LDAP redundancy and TLS

SR OS supports up to five LDAP servers (one in use plus redundant, or backup, servers), as shown in Figure: LDAP and TLS redundancy and in the configuration examples below. Based on the configured timeout and retry values, when the LDAP server in use is determined to be out of service or operationally down, SR OS fails over to a redundant server, selecting the one with the next highest configured server index.

Figure: LDAP and TLS redundancy

Configuration of Server-1:

A*:SwSim14>config>system>security>ldap# info
    public-key-authentication
    server 1 create
        address 1.1.1.1
        ldap-server "active-server"
        tls-profile "server-1-profile"

A*:SwSim14>config>system>security>tls# info
    client-tls-profile "server-1-profile" create
        cipher-list "to-active-server"
        trust-anchor-profile "server-1-ca"
        no shutdown
    exit

Configuration of Server-5 (backup):

A*:SwSim14>config>system>security>ldap# info
    public-key-authentication
    server 5 create
        address 5.5.5.1
        ldap-server "backup-server-5"
        tls-profile "server-5-profile"

A*:SwSim14>config>system>security>tls# info
    client-tls-profile "server-5-profile" create
        cipher-list "to-backup-server-5"
        trust-anchor-profile "server-5-ca"
        no shutdown
    exit

Each LDAP server can have its own TLS profile, and each profile can carry its own trust anchor and cipher list. Because the LDAP servers may sit in different geographical areas, each is typically issued its own server certificate and is therefore assigned its own trust anchor; with separate trust anchors, a certificate issued for one server is not accepted when connecting to another. The design allows the operator to mix and match these components freely.
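The following client-side model shows the two behaviours described on this page together: failover in ascending server-index order after the configured number of attempts, and a separate TLS context (trust anchor plus cipher list) per server. It is an added example and is not SR OS code; the server indices and addresses mirror the configuration above, while the CA file names, cipher strings, LDAPS port, timeout and retry values are assumptions.

```python
"""Client-side model of SR OS style LDAP failover with per-server TLS profiles.

Added example, not SR OS code. CA file names, cipher strings, port, timeout
and retry values are assumptions chosen to mirror the configuration above.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class LdapServer:
    index: int                     # server index; the lowest index is preferred
    address: str
    port: int = 636                # LDAPS port (assumption: the page gives none)
    cafile: Optional[str] = None   # trust anchor used for this server only
    ciphers: Optional[str] = None  # cipher list for this server only (OpenSSL syntax)


def tls_context(server: LdapServer) -> ssl.SSLContext:
    """One client TLS context per server, built from that server's own profile.

    This mirrors the per-server client-tls-profile above: a certificate that
    chains to a different server's CA fails verification here.
    """
    ctx = ssl.create_default_context(cafile=server.cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if server.ciphers:
        ctx.set_ciphers(server.ciphers)
    return ctx


def tls_probe(server: LdapServer, timeout: float) -> bool:
    """Real probe: TCP connect and TLS handshake must both finish within timeout.

    server_hostname is the configured IP address, so the server certificate
    must carry that address as an IP SAN for verification to succeed.
    """
    try:
        with socket.create_connection((server.address, server.port), timeout=timeout) as raw:
            with tls_context(server).wrap_socket(raw, server_hostname=server.address):
                return True
    except OSError:  # covers timeouts, refused connections and ssl.SSLError
        return False


Probe = Callable[[LdapServer, float], bool]


def select_server(servers: Iterable[LdapServer], probe: Probe,
                  timeout: float = 3.0, retries: int = 2,
                  trace: Optional[List[Tuple[int, int]]] = None) -> LdapServer:
    """Walk servers in ascending index order and return the first that answers.

    Each server gets 1 + retries attempts of `timeout` seconds; only when all
    of them fail does the client move on to the next highest configured index,
    which is the failover order the text describes. `trace`, if given, records
    every (index, attempt) pair tried.
    """
    for server in sorted(servers, key=lambda s: s.index):
        for attempt in range(1, retries + 2):
            if trace is not None:
                trace.append((server.index, attempt))
            if probe(server, timeout):
                return server
    raise RuntimeError("no configured LDAP server reachable")


# Constructed to mirror the two configurations above; CA file names are assumptions.
SERVERS = [
    LdapServer(1, "1.1.1.1", cafile="server-1-ca.pem", ciphers="ECDHE+AESGCM"),
    LdapServer(5, "5.5.5.1", cafile="server-5-ca.pem", ciphers="ECDHE+AESGCM"),
]


def simulate(down: Iterable[int], servers: Iterable[LdapServer] = SERVERS,
             retries: int = 2) -> Tuple[int, List[Tuple[int, int]]]:
    """Offline walk-through: servers whose index is in `down` never answer.

    Returns (selected index, attempt trace) so the failover order can be
    checked without any network access.
    """
    unreachable = set(down)

    def fake_probe(server: LdapServer, _timeout: float) -> bool:
        return server.index not in unreachable

    trace: List[Tuple[int, int]] = []
    chosen = select_server(servers, fake_probe, retries=retries, trace=trace)
    return chosen.index, trace


if __name__ == "__main__":
    print(simulate(down=[]))    # server 1 answers on its first attempt
    print(simulate(down=[1]))   # three misses on server 1, then server 5 is selected
```

`simulate` drives `select_server` with a fake probe so the ordering can be checked offline; replacing it with `tls_probe` gives a real LDAPS reachability check in which a server presenting a certificate from the wrong CA, or negotiating a cipher outside its own list, is treated as down and skipped.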