The Proxy server

Edit online

The Proxy server is a special type of IBM® Security Directory Server that provides request routing, load balancing, fail over, distributed authentication and support for distributed/membership groups and partitioning of containers. Most of these functions are provided in a new backend, the proxy backend. IBM Security Directory Proxy Server does not have an RDBM backend and cannot take part in replication.

A directory proxy server sits at the front-end of a distributed directory and provides efficient routing of user requests thereby improving performance in certain situations, and providing a unified directory view to the client. It can also be used at the front-end of a server cluster for providing fail over and load balancing.

The proxy server routes read and write requests differently based on the configuration. Write requests for a single partition are directed to the single primary write server. Peer servers are not used to avoid conflicts. Read requests are routed in a round robin manner to balance the load. However, if high consistency is enabled read requests are routed to the primary write server.

The proxy server also provides support for ACL's to be defined based on groups defined on a different partition, and support for partitioning of flat namespaces. The proxy server can also be used as an LDAP-aware load balancer.

The proxy server is configured with connection information to connect to each of the backend servers for which it is proxying. The connection information comprises of host address, port number, bind DN, credentials and a connection pool size. Each of the back-end servers is configured with the DN and credentials that the proxy server uses to connect to it. The DN must be a member of the global admin group, local admin group with dirData authority, or the primary administrator.

Before deploying a proxy server, you must verify that all the operations required in your environment are supported. For more information, see OIDs for supported and enabled capabilities , OIDs for extended operations , and OIDs for controls
Note: If you specify an administrative control for any operation on proxy, the proxy server will propagate the administrative control to the backend server.
The proxy server routes new requests targeting a backend server only through a free backend connection. If there are no free backend connections available, Proxy will temporarily suspend reading requests from clients. Proxy will resume reading from clients only when the backend connection becomes free. Also, if there are pending requests from a client to a backend, any new request from the client will be routed through the same backend connection used by earlier requests.
Note: The ibm-slapdProxyMaxPendingOpsPerClient attribute included in the ibm-slapdProxyBackendServer objectclass can be used to configure the threshold limit for pending requests from a client connection in a backend connection. On reaching this threshold limit, requests from the client connection will not be read until the pending requests in the backend connection reduces to a value below the specified threshold limit. If this attribute is not specified, the maximum pending client operations will default to 5.
Finally, the proxy server is configured with its own schema. You need to ensure that the proxy server is configured with the same schema as the back-end servers for which it is proxying. The proxy server must also be configured with partition information.
Note: The server uses the same default configuration file whether it is configured as a directory server or a proxy server. However, when the server is configured as a proxy server, the configuration settings for the features that the proxy server does not support are ignored. Given below is a list of entries in the configuration file that are ignored by the proxy server:
  • cn=Event Notification, cn=Configuration
  • cn=Persistent Search, cn=Configuration
  • cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
  • cn=Replication, cn=configuration
  • cn=Bulkload, cn=Log Management, cn=Configuration
  • cn=DB2CLI, cn=Log Management, cn=Configuration
For the entry “cn=Front End, cn=configuration”, environment variables set under this entry will be supported by proxy. The environment variables supported by the proxy server include the following variables:
Table 1. Environment variables supported by proxy server
Variable Description
PROXY_CACHE_GAG_PW Specifies if password caching is enabled or disabled. The proxy server has the ability to locally cache the passwords of global administrators. If password policy is enabled, caching of the Global Admin Group Member passwords is disabled. If password policy is disabled, the caching of Global Admin Group Members is enabled. PROXY_CACHE_GAG_PW environment variable can override this default behavior. PROXY_CACHE_GAG_PW set to YES will enable password caching. PROXY_CACHE_GAG_PW set to any other value will disable password caching. When the environment variable is unset the default behavior is governed by the password policy setting.
PROXY_GLOBAL_GROUP_PERIOD Specifies the interval after which the proxy interval thread wakes up. The default value for this variable is 30 seconds.
PROXY_USE_SINGLE_SENDER Specifies if a single sender thread is used for the operations. By default this is false.
PROXY_RECONNECT_TIME Specifies the interval after which the proxy tries to reconnect to a backend server that has gone down. By default this is 5 seconds.
LDAP_LIB_WRITE_TIMEOUT Specifies the time (in seconds) to wait for a socket to be write ready
FLOW_CONTROL_SLEEP_TIME In Flow control, when there are no free backend connections available, the proxy server temporarily suspends reading from socket. It then checks periodically to see if there is a free backend connection that became available. The frequency with which this check is done is determined by the environment variable FLOW_CONTROL_SLEEP_TIME. This must be set to an integer value and will specify in milliseconds the frequency with which the check is done by the proxy. If the environment variable is not set, it defaults to 5.
The proxy server supports some features of Security Directory Server while at the same time there are some features that are not supported by proxy. The list of features that are supported by the proxy server are given below:
  • Log access extended operations.
  • Dynamic configuration of the supported attributes
  • Server start stop
  • TLS
  • Unbind of a bound dn
  • Dynamic trace
  • Attribute type extended operation
  • User type extended operation
  • Auditing of source ip control
  • Server administration control
  • Entry check sum
  • Entry uuid
  • Filter acls
  • Admin group delegation
  • Denial of service prevention
  • Admin server auditing
  • Dynamic groups
  • Monitor operation counts
  • Monitor logging counts
  • Connection monitor active workers
  • Monitor tracing
  • SSL Fips mode
  • Modify dn as long as the entry rename does not move the entry across partitions.
  • Multiple instances
  • AES password encryption
  • Admin password policy
  • Locate entry extended operation
  • Resume role extended operation
  • ldap get file
  • Limit number of attribute values
  • Audit performance - Performance auditing is supported for proxy. The following performance info fields for each audit record are valid for proxy. The RDBM lock wait time will always be 0 for a proxy server:
    • Operation response time
    • Time spent on work Q
    • Client I/O time
  • Digest MD-5 Binds
  • Admin roles
  • Preoperation plugins
  • Global Admin Group
  • Paged and Sorted Searches
  • ibm-allmembers search
  • Transactions
    Note: Transactions are supported but only if all the entries that are part of the transaction request reside on a single directory server.
The list of features not supported by the proxy server are given below:
  • Event notification
  • Replication management extended operations
  • Group evaluation extended operation
  • Account Status extended operation
  • Subtree delete
  • Proxy authorization control
  • Group authorization control
  • Omit group Referential integrity
  • Unique Attributes
  • Effective password policy
  • Online backup extended operation
  • Password prebind extended operation
  • Password post bind extended operation
  • Post Operation plugins
  • Null based search