Adding a Failover LDAP Server to PGP Universal Server

Article:TECH201252  |  Created: 2012-12-31  |  Updated: 2013-01-15  |  Article URL http://www.symantec.com/docs/TECH201252
Article Type
Technical Solution

Issue

If you are using LDAP Directory Synchronization to enroll PGP Desktop users to PGP Universal Server, you may wish to add more than one LDAP server in order to provide redundancy.  By having a secondary LDAP Server configured in PGP Universal Server, you can continue to enroll users and associate users with groups using LDAP, even if your primary LDAP Server is unavailable.

Note that PGP Universal Server will always use only the primary LDAP server if it is available.


Solution

In PGP Universal Server administrative interface under the menu Consumers > Directory Synchronization you will see a list of LDAP Directories.  Click on the name of an existing LDAP Directory and you will see the LDAP Servers that PGP Universal Server uses for that directory.  To add an LDAP server, simply click on the "+" button and enter the hostname, port, protocol and priority of the new server.

If you have more than one LDAP Server listed, the server with priority 1 will be used all the time unless it cannot be contacted, in which case the server with priority 2 will be used.  When you use more than one LDAP server, a priority must be set on every server.

In a cluster environment, the LDAP settings will replicate to the other cluster members except for the Priority setting.  You will need to set this on each cluster member and you can, if required, set different priorities on different cluster members.

It is recommended that you click on the "Test Connection" button for each server to check that the server can be reached by PGP Universal Server.

Note that client enrolment can take considerably longer when the priority 1 server is unreachable.  This is because PGP Universal Server will try the priority 1 LDAP server prior to trying the priority 2 server each time it tries to bind to LDAP.  Each failed attempt to bind to the priority 1 server takes between 3 and 20 seconds depending on the issue that is preventing the LDAP bind and there are about 5 such attempts in the course of enrolment.

When an LDAP server cannot be reached during client enrolment, PGP Universal Server will log the warning "ldap operation result: -1, Can't contact LDAP server" in the Client log.
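The warning quoted above is the signal an administrator can watch for to learn that enrolments are falling back to the priority 2 server (and paying the 3 to 20 second penalty per failed bind). The following script is an added example, not part of the article or of PGP Universal Server: it scans Client log text for that warning and reports how many failed binds occurred and the extra delay they imply. The log line layout, timestamps and hostnames are constructed for the example; only the warning string itself comes from the article.

```python
import re

# Warning text quoted in the article.
LDAP_UNREACHABLE = "ldap operation result: -1, Can't contact LDAP server"

# Constructed sample excerpt of a PGP Universal Server Client log. The line
# layout, timestamps and hostname are invented for this example; only the
# warning message is the one the article quotes. Five failed binds during one
# enrolment matches the "about 5 such attempts" the article describes.
SAMPLE_CLIENT_LOG = """\
2013-01-15 09:12:01 INFO  enrolment started for user alice
2013-01-15 09:12:04 WARN  ldap operation result: -1, Can't contact LDAP server
2013-01-15 09:12:05 INFO  bound to ldap2.example.internal:636 (priority 2)
2013-01-15 09:12:25 WARN  ldap operation result: -1, Can't contact LDAP server
2013-01-15 09:12:26 INFO  bound to ldap2.example.internal:636 (priority 2)
2013-01-15 09:12:46 WARN  ldap operation result: -1, Can't contact LDAP server
2013-01-15 09:12:47 INFO  bound to ldap2.example.internal:636 (priority 2)
2013-01-15 09:13:07 WARN  ldap operation result: -1, Can't contact LDAP server
2013-01-15 09:13:08 INFO  bound to ldap2.example.internal:636 (priority 2)
2013-01-15 09:13:28 WARN  ldap operation result: -1, Can't contact LDAP server
2013-01-15 09:13:29 INFO  bound to ldap2.example.internal:636 (priority 2)
2013-01-15 09:13:30 INFO  enrolment complete for user alice
"""

# Matches the constructed layout: "<date> <time> <LEVEL>  <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+)\s+(?P<msg>.*)$"
)


def ldap_contact_failures(log_text):
    """Return (timestamp, message) for every line carrying the warning."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and LDAP_UNREACHABLE in m.group("msg"):
            hits.append((m.group("ts"), m.group("msg")))
    return hits


def failover_report(log_text, bind_min_s=3, bind_max_s=20):
    """Summarise the failed binds and the enrolment delay they imply.

    Each failed bind to the priority 1 server costs 3-20 s (figures from the
    article), so n warnings add between 3n and 20n seconds to enrolment.
    """
    hits = ldap_contact_failures(log_text)
    n = len(hits)
    return {
        "failed_binds": n,
        "first": hits[0][0] if hits else None,
        "last": hits[-1][0] if hits else None,
        "extra_delay_seconds": (bind_min_s * n, bind_max_s * n),
        # Any occurrence means the priority 1 server could not be contacted.
        "primary_ldap_suspect": n > 0,
    }


if __name__ == "__main__":
    print(failover_report(SAMPLE_CLIENT_LOG))
```

Run periodically against the exported Client log, a non-zero `failed_binds` is the cue to check the priority 1 server rather than waiting for users to report slow enrolment.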

Because the priority 2 server will only be used when the priority 1 server is unavailable, please be sure to check periodically that the priority 2 server is still available to PGP Universal Server.
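The priority rules, the per-bind failure cost and the need to keep checking the priority 2 server can be pulled together in a small model. The script below is an added example, not Symantec's code and not how PGP Universal Server is implemented internally: it orders a server list the way the article says the server walks it, picks the first reachable entry, estimates the enrolment overhead when the priority 1 server is down (about 5 binds, each failed bind costing 3 to 20 seconds), and offers a TCP probe a scheduled job can run against the priority 2 server. The hostnames, the `LdapServer` type, the probe and the timing arithmetic are assumptions made here.

```python
"""Failover order of the PGP Universal Server LDAP server list, as a model.

Added example, not Symantec code. The priority semantics, the 3-20 s cost per
failed bind and the ~5 binds per enrolment come from the article; the
hostnames, the probe and the timing arithmetic are assumptions made here.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class LdapServer:
    hostname: str
    port: int
    protocol: str            # "LDAP" or "LDAPS", as entered in the "+" dialog
    priority: Optional[int]  # must be set when more than one server is listed


# Constructed sample configuration with hypothetical hostnames, deliberately
# listed out of priority order.
SERVERS = [
    LdapServer("ldap2.example.internal", 636, "LDAPS", 2),
    LdapServer("ldap1.example.internal", 636, "LDAPS", 1),
]


def validate_priorities(servers: List[LdapServer]) -> None:
    """With several servers, every priority must be set and unique."""
    if len(servers) < 2:
        return
    prios = [s.priority for s in servers]
    if any(p is None for p in prios):
        raise ValueError("priority must be set on every server when more than one is listed")
    if len(set(prios)) != len(prios):
        raise ValueError("priorities must be distinct so the failover order is unambiguous")


def by_priority(servers: List[LdapServer]) -> List[LdapServer]:
    """The order PGP Universal Server walks the list: priority 1 first."""
    validate_priorities(servers)
    return sorted(servers, key=lambda s: s.priority)


def select_server(servers: List[LdapServer],
                  reachable: Callable[[LdapServer], bool]) -> Optional[LdapServer]:
    """First reachable server in priority order, or None if all are down.

    Priority 1 is retried on every bind; priority 2 is used only while
    priority 1 cannot be contacted.
    """
    for server in by_priority(servers):
        if reachable(server):
            return server
    return None


def enrolment_delay_range(servers: List[LdapServer],
                          reachable: Callable[[LdapServer], bool],
                          binds: int = 5,
                          fail_min_s: float = 3.0,
                          fail_max_s: float = 20.0) -> Tuple[float, float]:
    """Extra seconds an enrolment spends on failed binds before falling back.

    Each of the ~5 binds retries every unreachable higher-priority server and
    each failed bind costs 3-20 s, so the overhead is binds * failed * (3..20).
    """
    failed = 0
    for server in by_priority(servers):
        if reachable(server):
            break
        failed += 1
    return (binds * failed * fail_min_s, binds * failed * fail_max_s)


def tcp_probe(server: LdapServer, timeout_s: float = 5.0) -> bool:
    """Cheap reachability check for a job that watches the priority 2 server.

    Only confirms a TCP connection on the LDAP port; it is not an LDAP bind,
    so the "Test Connection" button in the admin interface remains the
    authoritative check.
    """
    try:
        with socket.create_connection((server.hostname, server.port), timeout=timeout_s):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for s in by_priority(SERVERS):
        print(f"priority {s.priority}: {s.protocol}://{s.hostname}:{s.port} reachable={tcp_probe(s)}")
    print("delay if priority 1 is down:", enrolment_delay_range(SERVERS, lambda s: s.priority != 1))
```

The delay estimate makes the article's warning concrete: with the priority 1 server down, five binds at 3 to 20 seconds each add between 15 and 100 seconds to an enrolment. Running `tcp_probe` against the priority 2 server on a schedule is one way to honour the advice to check it periodically, since nothing else will exercise it while priority 1 is healthy.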
