Integrating with LDAP server clusters
Cloud Pak System Software can integrate with clusters of Lightweight Directory Access Protocol (LDAP) servers. This topic describes the specific usage scenarios that are supported.
Cloud Pak System Software uses an LDAP provider URL attribute to specify the end point of an LDAP server cluster. Using this end point, multiple LDAP servers in an LDAP server cluster are visible to Cloud Pak System Software at one logical access point, which is either one host name or one IP address. When using the LDAPS (SSL) protocol, Cloud Pak System Software imports a single X.509 certificate from an LDAP server cluster.
Cloud Pak System Software can integrate with the following four LDAP server cluster and X.509 certificate configurations:
- In a highly available LDAP server cluster environment, a primary LDAP server and a secondary backup LDAP server share a common, floating host name and IP address and a single X.509 certificate.
- LDAP load balancers terminate LDAP SSL connections so that Cloud Pak System Software has access to a single load balancer host name, IP address, and X.509 certificate.
- LDAP load balancers pass LDAP SSL connections to multiple LDAP servers, where LDAP servers either have their own X.509 certificates or share a common X.509 certificate.
- A DNS server resolves a common LDAP host name to one of multiple LDAP server host names and IP addresses, and the LDAP servers either have their own X.509 certificates or share a common X.509 certificate.
In the last two scenarios, LDAP servers have their own X.509 certificates and are supported under the following two conditions:
- The LDAP server X.509 certificates have a common issuer.
- The LDAP servers are configured to have an X.509 certificate chain that includes a common issuer X.509 certificate.
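Because only one X.509 certificate is imported for the whole cluster, a practical pre-check for the last two scenarios is to resolve the provider URL's host name to every member address, connect to each one while presenting the shared host name for SNI, and confirm that each member's chain validates against that single issuer certificate and that all members name the same issuer. The following is an added example written for this page (not Cloud Pak System Software code); it assumes `ssl.getpeercert()`-style certificate dictionaries, and the sample data at the bottom is constructed.

```python
import socket
import ssl
from urllib.parse import urlparse

def resolve_endpoint(ldap_url):
    """Resolve an ldaps:// provider URL to (host, port, [ip, ...]).
    A DNS round-robin name (the fourth scenario) yields several addresses."""
    u = urlparse(ldap_url)
    if u.scheme != "ldaps":
        raise ValueError("only ldaps:// end points present a certificate")
    port = u.port or 636
    infos = socket.getaddrinfo(u.hostname, port, type=socket.SOCK_STREAM)
    return u.hostname, port, sorted({info[4][0] for info in infos})

def fetch_cert(host, port, ip, ca_file):
    """Connect to one cluster member by IP, send the shared host name for SNI
    and host-name checking, and validate its chain against the single issuer
    certificate in ca_file. Returns getpeercert() or the SSL error text."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((ip, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLError as exc:
        return str(exc)

def issuer_of(cert):
    """Flatten a getpeercert() issuer tuple into one DN string."""
    return ",".join(f"{k}={v}" for rdn in cert["issuer"] for k, v in rdn)

def check_common_issuer(results):
    """results maps ip -> cert dict (validated) or error text.
    Passes only when every member validated and all name one issuer DN."""
    issuers, report = {}, []
    for ip, res in sorted(results.items()):
        if not isinstance(res, dict):
            report.append(f"{ip}: chain did not validate: {res}")
            continue
        dn = issuer_of(res)
        issuers.setdefault(dn, []).append(ip)
        report.append(f"{ip}: issuer {dn}")
    ok = len(issuers) == 1 and all(isinstance(r, dict) for r in results.values())
    return ok, report

# Constructed sample data in getpeercert() shape (not captured from real servers).
CA = ((("organizationName", "Example Corp"),), (("commonName", "Example Issuing CA"),))
OTHER = ((("organizationName", "Other Org"),), (("commonName", "Other CA"),))
SAMPLE_OK = {"10.0.0.1": {"subject": ((("commonName", "ldap1.example.test"),),), "issuer": CA},
             "10.0.0.2": {"subject": ((("commonName", "ldap2.example.test"),),), "issuer": CA}}
SAMPLE_MIXED = {"10.0.0.1": SAMPLE_OK["10.0.0.1"],
                "10.0.0.2": {"subject": ((("commonName", "ldap2.example.test"),),), "issuer": OTHER}}
```

In a live run, collect `results` as `{ip: fetch_cert(host, port, ip, "issuer.pem") for ip in ips}` from `resolve_endpoint()`; a member that fails validation or names a different issuer is the one that will break logins once the cluster rotates to it.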