PingDirectory

Creating an LDAP external server template

An LDAP external server template is a configuration object that can be used to provide a load-balancing algorithm with many of the settings that it should use when communicating with a backend server that has been discovered from the topology registry.

An LDAP external server template configuration object has most of the same properties as an LDAP external server configuration object but omits those related to information that it obtains from the topology registry. The omitted properties include:

  • server-host-name

  • server-port

  • location

  • connection-security

Additionally, the health-check-state property is not available for LDAP external server templates because it primarily applies to individual servers rather than all of the servers associated with a load-balancing algorithm.

Because the only LDAP servers that can be in the topology registry are PingDirectory servers, most of the remaining properties in LDAP external server templates have the same default values as the corresponding properties in the PingDirectory server external server type. However, there are exceptions, including the following:

  • The authentication-method property has a default value of inter-server in LDAP external server templates, while it has a default value of simple in PingDirectory server external servers. The inter-server authentication method indicates that the PingDirectoryProxy server should authenticate to the PingDirectory server with a proprietary authentication method that uses inter-server certificates stored in the topology registry.

    This option is only supported if all of the PingDirectory server instances are 8.0.0.0 or later. If any backend instance is older, set authentication-method explicitly in the template rather than relying on the default.

  • The key-manager-provider property has a default value of Null in LDAP external server templates, while it has no default value in PingDirectory server external servers. When using the inter-server authentication method, the topology registry is used to obtain the inter-server certificates, so no additional key manager provider is required.

  • The trust-manager-provider property has a default value of JVM-Default in LDAP external server templates, while it has no default value in PingDirectory server external servers. When using the inter-server authentication method, the topology registry is used to obtain information about the listener certificates that the servers are expected to present.

The PingDirectoryProxy server's default settings for an LDAP external server template are acceptable for most properties. However, you might want to add custom health checks that are invoked against servers created from the template. The PingDirectoryProxy server automatically checks whether a backend server reports any degraded or unavailable alert types, and also verifies that the backend server's root DSA-specific entry (DSE) can be retrieved in a timely manner, but you might want to add health checks such as the following:

  • A search health check that verifies that the base entry from the associated subtree view can be retrieved in a timely manner.

  • A replication backlog health check that verifies that replication is working and that none of the servers is too far out of sync.

The following example demonstrates the process for creating these health checks and then creating an LDAP external server template that uses them.

# Create a health check to verify that the dc=example,dc=com entry can be
# retrieved in a timely manner.
dsconfig create-ldap-health-check \
     --check-name dc_example_dc_com-retrieve-base-entry \
     --type search \
     --set enabled:true \
     --set base-dn:dc=example,dc=com \
     --set allow-no-entries-returned:false \
     --set allow-multiple-entries-returned:false

# Create a health check to verify that replication is working without a
# significant backlog.
dsconfig create-ldap-health-check \
     --check-name dc_example_dc_com-replication-backlog \
     --type replication-backlog \
     --set enabled:true \
     --set base-dn:dc=example,dc=com

# Create an LDAP external server template that uses the two health checks
# created above.
dsconfig create-ldap-external-server-template \
     --template-name dc_example_dc_com \
     --set health-check:dc_example_dc_com-retrieve-base-entry \
     --set health-check:dc_example_dc_com-replication-backlog
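The three commands above follow one naming convention (the base DN with "=" and "," replaced by "_") and are typically needed once per subtree view. The following added example, which is not part of the PingDirectory documentation, generalizes that procedure: it derives the object names from any base DN and emits the same three commands as a dsconfig batch file, so the configuration can be reviewed and applied non-interactively. The function names dn_to_name and template_batch are this example's own; it assumes the dsconfig --batch-file format (one subcommand per line, "#" comments ignored, arguments tokenized as on the command line) and only generates text, so it runs without a PingDirectoryProxy server present.

```shell
#!/bin/sh
# Added example, not PingDirectory's own tooling: generate the health checks
# and LDAP external server template for a subtree as a dsconfig batch file.

# Derive the object name used on this page from a base DN:
#   "dc=example,dc=com" -> "dc_example_dc_com"
# Spaces are dropped and "=" and "," become "_" so the result is safe to use
# as a dsconfig object name without quoting.
dn_to_name() {
    printf '%s' "$1" | tr -d ' ' | tr '=,' '__'
}

# Emit the dsconfig batch-file lines for one subtree.  Each line is a
# dsconfig subcommand without the leading "dsconfig"; lines starting with
# "#" are comments.  (Assumption: --batch-file tokenizes arguments like a
# command line, so the base DN is quoted in case it contains spaces.)
template_batch() {
    base_dn=$1
    name=$(dn_to_name "$base_dn")
    cat <<EOF
# Health checks and external server template for $base_dn

# Verify that the base entry can be retrieved in a timely manner.
create-ldap-health-check --check-name ${name}-retrieve-base-entry --type search --set enabled:true --set "base-dn:$base_dn" --set allow-no-entries-returned:false --set allow-multiple-entries-returned:false

# Verify that replication is working without a significant backlog.
create-ldap-health-check --check-name ${name}-replication-backlog --type replication-backlog --set enabled:true --set "base-dn:$base_dn"

# Create the template that uses both health checks.
create-ldap-external-server-template --template-name $name --set health-check:${name}-retrieve-base-entry --set health-check:${name}-replication-backlog
EOF
}

# Usage: print the batch for the page's example subtree.  To apply it, save
# the output to a file and run dsconfig against the PingDirectoryProxy server
# with the usual connection and bind arguments, for example:
#   dsconfig --no-prompt --batch-file dc_example_dc_com.dsconfig
template_batch "dc=example,dc=com"
```

Keeping the generated file under version control lets the health-check and template definitions be reviewed before they are applied, and the same batch can be regenerated for additional subtree views by calling template_batch with another base DN.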