow users to set up a small LDAP search time limit, which is the maximum time to wait for results from the LDAP server.

    To set the time limit of a search, specify the number of milliseconds as the property value. For example, to set a 30-second time limit, add the following property to the admin.config file:
    jndi.LDAP.SearchControl.TimeLimit = 30000

    The Sun JNDI default timeout is set to infinity, and the IBM default timeout to 5 minutes.

    (If your main purpose is failover and your router has affinity, all requests are routed to the same primary server unless the primary server is down. So, if all requests in a session are sent to the same single server, this configuration works.)

    Attention: If the time limit is too small, a search can be cut off before it completes, and the authentication that depends on it fails.
  2. A URL context implementation is a context that can handle arbitrary URL strings of the URL scheme supported by the context.

    To support URL context implementation, add the following property to the admin.config file:
    jndi.LDAP.URLContextImplementation = true
    If your router spreads requests to different LDAP servers (lack of affinity), you need to turn on this flag.

    Attention: By forcing URL context implementation, each search operation opens a new connection and closes the connection after the search is finished.
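As an added illustration, not code from this technote or from WebSphere itself, the following shows the two JNDI behaviours the properties above control, written against the Sun LDAP provider: a per-search time limit set through SearchControls, and a context reused across searches beside a context opened and closed for each search. The server URL, base DN, bind DN and the LDAP_BIND_PW environment variable are assumed values.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

/** Illustration only: URL, base DN and bind DN are assumed values, not WebSphere's own. */
public class LdapClusterSearch {
    static final String URL = "ldap://ldap-cluster.example.com:389"; // assumed dispatcher address
    static final String BASE = "o=example";                          // assumed base DN
    static Hashtable<String, String> env() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=wasbind,o=example");         // assumed bind DN
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PW")); // must be set; not hard-coded
        return env;
    }
    static String escape(String v) { // RFC 4515: neutralise filter metacharacters in the uid
        StringBuilder b = new StringBuilder();
        for (char c : v.toCharArray())
            b.append("*()\\\0".indexOf(c) >= 0 ? String.format("\\%02x", (int) c) : String.valueOf(c));
        return b.toString();
    }
    /** One search on a given context. timeLimitMs maps to jndi.LDAP.SearchControl.TimeLimit
     *  (0 = Sun default, wait forever); too small a limit cuts the search off with TimeLimitExceededException. */
    static boolean exists(DirContext ctx, String uid, int timeLimitMs) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setTimeLimit(timeLimitMs);
        NamingEnumeration<SearchResult> r = ctx.search(BASE, "(uid=" + escape(uid) + ")", sc);
        try { return r.hasMore(); } finally { r.close(); }
    }
    /** Default style: one context (one connection) reused for every search. Fine for one server
     *  or an affinity router; not for a dispatcher routing a session's requests to different backends. */
    static int countReusingOneConnection(String[] uids, int timeLimitMs) throws NamingException {
        DirContext ctx = new InitialDirContext(env());
        try {
            int found = 0;
            for (String uid : uids) if (exists(ctx, uid, timeLimitMs)) found++;
            return found;
        } finally { ctx.close(); }
    }
    /** What jndi.LDAP.URLContextImplementation = true amounts to: a new context, hence a
     *  new connection, per search, closed as soon as the search finishes. */
    static boolean existsOnFreshConnection(String uid, int timeLimitMs) throws NamingException {
        DirContext ctx = new InitialDirContext(env());
        try { return exists(ctx, uid, timeLimitMs); } finally { ctx.close(); }
    }
}
```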
 
 
Historical Number
PQ54156
PQ51744
Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): HP-UX
Software version: 4.0.1
Software edition:
Reference #: 1051191
IBM Group: Software Group
Modified date: Jan 8, 2004