Enabling LDAP lookups to determine a user's Traveler server
HCL SafeLinx manages incoming connection requests from Traveler clients, directing the request to an available Traveler server. With SafeLinx, you can configure the HTTP access service to connect users to a Traveler server specified by an attribute in the user's LDAP record.
Before you begin
About this task
IBM® Traveler clients use the SafeLinx Clientless HTTP access service to establish a secure connection to a Traveler server. The first time that a user attempts to access Traveler, the incoming connection request is processed by the SafeLinx Server. The SafeLinx Server routes the request to an available Traveler server or high-availability server pool. After it establishes the connection, the SafeLinx Server saves the information about the Traveler server assignment in the user's SafeLinx account. The saved information ensures that future connection attempts from the same user are directed to the same server, unless you modify the assignment in the SafeLinx Administrator.
In networks that host multiple Traveler server pools, each pool has access to a subset of the deployed Traveler servers. Individual pools might not have access to a specific Traveler server. To guide the SafeLinx Server in making Traveler server assignments, enable the HTTP access service to look up a designated attribute from users' LDAP records.
The attribute value can identify a Traveler server or server pool in several ways. It might identify a resource by its URL, for example, https://traveler01.west.renovations.com; it might contain the distinguished name (DN) of the resource, for example, CN=Traveler1,OU=WEST,O=Renovations,C=com; or it might reference some part of a URL or DN, for example, WEST.
To enable SafeLinx to query the LDAP server to determine a user's Traveler server, assign a value for the Server/Pool assignment attribute to query. After lookups are enabled, any time that the HTTP access service detects an inbound Traveler request from a first-time user, it queries the directory for the Traveler assignment. Based on the information that it retrieves from the directory, SafeLinx forwards the incoming connection to either a stand-alone Traveler server or a server within a Traveler high-availability pool.
The HTTP access service queries the directory for first-time users only. For users who have SafeLinx accounts that specify a Traveler server assignment, the existing assignment is reused, and no directory query is sent.
Complete the following steps to enable the HTTP access service to look up users' Traveler server assignments from the LDAP directory:
Procedure
- From SafeLinx Administrator, right-click the HTTP access service that you want to configure and click Properties to open the properties pages for the service.
- Open the IBM Mobility page.
- Select Enable Traveler integration if it is not already enabled.
- In the field Server/Pool assignment attribute to query, type the name of the attribute that your LDAP directory uses to store information that identifies the Traveler server or server pool.
  To retrieve the DNs of the available Traveler pools, type the following command from the SafeLinx Server:
    lswg -s hcl-wlServerPool
  For example, if your organization supports multiple geographic regions, the directory entry for each user might include an OU that serves to designate the region where the user is located, such as OU: ou=WEST,o=renovations,c=com. For each geographic region, there is a separate Traveler server pool that supports the users in that region. Each server pool is assigned a CN that designates its region, such as CN="WEST". To ensure that new users are assigned to the correct server pool, you could specify the OU value in the Server/Pool assignment attribute to query. Then, when SafeLinx queries the directory to determine a user's Traveler server, it looks for a Traveler resource that includes the value of the user's OU attribute.
- Click OK to save your changes.
Results
- Principal user account
- Active application server URL
- Application server pool
The next time that the user connects, SafeLinx re-creates the account, if necessary, and establishes a new pool assignment automatically.
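The following Python check is an added example, not part of the SafeLinx documentation or product code: it audits an exported list of users' assignment attribute values against the known Traveler resources before lookups are enabled, flagging values that match no resource or more than one. The sample data is constructed, and the matching rule (case-insensitive containment in a resource's URL or DN) is an assumption modelled on the description above, not SafeLinx's documented algorithm.

```python
"""Pre-flight audit of Traveler assignment attribute values (added example)."""

# Constructed sample data: Traveler resources known to SafeLinx, as (URL, DN) pairs.
RESOURCES = [
    ("https://traveler01.west.renovations.com", "CN=Traveler1,OU=WEST,O=Renovations,C=com"),
    ("https://traveler02.east.renovations.com", "CN=Traveler2,OU=EAST,O=Renovations,C=com"),
]

# Constructed sample directory export: user -> value of the assignment attribute.
USERS = {
    "alice": "https://traveler01.west.renovations.com",    # full URL
    "bob": "cn=traveler2, ou=east, o=renovations, c=com",  # full DN, other case/spacing
    "carol": "WEST",                                       # fragment of a URL or DN
    "dave": "renovations",                                 # ambiguous: fits both resources
    "erin": "NORTH",                                       # fits no resource
    "frank": "",                                           # attribute missing or empty
}


def normalize(value):
    """Lower-case and strip spaces around commas so DN comparisons are stable."""
    return ",".join(part.strip() for part in value.strip().lower().split(","))


def matches(value, resources=RESOURCES):
    """Return URLs of resources whose URL or DN contains the value (assumed rule)."""
    needle = normalize(value)
    if not needle:
        return []
    return [url for url, dn in resources
            if needle in normalize(url) or needle in normalize(dn)]


def audit(users=USERS, resources=RESOURCES):
    """Classify each user's attribute value as 'ok', 'ambiguous' or 'unresolved'."""
    report = {}
    for user, value in users.items():
        hits = matches(value, resources)
        status = "ok" if len(hits) == 1 else "ambiguous" if hits else "unresolved"
        report[user] = (status, hits)
    return report


if __name__ == "__main__":
    for user, (status, hits) in audit().items():
        print(f"{user:6} {status:10} {', '.join(hits) or '-'}")
```

Users reported as ambiguous or unresolved are the ones whose directory value should be corrected before they make their first Traveler connection, because the directory is queried for first-time users only.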