How to force Identity Server to use the local LDAP user store rather than a remote one in a clustered environment spanning geo locations

  • 7021272
  • 31-Aug-2017
  • 06-Sep-2017

Environment

Access Manager setup to serve users worldwide with the following characteristics:

• There are two data centers

• Each data center has two Identity Servers, all in the same cluster, for a total of 4 IDPs

• Each data center has two eDirectory servers that are replicas of each other

• One User Store is defined in NAM with all 4 eDirectory servers listed

Administrators want users accessing the IDP in one data center to talk to the local eDirectory servers in the same data center, so that LDAP traffic does not traverse the WAN link. The User Store definition, however, offers no way to control which of the listed LDAP servers a given IDP talks to.

Situation

Upgrade to NAM 4.4 and define the LDAP replica servers in the User Store using DNS names rather than IP addresses (a new feature in 4.4). With this in place, one can simply modify the local hosts file on each IDP so that the DNS name resolves to the local LDAP server, or to the local load balancer VIP fronting that data center's LDAP servers.
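The following is an added example, not part of the original article and not NetIQ code, showing what the per-data-center hosts override looks like and how to check it offline. The user store DNS name ldap.example.com, the VIP addresses 10.1.0.10 and 10.2.0.10 and the hosts file contents are constructed placeholders; substitute the names and addresses defined in your own User Store.

```shell
#!/bin/sh
# Added example (not from the KB article): per-data-center /etc/hosts overrides
# for the User Store's DNS name, plus a resolver check that runs without DNS.
# All hostnames and IP addresses below are constructed placeholders.

# DNS name under which the eDirectory replicas are defined in the NAM User Store
# (assumed value)
USERSTORE_NAME="ldap.example.com"

# Constructed /etc/hosts content as it would look on an IDP in data center 1:
# the User Store name points at the local eDirectory load balancer VIP.
DC1_HOSTS='127.0.0.1   localhost
10.1.0.10   ldap.example.com   # local eDirectory VIP, data center 1'

# Same name, but on an IDP in data center 2 it resolves to that site's VIP.
DC2_HOSTS='127.0.0.1   localhost
10.2.0.10   ldap.example.com   # local eDirectory VIP, data center 2'

# resolve_from_hosts CONTENT NAME
#   Prints the first IP mapped to NAME in the given hosts-file text, ignoring
#   comments, the way the libc "files" resolver does. Returns 1 if NAME is absent.
resolve_from_hosts() {
  content="$1"; name="$2"
  printf '%s\n' "$content" | sed 's/#.*//' | awk -v n="$name" '
    NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; found = 1; exit } }
    END { exit found ? 0 : 1 }'
}

# hosts_entry IP NAME DESCRIPTION
#   Prints the line an administrator would append to /etc/hosts on an IDP.
hosts_entry() {
  printf '%s\t%s\t# %s\n' "$1" "$2" "$3"
}

# is_local IP PREFIX
#   Succeeds when IP starts with the data center's address prefix (e.g. "10.1."),
#   i.e. the override really keeps LDAP traffic inside the local site.
is_local() {
  case "$1" in
    "$2"*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Walk through both sites: show the entry, resolve it, and confirm it is local.
for site in "1 10.1.0.10 10.1. $DC1_HOSTS" "2 10.2.0.10 10.2. $DC2_HOSTS"; do
  set -- $site
  dc="$1"; vip="$2"; prefix="$3"; shift 3
  hosts_entry "$vip" "$USERSTORE_NAME" "local eDirectory VIP, data center $dc"
  ip="$(resolve_from_hosts "$DC1_HOSTS" "$USERSTORE_NAME")"
  [ "$dc" = "2" ] && ip="$(resolve_from_hosts "$DC2_HOSTS" "$USERSTORE_NAME")"
  if is_local "$ip" "$prefix"; then
    echo "DC$dc IDP: $USERSTORE_NAME -> $ip (local)"
  else
    echo "DC$dc IDP: $USERSTORE_NAME -> $ip (NOT local, traffic would cross the WAN)"
  fi
done
```

On a live IDP the equivalent check is `getent hosts ldap.example.com`, which honours the same `/etc/hosts` semantics; also confirm that `/etc/nsswitch.conf` lists `files` before `dns` on its `hosts:` line, otherwise the override is ignored. Pointing the name at a single local eDirectory server rather than a VIP removes cross-site failover for that IDP, so the load balancer VIP variant mentioned in the article is the one that preserves redundancy within each data center.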