Let me share this info in case you need to add standalone LDAP failover servers for Security Domains, especially in the case of WebSphere Application Server v7.
Using Jython to add failover servers to the standalone LDAP registry in WebSphere Application Server v7, v8, and v8.5
IBM WebSphere Application Server Network Deployment allows administrators to configure LDAP servers in the User Registry configuration.
To prevent an outage caused by a failing LDAP server, additional LDAP servers can be specified for failover.
The AdminConsole in IBM WebSphere Application Server v7 provides a dialog to configure failover servers for LDAP repositories within the federated repository; however, there is no such dialog for the standalone LDAP repository.
The AdminConsole of v8 and v8.5 allows configuring failover servers for standalone LDAP repositories as well.
Note that the remainder of this article focuses solely on adding failover LDAP servers to the standalone LDAP repository.
Configuring the fail-over servers using the AdminConsole of v8 and v8.5
The following screenshot shows the relevant part of the AdminConsole to configure the failover servers for a user registry of a security domain.
Current solutions and limitations in v7
The KnowledgeCenter for WebSphere Application Server Network Deployment 7.0.0 provides instructions for configuring failover servers via scripting; however, they only work for Global Security:
Security failover among multiple LDAP servers
Configuring multiple LDAP servers for user registry failover
Using wsadmin commands to configure stand-alone fail-over LDAP servers for Security Domains
This article introduces a sample Jython script – to be used with wsadmin – that allows configuring the failover servers for Security Domains as well as for Global Security.
It can be used for both a cell topology and a standalone Application Server, and with the release versions v7, v8, and v8.5.
It should cover almost all cases, since its arguments address the different use cases:
Specify the action, namely:
„ADD“ appends the specified LDAP server to the list of failover servers,
„SET“ clears the list of failover servers and sets the specified LDAP server as the first (primary) server,
„SHOW“ prints the list of failover servers.
If „ADD“ or „SET“ is used:
Specify the LDAP host name and port number.
Optionally specify the Security Domain; otherwise Global Security is used.
Be aware that the ADD and SET commands also accept invalid host names and/or ports: unlike the AdminConsole in similar cases, the script does not verify them!
The script does not check whether the LDAP repository is selected as the user registry. If another realm type is used (e.g. local operating system), the configuration is changed but does not take effect until the LDAP repository is selected.
For „ADD“ and „SET“ the script prints the path (in a descriptive form) of the configuration file that contains the new list of failover servers.
# A script to add failover ldap servers to a User Registry with a stand-alone LDAP server in WAS v7, v8, and v8.5
# Note: In WAS 7 there is no way to do this in the AdminConsole.
# In WAS 8 or later you can also use the AdminConsole and also AdminTask.configureAppLDAPUserRegistry.
# Use a comma separated list for AdminTask.configureAppLDAPUserRegistry to configure the list of ldap servers
# @author: Sascha Matthes, IBM
# 2015/12/10 Verified for WAS 8 and 8.5 also
# 2015/12/09 - removed action CLEAR (leads to empty host/port)
#            - introduced action SHOW
# 2015/10/01 - supports also Global Security now
#              (not just Security Domains)
#            - introduced action CLEAR
#            - added some error handling
# 2015/06/22 initial version
import sys

def wsadminToList(inStr):
    # Converts the string returned by AdminConfig.list() or AdminConfig.showAttribute() into a Python list
    outList = []
    if (len(inStr) > 0 and inStr[0] == '[' and inStr[-1] == ']'):
        tmpList = inStr[1:-1].split()   # splits space-separated lists, e.g. "[a b c]"
    else:
        tmpList = inStr.split("\n")     # splits newline-separated output for Windows or Linux
    for item in tmpList:
        item = item.rstrip()            # removes any Windows "\r"
        if (len(item) > 0):
            outList.append(item)
    return outList

def usage():
    print "Script ADD ldap failover server, or SET primary ldap server (which clears failover servers)"
    print "NOTE: This applies only for stand-alone LDAP server configurations (not for federated repositories)!"
    print "Usage: wsadmin.sh -f ldapFailover_SecDom.py [SET|ADD] <ldap_host> <ldap_port> [<security_domain>]"
    print "       wsadmin.sh -f ldapFailover_SecDom.py SHOW [<security_domain>]"
    print "If <security_domain> is not specified, the Global Security ldap server configuration is updated."
    print "Example: ./wsadmin.sh -f ldapFailover_SecDom.py ADD munvm42.munich.de.ibm.com 389 myownsecdomain"

# With "wsadmin.sh -f script.py args", sys.argv holds only the script arguments (no script name)
if len(sys.argv) < 1:
    usage()
    sys.exit(1)
action = sys.argv[0]
secDom = None
if (action == "ADD" or action == "SET"):
    if len(sys.argv) < 3 or len(sys.argv) > 4:
        usage()
        sys.exit(1)
    ldapServer = sys.argv[1]
    ldapPort = sys.argv[2]
    if len(sys.argv) > 3:
        secDom = sys.argv[3]
    # A new EndPoint to be appended to the "hosts" list of the LDAPUserRegistry object
    Attrs2 = [["hosts", [[["host", ldapServer], ["port", ldapPort]]]]]
elif (action == "SHOW"):
    if len(sys.argv) > 2:
        usage()
        sys.exit(1)
    if len(sys.argv) > 1:
        secDom = sys.argv[1]
else:
    usage()
    sys.exit(1)

# Locate the LDAPUserRegistry object of Global Security or of the requested Security Domain
mylist = wsadminToList(AdminConfig.list("LDAPUserRegistry"))
found = None
for elem in mylist:
    if(secDom is None):
        # Global Security to be updated; its config id looks like (cells/<cell>|security.xml#LDAPUserRegistry_1)
        searchString = "|security.xml#"
    else:
        # Security Domain: (cells/<cell>/waspolicies/default/securitydomains/<domain>|domain-security.xml#...)
        searchString = "securitydomains/" + secDom + "|"
    if(elem.find(searchString) > -1):
        found = elem
        if(action == "SHOW"):
            failover_hosts_RAW = AdminConfig.showAttribute(elem, 'hosts')
            failover_hosts = wsadminToList(failover_hosts_RAW)   # "[]" yields an empty list
            index = 0
            for fh in failover_hosts:
                #print "all attrs:", AdminConfig.showall(fh)
                if(index == 0):
                    print "primary server: %s:%s" % (AdminConfig.showAttribute(fh, "host"), AdminConfig.showAttribute(fh, "port"))
                else:
                    print "failover server: %s:%s" % (AdminConfig.showAttribute(fh, "host"), AdminConfig.showAttribute(fh, "port"))
                index = index + 1
        break

if(found is None):
    print "Error: Specified SecurityDomain cannot be found!"
    sys.exit(1)

if(action == "SET"):
    # SET clears the current list first: remove every existing EndPoint from "hosts"
    for fh in wsadminToList(AdminConfig.showAttribute(found, 'hosts')):
        AdminConfig.remove(fh)
if(action == "ADD" or action == "SET"):
    AdminConfig.modify(found, Attrs2)
    AdminConfig.save()
    print "You may want to view the following configuration file to verify the changes:"
    if(secDom is None):
        print "  <Dmgr-Profile>/config/cells/<DmgrCell>/security.xml"
    else:
        print "  <Dmgr-Profile>/config/waspolicies/default/securitydomains/<SecurityDomain>/domain-security.xml"
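As an added example (not part of the script above or of IBM's code), the registry lookup and the argument checks the script skips are written here as plain Python 3 functions that run offline against a constructed sample of the AdminConfig.list("LDAPUserRegistry") output; validate_endpoint is an assumed helper that supplies the host and port verification the script does not perform.

```python
# Added example, not part of the original script: registry lookup and argument
# checks as plain Python 3 functions, testable without a WebSphere cell.
import re

# Constructed sample of what AdminConfig.list("LDAPUserRegistry") returns:
# one config ID per line, "(<directory path>|<file>#<object>)".
SAMPLE_LISTING = """\
(cells/myCell|security.xml#LDAPUserRegistry_1)
(cells/myCell/waspolicies/default/securitydomains/sec|domain-security.xml#LDAPUserRegistry_2)
(cells/myCell/waspolicies/default/securitydomains/secdom|domain-security.xml#LDAPUserRegistry_3)
"""

def wsadmin_to_list(in_str):
    """Same splitting rule as the script's wsadminToList helper."""
    if in_str and in_str[0] == "[" and in_str[-1] == "]":
        items = in_str[1:-1].split()      # "[a b c]" style list
    else:
        items = in_str.split("\n")        # newline-separated listing
    return [i.rstrip() for i in items if i.rstrip()]

def find_ldap_registry(listing, sec_dom=None):
    """Config ID of the stand-alone LDAP registry of a security domain, or of
    Global Security when sec_dom is None; None if there is no match."""
    if sec_dom is None:
        needle = "|security.xml#"
    else:
        # The trailing '|' keeps domain "sec" from matching "secdom".
        needle = "securitydomains/" + sec_dom + "|"
    for elem in wsadmin_to_list(listing):
        if needle in elem:
            return elem
    return None

# RFC 1123 style host name: labels of 1-63 alphanumerics/hyphens, 253 chars max
HOST_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                     r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def validate_endpoint(host, port):
    """Assumed helper: the host/port checks the wsadmin script does not do.
    Returns (host, int port) or raises ValueError before anything is modified."""
    if not HOST_RE.match(host):
        raise ValueError("invalid LDAP host name: %r" % host)
    try:
        port_num = int(port)
    except ValueError:
        raise ValueError("LDAP port is not a number: %r" % port)
    if not 1 <= port_num <= 65535:
        raise ValueError("LDAP port out of range: %d" % port_num)
    return host, port_num
```

Running validate_endpoint on the ADD/SET arguments before calling AdminConfig.modify would close the gap noted above, where the script accepts unverified host names and ports.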
The following example shows how the script can be executed:
wasadm@munvm41:/WAS70/profiles/Dmgr01/bin> ./wsadmin.sh -f /share/matthes/cvsrepos/AVPHelper/ldapFailover_SecDom.py ADD munvm48.munich.de.ibm.com 389 myownsecdomain
I hope you find this script useful. And if it does not help you, take two of these and call me in the morning.