SR OS LDAP supports up to five redundant (backup) servers, as shown in Figure: LDAP and TLS redundancy and in the configuration examples below. Depending on the configured timeout and retry values, when an LDAP server is determined to be out of service or operationally down, SR OS fails over to the redundant servers, selecting the LDAP server with the next largest configured server index.
Configuration of Server-1:
A*:SwSim14>config>system>security>ldap# info
    public-key-authentication
    server 1 create
        address 1.1.1.1
        ldap-server "active-server"
        tls-profile "server-1-profile"
A*:SwSim14>config>system>security>tls# info
    client-tls-profile "server-1-profile" create
        cipher-list "to-active-server"
        trust-anchor-profile "server-1-ca"
        no shutdown
    exit
Configuration of Server-5 (backup):
A*:SwSim14>config>system>security>ldap# info
    public-key-authentication
    server 5 create
        address 5.5.5.1
        ldap-server "backup-server-5"
        tls-profile "server-5-profile"
A*:SwSim14>config>system>security>tls# info
    client-tls-profile "server-5-profile" create
        cipher-list "to-backup-server-5"
        trust-anchor-profile "server-5-ca"
        no shutdown
    exit
Each LDAP server can have its own TLS profile, and each profile can have its own trust-anchor and cipher-list configuration. For security reasons, the LDAP servers may be in different geographical areas and, therefore, each is assigned its own server certificate and trust anchor. The design is open to allow the user to mix and match all components.
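As an added example, not taken from the SR OS documentation: a small Python parser for the info output shown above that recovers each server's TLS profile and derives the failover order by ascending server index, skipping servers that are down or whose client TLS profile is missing or shut down. The extra server 3 with a shut-down profile, the function names and the treatment of a shut-down profile as unusable are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the page's two "info" snippets (servers 1 and
# 5), plus a hypothetical server 3 whose client TLS profile is left shut down.
SAMPLE = """\
A*:SwSim14>config>system>security>ldap# info
    server 1 create
        tls-profile "server-1-profile"
    server 3 create
        tls-profile "server-3-profile"
    server 5 create
        tls-profile "server-5-profile"
A*:SwSim14>config>system>security>tls# info
    client-tls-profile "server-1-profile" create
        trust-anchor-profile "server-1-ca"
        no shutdown
    exit
    client-tls-profile "server-3-profile" create
        trust-anchor-profile "server-3-ca"
        shutdown
    exit
    client-tls-profile "server-5-profile" create
        trust-anchor-profile "server-5-ca"
        no shutdown
    exit
"""

def parse(text):
    """Map server index -> settings and client TLS profile name -> settings."""
    servers, profiles, cur = {}, {}, None
    for line in text.splitlines():
        t = line.strip()
        if t == "exit" or t.endswith("# info"):      # leave the current context
            cur = None
        elif m := re.fullmatch(r"server (\d+) create", t):
            cur = servers.setdefault(int(m[1]), {})
        elif m := re.fullmatch(r'client-tls-profile "([^"]+)" create', t):
            cur = profiles.setdefault(m[1], {"up": False})  # shut down until seen
        elif cur is not None and t in ("shutdown", "no shutdown"):
            cur["up"] = t == "no shutdown"
        elif cur is not None and (m := re.fullmatch(r'(\S+) "?([^"]+)"?', t)):
            cur[m[1]] = m[2]   # address, tls-profile, trust-anchor-profile, ...
    return servers, profiles

def failover_order(servers, profiles, down=()):
    """Indices tried in turn (lowest first), skipping servers that are down or
    whose TLS profile is missing or shut down, so TLS to them cannot come up."""
    return [i for i in sorted(servers) if i not in down
            and profiles.get(servers[i].get("tls-profile"), {}).get("up")]
```

With the sample above, failover_order(*parse(SAMPLE)) yields [1, 5]: server 3 is configured but unusable because its profile is shut down.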