Integrating with LDAP server clusters

Cloud Pak System Software can integrate with clusters of Lightweight Directory Access Protocol (LDAP) servers. This topic describes the specific usage scenarios that are supported.

Cloud Pak System Software uses an LDAP provider URL attribute to specify the endpoint of an LDAP server cluster. Through this endpoint, the multiple LDAP servers in the cluster are visible to Cloud Pak System Software at one logical access point, which is either one host name or one IP address. When using the LDAPS (SSL) protocol, Cloud Pak System Software imports a single X.509 certificate for the LDAP server cluster.
Cloud Pak System Software can integrate with the following four LDAP server cluster and X.509 certificate configurations:
  • In a highly available LDAP server cluster environment, a primary LDAP server and a secondary backup LDAP server share a common, floating host name and IP address and a single X.509 certificate.
  • LDAP load balancers terminate LDAP SSL connections so that Cloud Pak System Software has access to a single load balancer host name, IP address, and X.509 certificate.
  • LDAP load balancers pass LDAP SSL connections to multiple LDAP servers, where LDAP servers either have their own X.509 certificates or share a common X.509 certificate.
  • A DNS server resolves a common LDAP host name to one of multiple LDAP server host names and IP addresses, where the LDAP servers either have their own X.509 certificates or share a common X.509 certificate.
In the last two scenarios, LDAP servers that have their own X.509 certificates are supported under the following two conditions:
  • The LDAP server X.509 certificates have a common issuer.
  • The LDAP servers are configured with an X.509 certificate chain that includes the common issuer X.509 certificate.
When importing an LDAP server cluster X.509 certificate with a chain of certificates, you import the common issuer certificate, which in turn configures Cloud Pak System Software to trust all LDAP servers in the cluster.
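To make the two conditions concrete, the following added example (not Cloud Pak System Software's own code) classifies a cluster from the certificate metadata each server presents, in the shape Python's ssl.SSLSocket.getpeercert() returns, and names the certificate to import. It also checks that each server certificate covers the common host name, which any host-name-verifying TLS client requires; whether Cloud Pak System Software enforces that is not stated here. The server names, issuer names and chains are constructed sample data.

```python
# Added example (not Cloud Pak System Software code): classify an LDAP server
# cluster against the two conditions above. Input is certificate metadata in the
# shape returned by ssl.SSLSocket.getpeercert(); the sample chains are constructed.

def _name(rdns):
    """Flatten a getpeercert()-style name (tuple of RDN tuples) into a dict."""
    return {k: v for rdn in rdns for k, v in rdn}

def _covers_host(cert, host):
    """True if a DNS subjectAltName matches host (leftmost-label wildcard allowed)."""
    host = host.lower()
    for kind, value in cert.get("subjectAltName", ()):
        value = value.lower()
        if kind == "DNS" and (value == host or
                (value.startswith("*.") and host.split(".", 1)[1:] == [value[2:]])):
            return True
    return False

def check_cluster(common_host, chains):
    """chains maps a server label to the chain it presents, leaf certificate first.
    Returns (supported, details); details names the certificate to import."""
    leaves = {label: chain[0] for label, chain in chains.items()}
    subjects = {frozenset(_name(c["subject"]).items()) for c in leaves.values()}
    issuers = {frozenset(_name(c["issuer"]).items()) for c in leaves.values()}
    problems = [f"{label}: certificate does not cover {common_host}"
                for label, leaf in leaves.items() if not _covers_host(leaf, common_host)]
    if len(subjects) == 1:                   # one certificate shared by every server
        mode, to_import = "shared certificate", dict(next(iter(subjects)))
    elif len(issuers) == 1:                  # own certificates with a common issuer
        mode, to_import = "common issuer", dict(next(iter(issuers)))
        for label, chain in chains.items():  # each chain must carry the issuer certificate
            if not any(_name(c["subject"]) == _name(chain[0]["issuer"]) for c in chain[1:]):
                problems.append(f"{label}: chain does not include the common issuer certificate")
    else:
        mode, to_import = "unsupported", None
        problems.append("servers present certificates from different issuers")
    return not problems, {"mode": mode, "import": to_import, "problems": problems}

def _cert(subject_cn, issuer_cn, *dns_names):
    """Constructed getpeercert()-style certificate dict for the sample data."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "subjectAltName": tuple(("DNS", n) for n in dns_names)}

ISSUER = _cert("Example Issuing CA", "Example Root CA")
SAMPLE_CHAINS = {  # two servers behind ldap.example.com, each with its own certificate
    "ldap1": [_cert("ldap1.example.com", "Example Issuing CA", "ldap.example.com"), ISSUER],
    "ldap2": [_cert("ldap2.example.com", "Example Issuing CA", "ldap.example.com"), ISSUER],
}
```

Dropping the ISSUER entry from each chain, or pointing a server at a different issuer, turns the result unsupported with a per-server reason in the problems list.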