PingDirectory

Testing external server communications after initial setup

After setting up the basic deployment scenario, the communication between the proxies and the LDAP external servers can be tested using a feature in the proxy server in combination with an LDAP search.

About this task

After initial setup, the PingDirectoryProxy server exposes a special search base distinguished name (DN) for testing external server connectivity, called the backend server pass-through subtree view. While disabled by default, you can enable this feature using dsconfig in the Client Connection Policy menu.

Steps

  1. Run dsconfig to set the include-backend-server-passthrough-subtree-views property to TRUE.

    Example:

    root@proxy-east-01: dsconfig set-client-connection-policy-prop \
    --policy-name default \
    --set include-backend-server-passthrough-subtree-views:true

    Result:

    When set to TRUE, an LDAP search against the PingDirectoryProxy server with the base DN dc=example,dc=com,ds-backend-server=ds-east-02.example.com:389 instructs the PingDirectoryProxy server to perform the search against the ds-east-02.example.com:389 external server with the base DN set to dc=example,dc=com. The value of ds-backend-server should be the name of the configuration object representing the external server. Depending on your naming scheme, this name might not be a host:port combination.

  2. Run ldapsearch to fetch the dc=example,dc=com entry from the ds-east-01.example.com server.

    Perform this search on each external server to determine if external server communication has been configured correctly on the Directory Proxy Server.

    Example:

    root@proxy-east-01: bin/ldapsearch \
    --bindDN "cn=Directory Manager" \
    --bindPassword password \
    --baseDN "dc=example,dc=com,ds-backend-server=ds-east-01.example.com:389" \
    --searchScope base --useStartTLS "(objectclass=*)"

  3. Use this special subtree view to track the operations performed on each external server to help determine load balancing requirements.

    This LDAP search can be run with the base DN values for the ds-east-01 and ds-east-02 servers to track the distribution of search and bind requests over time. These statistics are reset to zero when the server restarts.

    Example:

    The following example searches an external server’s monitor entry to display operation statistics.

    root@proxy-east-01: bin/ldapsearch \
    --bindDN "cn=directory manager" \
    --bindPassword password \
    --baseDN "cn=monitor,ds-backend-server=ds-east-02.example.com:389" \
    --searchScope sub --useStartTLS "(cn=ldap*statistics)"
    
    dn: cn=LDAP Connection Handler 192.168.1.203 port 389 Statistics,cn=monitor,ds-backend-server=ds-east-02.example.com:389
    objectClass: top
    objectClass: ds-monitor-entry
    objectClass: ds-ldap-statistics-monitor-entry
    objectClass: extensibleObject
    cn: LDAP Connection Handler 192.168.1.203 port 389 Statistics
    connectionsEstablished: 3004
    connectionsClosed: 2990
    bytesRead: 658483
    bytesWritten: 2061549
    ldapMessagesRead: 17278
    ldapMessagesWritten: 22611
    operationsAbandoned: 0
    operationsInitiated: 17278
    operationsCompleted: 14241
    abandonRequests: 22
    addRequests: 1
    addResponses: 1
    bindRequests: 3006
    bindResponses: 3006
    compareRequests: 0
    compareResponses: 0
    deleteRequests: 0
    deleteResponses: 0
    extendedRequests: 2987
    extendedResponses: 2987
    modifyRequests: 1
    modifyResponses: 1
    modifyDNRequests: 0
    modifyDNResponses: 0
    searchRequests: 8271
    searchResultEntries: 8370
    searchResultReferences: 0
    searchResultsDone: 8246
    unbindRequests: 2990
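
The tracking described in step 3, as an added example that is not part of the original documentation: a shell function that unfolds the LDIF returned by the monitor searches for several external servers and reports each server's share of one counter. The sample LDIF, the 192.168.1.202 address, the ds-east-01 counter values and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: per-backend share of one counter from monitor entries
# fetched through the pass-through subtree view.

# Constructed sample: ldapsearch output for two backends, concatenated.
# The dn lines are folded as in LDIF (a continuation starts with one space).
sample_ldif() {
  cat <<'EOF'
dn: cn=LDAP Connection Handler 192.168.1.202 port 389 Statistics,cn=monitor,ds-b
 ackend-server=ds-east-01.example.com:389
objectClass: ds-ldap-statistics-monitor-entry
bindRequests: 3006
searchRequests: 2757
searchResultEntries: 2800

dn: cn=LDAP Connection Handler 192.168.1.203 port 389 Statistics,cn=monitor,ds-b
 ackend-server=ds-east-02.example.com:389
objectClass: ds-ldap-statistics-monitor-entry
bindRequests: 3006
searchRequests: 8271
searchResultEntries: 8370
EOF
}

# backend_share ATTR: read LDIF on stdin, print "<backend> <count> <percent>".
# Entries from several connection handlers of one backend are summed.
backend_share() {
  LC_ALL=C awk -v attr="$1" '
    function consume(   v) {
      if (line ~ /^dn: /) {            # new entry: take backend name from DN
        backend = line
        if (!sub(/.*ds-backend-server=/, "", backend)) backend = ""
      } else if (backend != "" && index(line, attr ": ") == 1) {
        v = substr(line, length(attr) + 3)
        count[backend] += v; total += v
      }
      line = ""
    }
    /^ / { line = line substr($0, 2); next }   # unfold continuation line
    { consume(); line = $0 }
    END {
      consume()
      for (b in count)
        printf "%s %d %.1f\n", b, count[b], (total ? 100 * count[b] / total : 0)
    }
  ' | sort
}

sample_ldif | backend_share searchRequests
```

To use it on live data, concatenate the output of the step 3 search for each external server and pipe it into backend_share. Because the statistics reset to zero when the server restarts, compare two snapshots taken over the same interval rather than raw totals.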