Strange, isn't it?
Nevertheless, based on a quick recollection of how HA is configured for the Data Store (Access Control > Realm > Data Stores > Datastore), I added the secondary LDAP server hostname and port number on the 2nd line of the Primary LDAP Server field.
Bomb! The OpenAM debug log complained: "failed to get LDAP server name. If you enter more than one server name in the policy config service's Primary LDAP Server field, please make sure the ldap server name is preceded with the local server name".
So the configurations allowed are:
1. All OpenAM nodes hit the same OpenDJ server (no load-balance; no HA)
2. Each OpenAM node hits a dedicated OpenDJ server (load-balanced, but still no HA)
Should we put an LB in front of a set of OpenDJ servers, with MMR configured, and have all OpenAM nodes hit the LB? Maybe that's the only workaround as of now.
By the way, I share the same pain as this bugster - Consistency for LDAP configuration across OpenAM.