Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol for searching and managing objects in a directory. The directory contains many types of entries, such as entries for users, groups, encryption certificates and other services on a network. An LDAP server holds a collection of information organized in a hierarchical way and implements the LDAP protocol to communicate with clients.
Besides managing all this information, LDAP can also authenticate users. By sharing authentication information it is possible to provide single sign-on, where one password for a user is shared between many services. This makes the LDAP server a critical resource. Running multiple LDAP servers, so that the organization can reach user data in the corporate directory at any time, is a common high availability practice for a large IBM Connections deployment. The benefits of a multiple LDAP server setup include:
- High availability
If the LDAP server fails, IBM Connections cannot authenticate users. When multiple LDAP servers are set up in a cluster, service continues because authentication fails over from the failed LDAP server to one of the healthy ones.
- Separating users
You can use multiple LDAP servers to maintain different sets of users, for example corporate-level users as opposed to department-level or application-level users.
- Different schema
Another common use of multiple LDAP servers is adding users from a newly acquired company before the infrastructures are integrated. A separate LDAP server can hold the users from the acquired company. In this case, you have to support authentication against different schemas.
You can configure IBM Connections to work with multiple LDAP servers and multiple contexts through IBM WebSphere Application Server. When using multiple LDAP servers, note the following:
- LDAP servers store user information, and each user must exist in only one LDAP server, not in several.
- The distinguished name (DN) of each base entry must be unique among the multiple LDAP servers (that is, the subtree name is unique).
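The two constraints above are easy to violate when directories are added over time, so it is worth checking them before the federated configuration goes live. The following Python script is an added example, not part of the original page or of any IBM product: it takes the base entry DN of each LDAP server and the list of user IDs each server holds (both constructed sample data here), and reports base entries that are not unique and users that appear in more than one server. It also flags a base entry that is nested under another server's base entry; that is a stricter interpretation of "the subtree name is unique" and is an assumption of this check, not a rule stated on the page. DN handling is deliberately simple and does not cope with escaped commas in RDN values.

```python
"""Offline checks for a multi-LDAP setup: base entry DNs must be unique across
servers, and every user must exist in only one server. Added example; the
sample servers, base entries and user IDs below are constructed."""

from __future__ import annotations
from collections import defaultdict


def normalize_dn(dn: str) -> list[str]:
    """Split a DN into RDNs with attribute types and values lower-cased and
    whitespace trimmed, so "O = X" and "o=x" compare equal.
    Limitation: a plain split on ',' ignores escaped commas in RDN values."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return parts


def is_same_or_subtree(dn: str, base: str) -> bool:
    """True if dn equals base or lies under it. DNs are compared right to
    left, so the base must be a suffix of dn's RDN list."""
    a, b = normalize_dn(dn), normalize_dn(base)
    return len(a) >= len(b) and a[len(a) - len(b):] == b


def check_base_entries(bases: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (server1, server2, reason) for every pair of servers whose base
    entries clash. Identical DNs break the uniqueness rule; a base nested under
    another base is reported too (assumption: stricter reading of the rule)."""
    problems = []
    names = list(bases)
    for i, s1 in enumerate(names):
        for s2 in names[i + 1:]:
            b1, b2 = bases[s1], bases[s2]
            if normalize_dn(b1) == normalize_dn(b2):
                problems.append((s1, s2, "identical base entry"))
            elif is_same_or_subtree(b1, b2) or is_same_or_subtree(b2, b1):
                problems.append((s1, s2, "one base entry is nested under the other"))
    return problems


def check_user_uniqueness(users: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {uid: [servers]} for every uid that appears in more than one
    server. User IDs are compared case-insensitively."""
    seen: dict[str, list[str]] = defaultdict(list)
    for server, uids in users.items():
        for uid in set(uids):
            seen[uid.lower()].append(server)
    return {uid: servers for uid, servers in seen.items() if len(servers) > 1}


# Constructed sample: a corporate directory, a department directory and a
# directory for an acquired company (hypothetical names and DNs).
SAMPLE_BASES = {
    "corp": "o=example,c=us",
    "dept": "ou=engineering,o=example,c=us",  # nested under corp: flagged
    "acq": "o=acquired,c=us",
}
SAMPLE_USERS = {
    "corp": ["alice", "bob"],
    "dept": ["carol"],
    "acq": ["Bob", "dave"],  # "bob" also exists in corp: flagged
}


def run_checks(bases: dict[str, str] = SAMPLE_BASES,
               users: dict[str, list[str]] = SAMPLE_USERS) -> dict:
    """Run both checks and return their findings in one dictionary."""
    return {
        "base_entry_conflicts": check_base_entries(bases),
        "duplicate_users": check_user_uniqueness(users),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result or 'none'}")
```

In a real deployment the base entries come from the federated repository configuration and the user ID lists from an LDAP search against each server; the checks themselves do not change.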