The customer's primary LDAP server went down, and the secondary server (which was up) did not allow users to log in until the issue with the primary was fixed. Foglight should have allowed failover between the LDAP servers.
The following error message was found:
2011-11-17 00:00:00.512 WARN [RemoteAlarmAccessor-1-[local]-Time-3] com.quest.nitro.service.security.auth.spi.NitroExtendedLdapLoginModule - Error connecting to LDAP server: ldaps://LDAPserver:636
javax.naming.CommunicationException: LDAPserver:636 [Root exception is java.net.ConnectException: Connection refused]
==> Caused by: java.net.ConnectException: Connection refused
Foglight does allow LDAP failover. We have tested this in-house on FMS 5.6.2 and FMS 5.5.8 and have seen the failover work successfully (unless a total failure of the LDAP servers occurred).
Scenarios:
1) Start the FMS with 2 valid LDAP servers to connect to, one as primary, one as secondary.
2) While the FMS is up and running, make the primary LDAP unavailable.
3) The LDAP user is still able to log in via authenticating with the second LDAP.
If you still have a failure, the scenario that you experienced must have been something other than only the primary LDAP being down (both LDAP servers down, a complete network problem, or some other environmental issue).
FOR THIS EXAMPLE PROVIDED BY CUSTOMER: The issue was certification on the secondary LDAP.
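
A secondary that cannot complete a verified LDAPS handshake stays unnoticed until the primary is down, so it helps to probe every configured server ahead of time. The following is an added example, not Foglight or Quest code: it opens a TLS connection to each ldaps:// URL with certificate verification on and reports which servers could not take over. The URLs are placeholders, and the trust store used is the Python default unless a CA file is passed (an assumption; the FMS uses its own Java trust store).

```python
import socket
import ssl
import sys
from urllib.parse import urlparse


def check_ldaps(url, cafile=None, timeout=5.0):
    """Probe one ldaps:// URL and return (status, detail)."""
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 636
    # Verify the chain and the hostname, as a strict LDAPS client would.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", "certificate valid until " + tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Expired, untrusted issuer, or name mismatch.
        return "cert_invalid", exc.verify_message
    except ssl.SSLError as exc:
        return "tls_error", str(exc)
    except OSError as exc:
        # Connection refused, timeout, or DNS failure.
        return "unreachable", str(exc)


def failover_gaps(results):
    """Return the URLs that could not take over authentication."""
    return [url for url, (status, _) in results.items() if status != "ok"]


def audit(urls, cafile=None):
    """Probe every configured server, not only the first one that answers."""
    results = {url: check_ldaps(url, cafile) for url in urls}
    return results, failover_gaps(results)


if __name__ == "__main__":
    # Placeholder URLs (assumed); pass the real primary and secondary as arguments.
    urls = sys.argv[1:] or ["ldaps://ldap1.example.com:636",
                            "ldaps://ldap2.example.com:636"]
    results, gaps = audit(urls)
    for url, (status, detail) in results.items():
        print(f"{status:12} {url}  {detail}")
    sys.exit(1 if gaps else 0)
```

A non-zero exit code means at least one server in the list would fail if it had to serve logins on its own.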