What IP load balancers in front of Directory Proxy Server?

In the highly available topology design, two Directory Proxy Servers sit behind IP load balancers.  What IP load balancers are folks using for this?
We happen to have F5 load balancers, but I was a bit disappointed to learn that these proxy the connections, and so the initial LDAP client IP address is swallowed up by the F5.  This seems to rob a lot of usefulness in Directory Proxy / Directory Server, not to mention make the DP / DS logs less helpful.  Any way around this?
Thanks,
Amos

Hello,
Many customers use F5.
However, there is no mechanism at the LDAP protocol level to carry the initial client IP address down to the ultimate server.
-Sylvain

Similar Messages

  • ODSEE 11g - DPS Directory proxy server suddenly increase load average

    Hi all
    Recently upgraded from directory server 5.2 to ODSEE 11g, with one directory proxy configured to one master directory server and one consumer directory server.
    All three instances are on the same SPARC T3 machine.
    Directory proxy server alerts: server load average on the machine is above 6.00; normally it is 0.66. I'm not sure what is causing the sudden burst in the load. The traffic is normal; there are no abnormal requests coming to the server. Proxy performance degrades over the span of 24 hours, and once I restart the proxy services (dpsadm restart) all load averages come back to normal and the directory proxy runs normally for the next two to three weeks. The same cycle continues. I'm not sure what was causing the sudden load increase.
    I increased the JVM heap size from 1GB to 2 GB but still continue to have the problem. Did anyone else experience a similar problem? How did you fix it?
    Any input or advice in the right direction is much appreciated.
    Thank you.

    The server load I'm referring to is from the "prstat" command: the server load average suddenly shoots up from 0.66 to 6.00, i.e. the CPU usage. The alert is from our server monitoring tool, not related to directory proxy.
    Clients report connection timeouts (etime goes from etime=0 ..2..4.....). Over 24 hours I can see the etime increase, and eventually the proxy server gets hung and becomes non-responsive. Once I restart, all the performance is back to normal, at least for another two weeks.
    I suspect there might be a memory leak or JVM garbage collection issue. Any expert input on how to figure this out will help.
    Here is the JVM args in the proxy server "Xms2g -Xmx2g -Xmn1g -XX:SurvivorRatio=4 -XX:+UseParNewGC -XX:+UseConcMarkSweepGC"
    Here is a jstat during the problem
    ./jstat -gcutil -t 25365 2s 30
    Timestamp S0 S1 E O P YGC YGCT FGC FGCT GCT
    982106.4 0.00 26.17 4.26 92.25 59.52 523 60.979 689 1002.587 1063.566
    982108.4 0.00 26.17 4.40 92.25 59.52 523 60.979 689 1002.587 1063.566
    982110.4 0.00 26.17 4.80 92.25 59.52 523 60.979 689 1002.587 1063.566
    982112.4 0.00 26.17 5.10 92.25 59.52 523 60.979 690 1002.719 1063.698
    982114.4 0.00 26.17 5.15 92.25 59.52 523 60.979 690 1002.719 1063.698
    982116.4 0.00 26.17 5.32 92.25 59.52 523 60.979 691 1003.009 1063.988
    982118.4 0.00 26.17 5.72 92.25 59.52 523 60.979 691 1003.009 1063.988
    982120.4 0.00 26.17 5.80 92.25 59.52 523 60.979 691 1003.009 1063.988
    982122.4 0.00 26.17 5.93 92.25 59.52 523 60.979 692 1003.168 1064.146
    982124.4 0.00 26.17 6.03 92.25 59.52 523 60.979 692 1003.168 1064.146
    982126.4 0.00 26.17 6.15 92.25 59.52 523 60.979 693 1003.481 1064.460
    982128.5 0.00 26.17 6.18 92.25 59.52 523 60.979 693 1003.481 1064.460
    982130.5 0.00 26.17 6.25 92.25 59.52 523 60.979 693 1003.481 1064.460
    982132.5 0.00 26.17 6.29 92.25 59.52 523 60.979 694 1003.656 1064.635
    982134.5 0.00 26.17 6.31 92.25 59.52 523 60.979 694 1003.656 1064.635
    982136.5 0.00 26.17 6.36 92.25 59.52 523 60.979 695 1003.988 1064.967
    982138.5 0.00 26.17 6.89 92.25 59.52 523 60.979 695 1003.988 1064.967
    982140.5 0.00 26.17 6.99 92.25 59.52 523 60.979 695 1003.988 1064.967
    982142.5 0.00 26.17 7.08 92.25 59.52 523 60.979 696 1004.187 1065.165
    982144.5 0.00 26.17 7.31 92.25 59.52 523 60.979 696 1004.187 1065.165
    982146.5 0.00 26.17 7.82 92.25 59.52 523 60.979 697 1004.553 1065.531
    982148.5 0.00 26.17 7.92 92.25 59.52 523 60.979 697 1004.553 1065.531
    982150.5 0.00 26.17 8.01 92.25 59.52 523 60.979 697 1004.553 1065.531
    982152.5 0.00 26.17 8.17 92.25 59.52 523 60.979 698 1004.786 1065.764
    982154.5 0.00 26.17 8.26 92.25 59.52 523 60.979 698 1004.786 1065.764
    982156.5 0.00 26.17 8.38 92.25 59.52 523 60.979 699 1005.174 1066.153
    982158.5 0.00 26.17 8.74 92.25 59.52 523 60.979 699 1005.174 1066.153
    982160.5 0.00 26.17 8.88 92.25 59.52 523 60.979 699 1005.174 1066.153
    982162.5 0.00 26.17 8.96 92.25 59.52 523 60.979 700 1005.433 1066.412
    982164.5 0.00 26.17 9.09 92.25 59.52 523 60.979 700 1005.433 1066.412
    jstat after the restart
    ./jstat -gcutil -t 10084 2s 30
    Timestamp S0 S1 E O P YGC YGCT FGC FGCT GCT
    40312.6 0.00 25.13 88.49 1.98 63.68 21 2.366 0 0.000 2.366
    40314.6 0.00 25.13 88.58 1.98 63.68 21 2.366 0 0.000 2.366
    40316.6 0.00 25.13 88.71 1.98 63.68 21 2.366 0 0.000 2.366
    40318.6 0.00 25.13 88.99 1.98 63.68 21 2.366 0 0.000 2.366
    40320.6 0.00 25.13 89.31 1.98 63.68 21 2.366 0 0.000 2.366
    40322.6 0.00 25.13 89.36 1.98 63.68 21 2.366 0 0.000 2.366
    40324.6 0.00 25.13 89.42 1.98 63.68 21 2.366 0 0.000 2.366
    40326.6 0.00 25.13 89.53 1.98 63.68 21 2.366 0 0.000 2.366
    40328.6 0.00 25.13 89.60 1.98 63.68 21 2.366 0 0.000 2.366
    40330.6 0.00 25.13 89.72 1.98 63.68 21 2.366 0 0.000 2.366
    40332.6 0.00 25.13 90.11 1.98 63.68 21 2.366 0 0.000 2.366
    40334.6 0.00 25.13 90.56 1.98 63.68 21 2.366 0 0.000 2.366
    40336.6 0.00 25.13 90.67 1.98 63.68 21 2.366 0 0.000 2.366
    40338.6 0.00 25.13 90.75 1.98 63.68 21 2.366 0 0.000 2.366
    40340.6 0.00 25.13 91.09 1.98 63.68 21 2.366 0 0.000 2.366
    40342.6 0.00 25.13 91.36 1.98 63.68 21 2.366 0 0.000 2.366
    40344.6 0.00 25.13 91.47 1.98 63.68 21 2.366 0 0.000 2.366
    40346.6 0.00 25.13 91.53 1.98 63.68 21 2.366 0 0.000 2.366
    40348.7 0.00 25.13 91.64 1.98 63.68 21 2.366 0 0.000 2.366
    40350.7 0.00 25.13 91.77 1.98 63.68 21 2.366 0 0.000 2.366
    40352.7 0.00 25.13 91.87 1.98 63.68 21 2.366 0 0.000 2.366
    40354.7 0.00 25.13 91.95 1.98 63.68 21 2.366 0 0.000 2.366
    40356.7 0.00 25.13 92.11 1.98 63.68 21 2.366 0 0.000 2.366
    40358.7 0.00 25.13 92.19 1.98 63.68 21 2.366 0 0.000 2.366
    40360.7 0.00 25.13 92.24 1.98 63.68 21 2.366 0 0.000 2.366
    40362.7 0.00 25.13 92.85 1.98 63.68 21 2.366 0 0.000 2.366
    40364.7 0.00 25.13 93.19 1.98 63.68 21 2.366 0 0.000 2.366
    40366.7 0.00 25.13 93.40 1.98 63.68 21 2.366 0 0.000 2.366
    40368.7 0.00 25.13 93.44 1.98 63.68 21 2.366 0 0.000 2.366
    40370.7 0.00 25.13 93.47 1.98 63.68 21 2.366 0 0.000 2.366
    Has anyone else had similar behavior? Any input in the right direction is highly appreciated.
    Thanks.
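An added example, not part of the post above: a small parser for `jstat -gcutil -t` output that reports, for a sample window, how many full collections ran and whether old-generation occupancy (column O) ever fell, which is the difference between the two samples in the post. The excerpts reuse rows from the post; the 90% limit and the function names are assumptions made for this illustration.

```python
# Rows copied from the two jstat samples in the post (first, a few middle, last).
BEFORE_RESTART = """\
Timestamp S0 S1 E O P YGC YGCT FGC FGCT GCT
982106.4 0.00 26.17 4.26 92.25 59.52 523 60.979 689 1002.587 1063.566
982112.4 0.00 26.17 5.10 92.25 59.52 523 60.979 690 1002.719 1063.698
982116.4 0.00 26.17 5.32 92.25 59.52 523 60.979 691 1003.009 1063.988
982164.5 0.00 26.17 9.09 92.25 59.52 523 60.979 700 1005.433 1066.412
"""
AFTER_RESTART = """\
Timestamp S0 S1 E O P YGC YGCT FGC FGCT GCT
40312.6 0.00 25.13 88.49 1.98 63.68 21 2.366 0 0.000 2.366
40370.7 0.00 25.13 93.47 1.98 63.68 21 2.366 0 0.000 2.366
"""


def parse_gcutil(text):
    """Map each data row to {column name: float}, using the header row for names."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    header, data = rows[0], rows[1:]
    # Skip truncated rows rather than misaligning columns.
    return [dict(zip(header, map(float, r))) for r in data if len(r) == len(header)]


def summarize(text, old_pct_limit=90.0):
    """Summarize one sampling window.

    old_gen_pinned is True when full collections ran during the window but
    old-generation occupancy never dropped below old_pct_limit (an assumed
    threshold), i.e. the collector ran without freeing old-generation space.
    """
    samples = parse_gcutil(text)
    first, last = samples[0], samples[-1]
    full_gcs = int(last["FGC"] - first["FGC"])
    old_min = min(s["O"] for s in samples)
    return {
        "window_s": round(last["Timestamp"] - first["Timestamp"], 1),
        "full_gcs": full_gcs,
        "full_gc_s": round(last["FGCT"] - first["FGCT"], 3),
        "old_min_pct": old_min,
        "old_gen_pinned": full_gcs > 0 and old_min >= old_pct_limit,
    }


if __name__ == "__main__":
    for label, text in (("before restart", BEFORE_RESTART),
                        ("after restart", AFTER_RESTART)):
        print(label, summarize(text))
```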

  • Question on Sun Directory Proxy Server 5.2.4

    Hello Guys,
    Is it a good idea to have DPS and DS on the same server? Did anyone run into any issues? We have four Sun DS servers four-way master replicated on Windows 2003 std. We are in the process of evaluating Sun Directory Proxy server to resolve single point of failure between our custom apps and LDAP servers. I would appreciate any insights on Sun DPS implementation on Windows 2003 Std.
    Thanks

    While it might not be too good an idea (you essentially want the DPS for load balancing AND failover, right? So why risk putting it on the same machine ;) ), it does work.
    I recently implemented DPS on Solaris, and things generally work fine. (The command line interface isn't too reliable though). If you are thinking of routing all your traffic over SSL (ie, Client---ssl--->DPS---ssl--->DS), make sure you apply the latest patch available for the DPS. The dps524.jar that comes with the default installer isn't what it used to be (JES 2005Q4), and will give you issues when configuring SSL for DPS. Apart from that, things are more or less a breeze.

  • Installing Sunone Directory Proxy server

    Hi all! I am in the process of installing Sun ONE directory proxy server. On the same machine I also have directory server and administration server.
    For some reason the directory proxy installation fails at the end.
    Looking at the log file, all I can see is
    Admin Server refused to disclose its pid!
    Has anyone had this experience, or can anyone share some thoughts?
    Thanks

    I'm using the standalone DPS installer. Here is what I see in the installation log
    [5] stdout> executing dps52cfgUninstall::main
    [5] stdout> Retry for: /admin-serv/tasks/Operation/Restart?op=getpid
    [5] stdout> Retry for: /admin-serv/tasks/Operation/Restart?op=getpid
    [5] stdout> Retry for: /admin-serv/tasks/Operation/Restart?op=getpid
    [5] stdout> Retry for: /admin-serv/tasks/Operation/Restart?op=getpid
    [5] stdout> Retry for: /admin-serv/tasks/Operation/Restart?op=getpid
    [5] stdout> Retry for: /admin-serv/tasks/Operation/Restart?op=getpid

  • Tuning directory proxy server parameters

    I need help to tune following parameters of Directory proxy server 5.2patch4.
    simultaneous operations per connection
    Total operations per connection
    Simultaneous connections to this group
    simultaneous connections per ip address.
    Before tuning these parameters, I wanted to know how can I find current usage of above parameters from directory server/directory proxy server. Right now there is no value set for these parameters.
    Is there any tool/command line utility or any other way to find current usage of these parameters?
    Any help will be appreciated. Thanks in advance.
    Thanks
    -Ashok

    I think the default is unlimited. You can use these params to tune your server.

    Thanks for response.
    How do I know the baseline to set these parameters? What tool/utility can I use on Proxy server/Directory server in order to find the baseline for these parameters?
    To make it more clear, how can I find from proxy server/DS server how many simultaneous operations per connection are currently going on,
    how many total operations per connection are running,
    how many simultaneous connections to this group are running,
    how many simultaneous connections per ip address are running?
    Please let me know if you need further info.
    Thanks again.

  • Problem in installing Directory Proxy server

    Hi all! Recently downloaded the trial version of Sun ONE directory proxy server. After installing the Sun ONE DS 5.2, I tried to install Sun ONE proxy server. When it asks for configuration server information, I have given the admin id and password,
    but it gave me the following error message
    "The given Administrator Id/password combination was not accepted by the
    Configuration Directory Server.
    The Sun ONE configuration directory administrator is the ID typically used to
    log in to the console."
    I did use the same id and password to log in to the console and I am able to log in.
    Please advise.

    Two quick hints.
    First off, instead of hitting <Enter> to accept the default for the username [admin], type "admin" (without the quotes) as if you were giving different credentials. There's a known issue during the installation where the default text doesn't work.
    Additionally, I had to change my admin password in the configuration directory to cleartext in order to get it to work. For some reason the password encryption during the bind was never successful. To do that:
    dn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
    changetype: modify
    replace: userPassword
    userPassword: {CLEAR}password
    I have no idea if this addresses the problem itself or just a symptom, but it did allow me to install DPS. You might want to give it a shot.
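An added example, not part of the reply above or of any Sun tooling: an audit that scans an LDIF export or change file for userPassword values stored with the {CLEAR} scheme or with no scheme prefix, so a cleartext value set as an installation workaround can be found and rotated afterwards. The first record is the one from the reply; the other records, the example.com DNs and the "no-scheme" label are constructed for illustration.

```python
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")


def _b64(text):
    return base64.b64encode(text.encode()).decode()


_folded = _b64("{clear}constructed-pw")
# Constructed sample input: one plain value, one base64 value, one base64 value
# folded across two lines, and one value without any scheme prefix.
SAMPLE_LDIF = "\n".join([
    "dn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot",
    "changetype: modify",
    "replace: userPassword",
    "userPassword: {CLEAR}password",
    "",
    "dn: uid=app1,ou=People,dc=example,dc=com",
    "userPassword:: " + _b64("{SSHA}constructed-digest"),
    "",
    "dn: uid=app2,ou=People,dc=example,dc=com",
    "userPassword:: " + _folded[:12],
    " " + _folded[12:],
    "",
    "dn: uid=app3,ou=People,dc=example,dc=com",
    "userPassword: constructed-pw",
    "",
])


def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with a single space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def audit_passwords(ldif_text):
    """Return (dn, finding) for each userPassword value that is not hashed."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None            # blank line ends the current record
            continue
        name, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if rest.startswith(":"):  # "attr:: value" means the value is base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.lstrip(" ")
        attr = name.split(";")[0].lower()   # drop options such as ";binary"
        if attr == "dn":
            dn = value
        elif attr == "userpassword":
            scheme = SCHEME_RE.match(value)
            if scheme is None:
                findings.append((dn, "no-scheme"))
            elif scheme.group(1).upper() == "CLEAR":
                findings.append((dn, "cleartext"))
    return findings
```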

  • Does directory proxy server 6.0 support access to ds5.1SP3

    Hi,
    Does anyone have experience with setting up a directory proxy server 6.0 as a frontend to directory server 5.1SP3 servers ?
    (where can I find a list of supported directory servers by the proxy ?)
    I would like to use the proxy as part of the migration to a new data centre.
    Thanks

    Yes Directory Proxy Server 6.0 works with DS 5.1SP3.
    DPS uses LDAPv3 protocol and works with most of the LDAPv3 compliant servers. It has been tested with Sun DS, Active Directory, OpenLDAP and OpenDS.
    Some specific feature may require the support of the Proxied Authorization Control (RFC 3829), but that's it.
    Regards,
    Ludovic.

  • Issue with binary attribute types through Directory Proxy Server 6.3.1

    I'm having problems with DPS 6.3.1.1 on Solaris 10 with binary attribute types. From most LDAP servers, requesting an attribute such as userCertificate would return userCertificate;binary without any issues. However, DPS seems to consider these two separate attributes. In order to see userCertificate;binary, I have to ask for it in that exact format. This obviously is causing trouble for many clients as they shouldn't care about the binary type as it's the same attribute.
    I've tried to correct this with a virtual data transformation (dpconf add-virtual-transformation 'PKI Tree' read add-attr-value userCertificate \${userCertificate\;binary}) but the end results are the same. Any ideas on how I can correct this one?
    Thanks in advance.

    Here is some complementary information:
    system (uname -a):
    SunOS xxx 5.10 Generic_142900-13 sun4u sparc SUNW,Sun-Fire-V440
    since patch 118666-26: update java 1.5.0 update 24
    we are experiencing the following problem:
    xxx$ ./dpadm start /opt/ldap/instances/mail/
    The Directory Proxy Server instance '/opt/ldap/instances/mail' failed to start after the waiting period.
    The Directory Proxy Server instance start has produced the following error output:
    Exception in thread "main" java.lang.NoSuchFieldError: strm
    at java.util.zip.Inflater.initIDs(Native Method)
    at java.util.zip.Inflater.<clinit>(Inflater.java:60)
    at java.util.zip.ZipFile.getInflater(ZipFile.java:375)
    at java.util.zip.ZipFile.getInputStream(ZipFile.java:320)
    at java.util.zip.ZipFile.getInputStream(ZipFile.java:286)
    at java.util.jar.JarFile.hasClassPathAttribute(JarFile.java:469)
    at java.util.jar.JavaUtilJarAccessImpl.jarFileHasClassPathAttribute(JavaUtilJarAccessImpl.java:21)
    at sun.misc.URLClassPath$JarLoader.getClassPath(URLClassPath.java:809)
    at sun.misc.URLClassPath.getLoader(URLClassPath.java:293)
    at sun.misc.URLClassPath.getResource(URLClassPath.java:160)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:192)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:300)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:268)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:252)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:320)
    The Directory Proxy Server instance '/opt/ldap/instances/mail' is not running.
    We have tried to install patch 118666-27 (not recommended, but already available) which includes jdk 1.5.0 update 25 -> same problem
    When returning to jdk 1.5.0 update 20 the directory proxy server starts as normal

  • SUN ONE Directory proxy Server on NT Server

    I want to use the Sun ONE directory proxy server on an NT Server as an LDAP Proxy Server to my customised database running on an AIX box. During the installation of the proxy server (called idar 5.0 SP1) it fails, indicating that "the server configuration directory may not be running".
    What am I missing? Is the LDAP proxy server dependent on Sun's directory server?

    Hi,
    You need to have a Directory Server for the installation of the Directory Proxy Server, but not essentially the Sun ONE Directory Server itself.
    regards,
    raj

  • Directory Proxy Server Public API

    Where to find Directory Proxy Server (6 or 7) public API?
    Thank you

    Well, DPS is mainly a LDAP proxy, so upon reception of a bind, it will forward it to a LDAP directory server that would compare the credentials with the standard userPassword attribute.
    DPS can also be used OOTB as a Virtual Directory to provide an LDAP view of non-LDAP data, e.g. a SQL database. In that case, DPS implements the bind operation natively, that is, it retrieves the user password from the SQL db, then compares it with the credentials provided by the client. In that case, the user password can be retrieved from any SQL column.
    So to achieve this with an LDAP backend, a DPS bind plugin would have to get the user password from the target LDAP entry and do the comparison. A secured channel between DPS and the backend would be required to exchange such sensitive pieces of information. Technically, this would work only if you plan to use LDAP for authentication only (bind only), because the backend LDAP directory server would not consider user entries w/o userPassword attribute as regular accounts (with associated access rights).
    Could you explain where your requirement comes from?
    Thanks
    -Sylvain

  • Directory Proxy Server 5.2 and MS Active Directory

    Hi,
    The features of DPS are exactly what I'm looking for, but the Directory Servers I would like to run it against are Microsoft Active Directory Domain Controllers...
    Did anyone try this before? Was it a success story? ;-)
    Thanks for your input.

    I am very interested in this myself, since I have tried to follow the instructions at docs.sun.com and find them very poor. If you can answer the original question with some good docs, that would be great!!

  • Firefox 3.6 won't load properly because of the error "Proxy server refusing connections".

    I tried to download Firefox 3.6 but it wouldn't finish loading because of the message "Proxy server refusing connections". How do I override this problem? The last couple of days my Firefox 3.5.2 has been crashing or locking up almost every time I opened it. It got so frustrating that I tried downloading 3.6 to see if it would work any better. No luck so far. Any help would be greatly appreciated. I run Windows 2000 XP.

    Go to Tools --> Options --> Advanced --> Network --> Settings and choose "Do not use Proxy" to see if that helps.

  • What do I do when it says "The proxy server is refusing connections, etc"?

    Att.net is my home page. I have long used Firefox. When I click on the att.net icon on my opening page, this message pops up:
    The proxy server is refusing connections.
    Firefox is configured to use a proxy server that is refusing connections.
    * Check the proxy settings to make sure they are correct.
    * Contact your network administrator to make sure the proxy server is working.
    I have no idea what this means since I am not PC proficient. I have had to return to Internet Explorer, which is not as satisfactory as Firefox was.
    If a reply is sent, my only request is that it be kept simple.

    To: cor-el
    A thousand thanks for your help. The "No Proxy" check didn't work, so I fooled around with the other selections until "Use System Proxy Settings" did the job. I'm grateful.

  • My laptop wont load firefox, it keeps saying my proxy server could not connect firefox. Why is this, it was working earlier.

    Every time I try to open Firefox my laptop tells me "The proxy server is refusing connection". This has never happened before. I updated my Norton antivirus and Firefox has not worked since.

    In Firefox 3.6.4 and later the default connection settings have been changed to "Use the system proxy settings".
    You can find the connection settings in Tools > Options > Advanced : Network : Connection
    If you do not need to use a proxy to connect to the internet then select "No Proxy".
    See "Firefox connection settings":
    * Firefox cannot load websites but other programs can

  • AM in front or behind DPS (directory proxy server)?

    I have a DS 6.3 in multi-master running and will set up DPS 6.3 shortly, and plan to use opensso (AM 8 beta). In general using AM with DPS do people set up their systems whereby AM connects directly to the DS bypassing the DPS, or do they have AM go through the DPS to connect to the DS? Probably doesn't matter but I am looking for any known gotchas or recommendations. Thanks!

    Xoth wrote:
    I have a DS 6.3 in multi-master running and will set up DPS 6.3 shortly, and plan to use opensso (AM 8 beta). In general using AM with DPS do people set up their systems whereby AM connects directly to the DS bypassing the DPS, or do they have AM go through the DPS to connect to the DS? Probably doesn't matter but I am looking for any known gotchas or recommendations. Thanks!

    Are you referring to a DS for storing your AM configuration or your users?
    With FAM8, there is an embedded directory server (openDS) that you can use for storing your AM configuration data. I would use the embedded DS for your configuration data. If you decide to use an external DS (i.e. DS 6.3) for your AM configuration, I would point it directly at a LoadBalancer VIP that load balances 2 or more Master DS instances.
    As for user data, from an Access Manager perspective, I believe there to be no preference. Your DS architecture will dictate how users (including AM) access your user data. This could be (I recommend either of the first two options below, depending on whether or not DPS is used):
    - Point to a LB VIP that load-balances multiple DS instances
    - Point to a LB VIP that load-balances multiple DPS instances, which load-balance multiple DS instances
    - Point to a list of DPS or DS instances
    - etc.
    Hope this helps,
    Eric
