Security Directory Server proxy environment setup

A Security Directory Server proxy is a special type of IBM® Security Directory Server that provides request routing, load balancing, fail over, distributed authentication and support for distributed/membership groups and partitioning of containers.

Attention: IBM Security Verify Access customers who want to use the Security Directory Server proxy server must purchase a separate Security Directory Server entitlement. The version of Security Directory Server that is part of the Security Verify Access package does not allow IBM Security Verify Access customer-use of the Security Directory Server proxy server.

If you have the appropriate entitlement, see the proxy server instructions in the IBM Security Directory Server Administration Guide.

Then, return to this document for instructions about setting up the proxy server to work with IBM Security Verify Access.

Security Verify Access stores its metadata within a required suffix called secAuthority=Default. Metadata includes information that is used to track user and group status information specific to Security Verify Access. When you use a proxy, the secAuthority=Default object itself cannot be modified by using the proxy because the object at a proxy partition split point cannot be modified through the proxy. Therefore, Security Verify Access cannot be configured directly through the proxy because Security Verify Access must modify the secAuthority=Default object during configuration.

In a proxy environment, the administrator must decide on the back-end server that the secAuthority=Default subtree is hosted and set up that back-end server and the proxy partition information to reflect that topology. This example configures Server A to host the secAuthority=Default subtree.

Data under a proxy partition split point (for example, o=ibm,c=us) is hashed to determine which back-end server has the subtree. In this example, Proxy is configured to hash RDN values immediately after o=ibm,c=us among two servers. This example also means the RDN values more than 1 away from o=ibm,c=us will map to the same server as values immediately after o=ibm,c=us. For this reason, it is more advantageous to configure the proxy with a single partition for the secAuthority=Default suffix.

If you want to distribute the Security Verify Access metadata within the secAuthority=Default suffix among multiple back-end servers, it is best to split the partition below the cn=Users,secAuthority=Default container. Entries are made on behalf of each user who is defined, below the cn=Users,secAuthority=Default container and therefore splitting this user information can help distribute the data more evenly across the back-end servers. This example does not distribute the data but instead maintain the entire secAuthority=Default subtree within Server A.