ASA Database Administration Guide
  Client/Server Communications
    Using the TCP/IP protocol

Connecting using an LDAP server


You can specify a central LDAP server to keep track of all servers in an enterprise if you are operating on a Windows (except CE and Win64), Unix or NetWare platform. When the database server registers itself with an LDAP server, clients can query the LDAP server and find the server they are looking for regardless of whether they are on a WAN or LAN, or going through firewalls. They do not need to specify an IP address (HOST=) either. The Server Location utility [dblocate] can use the LDAP server to find other such servers as well.

LDAP is only used with TCP/IP, and only on network servers.

To enable this feature, a file containing information on how to find and connect to the LDAP server must be created on both the server machine and on each client machine. By default, the name of this file is asaldap.ini, but it is configurable. If this file doesn't exist, LDAP support is silently disabled.

The file must be located in the same directory as the ASA executables (for example, %asany%\win32 on Windows) unless a full path is specified with the LDAP parameter. The file must be in the following format:

[LDAP]
server=<machine running LDAP server>
port=<port number of LDAP server>
basedn=<Base DN>
authdn=<Authentication DN>
password=<password for authdn>
search_timeout=<age of timestamps to be ignored>
update_timeout=<frequency of timestamp updates>

server    the name or IP address of the machine running the LDAP server. Required on NetWare and Unix. If this entry is missing on Windows, Windows looks for an LDAP server running on the local domain controller.

port    the port number used by the LDAP server. The default is 389.

basedn    the distinguished name of the subtree where the Adaptive Server Anywhere entries are stored. This defaults to the root of the tree.

authdn    the authentication distinguished name. The DN must specify an existing user object in the LDAP directory that has write access to the basedn. This is required for the server, and ignored on the client.

password    the password for authdn. This is required for the server, and ignored on the client.

search_timeout    the age, in seconds, beyond which a timestamp is ignored by the client and/or the Server Location [dblocate] utility. A value of 0 disables this option so that all entries are assumed to be current. The default is 600 seconds (10 minutes).

update_timeout    the frequency, in seconds, of timestamp updates in the LDAP directory. A value of 0 disables this option so that the server never updates the timestamp. The default is 120 seconds (2 minutes).

Example 

The following is a sample asaldap.ini file:

[LDAP]
server=ldapserver
basedn=dc=iAnywhere,dc=com
authdn=cn=ASAServer,ou=iAnywhereASA,dc=iAnywhere,dc=com
password=secret

The entries are stored in a subtree of the basedn called iAnywhereASA. This entry must be created before Adaptive Server Anywhere can use LDAP. To create the subtree, you can use the LDAPADD utility, supplying the following information:

dn: ou=iAnywhereASA,<basedn>
objectClass: organizationalUnit
objectClass: top
ou: iAnywhereASA

When the server starts up, it checks for an existing entry with the same name in the LDAP file. If one is found, it is replaced if either

If neither of these is true, then there is another server running with the same name as the one attempting to start, and startup fails.

To ensure that entries in LDAP are up-to-date, the server updates a timestamp field in the LDAP entry every 2 minutes. If an entry's timestamp is older than 10 minutes, clients ignore the LDAP entry. Both of these values are configurable.

On the client, the LDAP directory is searched before doing any broadcasting, so if the server is found, no broadcasts are sent. The LDAP search is very fast, so if it fails, there is no discernible delay.

The Server Location utility [dblocate] also uses LDAP: all servers listed in LDAP are added to the list of servers returned. This allows the Server Location utility [dblocate] to list servers that wouldn't be returned normally, for example, those that broadcasts wouldn't reach. Entries with timestamps older than 10 minutes are not included.
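As an added example (not part of the original documentation), the following Python code loads an asaldap.ini in the format described above, fills in the documented defaults, checks the entries the page marks as required for the server, and applies the search_timeout rule that clients and dblocate use to discard stale entries. The consistency check between update_timeout and search_timeout is an assumption of this example, not a check the page says ASA performs.

```python
import configparser

# Constructed sample asaldap.ini, in the format described above.
SAMPLE_INI = """\
[LDAP]
server=ldapserver
basedn=dc=iAnywhere,dc=com
authdn=cn=ASAServer,ou=iAnywhereASA,dc=iAnywhere,dc=com
password=secret
"""

# Defaults the page gives for entries that may be omitted.
DEFAULTS = {"port": "389", "search_timeout": "600", "update_timeout": "120"}


def parse_asaldap(text, role="client"):
    """Parse asaldap.ini text, fill in documented defaults and report
    problems for the given role ("server" or "client")."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    cfg = dict(DEFAULTS)
    cfg.update(cp["LDAP"])
    problems = []
    # authdn and password are required on the server, ignored on the client.
    if role == "server":
        for key in ("authdn", "password"):
            if not cfg.get(key):
                problems.append(f"{key} is required on the server")
    for key in ("port", "search_timeout", "update_timeout"):
        if not cfg[key].isdigit():
            problems.append(f"{key} must be a non-negative integer")
    if not problems:
        search, update = int(cfg["search_timeout"]), int(cfg["update_timeout"])
        # Added sanity check: a server that refreshes its timestamp less often
        # than clients tolerate looks stale between refreshes and is ignored.
        if search and update and update >= search:
            problems.append("update_timeout must be smaller than search_timeout")
    # Entries live in the iAnywhereASA subtree; basedn defaults to the root.
    basedn = cfg.get("basedn", "")
    cfg["subtree_dn"] = "ou=iAnywhereASA" + ("," + basedn if basedn else "")
    return cfg, problems


def current_entries(entries, search_timeout, now):
    """Apply the search_timeout rule a client or dblocate uses: drop entries
    whose timestamp is older than search_timeout seconds (0 keeps all)."""
    if search_timeout == 0:
        return list(entries)
    return [e for e in entries if now - e["timestamp"] <= search_timeout]
```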