WebLogic Server: Reasons for LDAP Corruption and Ways to Avoid It
Applies To:
Oracle WebLogic Server - Version 9.2 and later
Information in this document applies to any platform.
***Checked for relevance on 21-Oct-2015***
Goal:
Why do LDAP files get corrupted?
What could be done to avoid LDAP file corruption?
Is there a way to send an alert or a notification when LDAP corruption occurs?
Solution:
-LDAP corruption usually occurs when the server instance is killed or shut down improperly. The admin server replicates LDAP data every 30 seconds. If the replication to the managed severs is unsuccessful for any reason, the admin server will keep logging messages every 30 seconds. Embedded LDAP is a file-based LDAP server, and therefore chances of corruption of files are higher when the server is killed or not shut down in a proper manner.
-To avoid LDAP corruption, do not update the configuration of a security provider while a backup of LDAP data is in progress. If a change is made while you are backing up the LDAP directory tree, the backups in the ldapfiles subdirectory could become inconsistent, leading to LDAP corruption.
-LDAP corruption is an unexpected behavior, so there is no way to get an alert when it occurs. The ldap/backup directory is automatically created and is guaranteed to be consistent.
We recommend backing up the LDAP files regularly so that it is possible to recover from a corrupt LDAP situation by reverting back to a working copy of the LDAP files which is clean. To configure backups of the embedded LDAP server, please follow these steps:
Login to WebLogic console and click on Domain in left panel.
Expand Security > Embedded LDAP.
Set the Backup Hour, Backup Minute, and Backup Copies attributes on the Embedded LDAP Server page.
Click Save to save your changes.
Restart whole WLS domain after making this change.
Backing Up the WebLogic LDAP Repository
The default Authentication, Authorization, Role Mapper, and Credential Mapper providers that are installed with Oracle Communications Converged Application Server store their data in an LDAP server. Each Oracle Communications Converged Application Server contains an embedded LDAP server. The Administration Server contains the master LDAP server, which is replicated on all managed servers. If any of your security realms use these installed providers, you should maintain an up-to-date backup of the <domain_name>/<adminServer>/ldap directory tree (where domain_name is the domain’s root directory and adminServer is the directory in which the Administration Server stores runtime and security data).
Each Oracle Communications Converged Application Server has an LDAP directory, but you only need to back up the LDAP data on the Administration Server -- the master LDAP server replicates the LDAP data from each managed server when updates to security data are made. WebLogic security providers cannot modify security data while the domain’s Administration Server is unavailable. The LDAP repositories on Managed Servers are replicas and cannot be modified.
The ldap/ldapfilessubdirectory contains the data files for the LDAP server. The files in this directory contain user, group, group membership, policies, and role information. Other subdirectories under the ldap directory contain LDAP server message logs and data about replicated LDAP servers.
Do not update the configuration of a security provider while a backup of LDAP data is in progress. If a change is made -- for instance, if an administrator adds a user -- while you are backing up the ldap directory tree, the backups in the ldapfiles subdirectory could become inconsistent. If this does occur, consistent, but potentially out-of-date, LDAP backups are available.
Once a day, a server suspends write operations and creates its own backup of the LDAP data. It archives this backup in a ZIP file below the ldap/backup directory and then resumes write operations. This backup is guaranteed to be consistent, but it might not contain the latest security data.
Reference metalink Doc ID 1192253.1
