F5 Load Balancers and Sun Directory Servers

An IP load balancer is often used to load-balance Directory Servers (although far better and more feature-rich load balancing can be achieved with Sun Java System Directory Proxy Server).
If you choose to use a load balancer such as a BIG-IP F5, configure the F5 as follows:
Create an LDAP monitor that executes a bind against the Directory Server. This is preferable to a standard TCP health check because:

  1. A simple TCP health check does not perform as complete an LDAP operation as a BIND.
  2. The LDAP server does not know how to handle the simple TCP health check properly, so in your Sun Directory Server logs you will likely see 4164 or 4166 errors.

Then complete the simple F5 configuration web form with the relevant details from your Directory Server:

  1. ‘user name’: enter an LDAP user that has no rights to important data in the Directory, ideally with an ACI that grants privileges only to that user itself and nothing else. This ensures that if anyone compromises these credentials they cannot access other data. Sample ACI that only allows the F5 user to modify their own password:
      aci: (targetattr = "userPassword") (version 3.0; acl "allow userpassword self modification"; allow (write) userdn = "ldap:///self";)
  2. ‘password’: the password for the user
  3. ‘Base’: base DN
  4. ‘Filter’: if your user is in its own OU there is no need to filter anything
  5. ‘Security’: select yes if you wish to test LDAPS (LDAP over SSL)


Life begins when you buy a minivan

There is an old joke that goes something like this:

Several priests and a rabbi are debating when life begins. The priests vigorously argue conception, first trimester and birth. The rabbi remains silent throughout. After heated debate they turn to him and ask: “Rabbi you are so silent, pray tell us when does your religion declare that life begins?” To which the rabbi simply answers: “Life begins when the children move out and the dog is

The saga began a year ago when our daughter and her two
friends began carpooling to school. My wife first entertained the idea of a
minivan and I scoffed at it demonstrating how three car seats fit very very
(very) snugly into the rear seat of the Volvo wagon. When my wife made her first
attempt at buckling the middle seatbelt she broke a newly manicured fingernail.

I spent the next nine months driving carpool. 

In a month my son and his pal will join the carpool to
school. A friend of mine in a similar situation told me that Volvo station wagons
can fit an extra (rear-facing) bench seat, in the trunk. When I floated that
idea at home, my wife gingerly reminded me of her broken fingernail.

So she executed a typical Silicon Valley Craigslist search
and found a Honda Odyssey 2006 with low mileage, an extended warranty and sale
price below KellyBlueBook. She went to see the car and bought it.

Here one sees the benefit of marriage. Were it up to me, I
might have tried the rear-facing bench seat, given up in futility and then
kicked many tires before deciding which to buy letting a great deal slip away.

I resisted marriage – futile. I tried to delay having kids –
no good. I suggested we wait a little while longer before buying a home –
useless. I thought we did not need a mini-van – wrong!

Now that we have purchased a mini-van it appears we have
finally landed. My daughter can go to school and no longer lament that we are
the only family that does not have a mini-van.

more on HR-XML, Identity Management and Federated SingleSignOn

Following up on my meeting with Sara Moss, I attended a call today with some folks who offer solutions for the staffing industry. The attendees on today’s call offer solutions that pre-screen candidates during the hiring process – background checks ‘n all. The goal of today’s call was to define, for the HR-XML consortium, standards and methods for job applicants to single-sign-on to the pre-screening tool and the potential employer’s job application website.

Some ideas were tossed out, such as SAML, which of course Sun’s Federation Manager supports.

I will continue to participate in the HR-XML initiative. It could be interesting to extend Sun’s Identity Manager to include pre-screening requests and approvals, prior to the employee’s first day on the job. Combine that with Federation Manager for federated identity and we could have a neat solution…

Integrating Sun Java System Identity Manager and Access Manager

A year ago I collaborated with some fine fellows from Sun to document the integration steps of Access Manager and Identity Manager.
Another excellent Sun employee, Steffo Weber, has provided content that allowed us to update the document for versions 7.0 of Access Manager and Identity Manager and a chapter on Identity Manager SPE.
The document was edited and is available here.