Enabling LDAP lookups to determine a user's Traveler server

HCL SafeLinx manages incoming connection requests from Traveler clients, directing the request to an available Traveler server. With SafeLinx, you can configure the HTTP access service to connect users to a Traveler server specified by an attribute in the user's LDAP record.

The attribute that you specify must exist in the LDAP user record and its value must map to a valid Traveler server or high-availability server pool. SafeLinx does not populate the attribute-value pair to the directory.

IBM® Traveler clients use the SafeLinx Clientless HTTP access service to establish a secure connection to a Traveler server. The first time that a user attempts to access Traveler, the incoming connection request is processed by the SafeLinx Server. The SafeLinx Server routes the request to an available Traveler server or high-availability server pool. After it establishes the connection, the SafeLinx Server saves the information about the Traveler server assignment in the user's SafeLinx account. The saved information ensures that future connection attempts from the same user are directed to the same server, unless you modify the assignment in the SafeLinx Administrator.

In networks that host multiple Traveler server pools, each pool has access to a subset of the deployed Traveler servers. Individual pools might not have access to a specific Traveler server. To guide the SafeLinx Server in making Traveler server assignments, enable the HTTP access service to look up a designated attribute from users' LDAP records. The attribute value can identify a Traveler server or server pool in several ways. It might identify a resource by its URL, for example, https://traveler01.west.renovations.com; it might contain the distinguished name (DN) of the resource, for example, CN=Traveler1,OU=WEST,O=Renovations,C=com; or it might reference some part of a URL or DN, for example, WEST.

To enable SafeLinx to query the LDAP server to determine a user's Traveler server, assign a value for the Server/Pool assignment attribute to query. After lookups are enabled, any time that the HTTP access service detects an inbound Traveler request from a first-time user, it queries the directory for the Traveler assignment. Based on the information that it retrieves from the directory, SafeLinx forwards the incoming connection to either a stand-alone Traveler server or a server within a Traveler high-availability pool.

The HTTP access service queries the directory for first-time users only. For users who have SafeLinx accounts that specify a Traveler server assignment, the existing assignment is reused, and no directory query is sent.

Complete the following steps to enable the HTTP access service to look up users' Traveler server assignments from the LDAP directory:
  1. From SafeLinx Administrator, right-click the HTTP access service that you want to configure and click Properties to open the properties pages for the service.
  2. Open the IBM Mobility page.
  3. Select Enable Traveler integration if it is not already enabled.
  4. In the field Server/Pool assignment attribute to query, type the name of the attribute that your LDAP directory uses to store information that identifies the Traveler server or server pool.

    To retrieve the DNs of the available Traveler pools, type the following command from the SafeLinx Server:

    lswg -s hcl-wlServerPool

    For example, if your organization supports multiple geographic regions, the directory entry for each user might include an OU that serves to designate the region where the user is located, such as OU: ou=WEST,o=renovations,c=com. For each geographic region, there is a separate Traveler server pool that supports the users in that region. Each server pool is assigned a CN that designates its region, such as CN="WEST".

    To ensure that new users are assigned to the correct server pool, you could specify the OU value in the Server/Pool assignment attribute to query. Then, when SafeLinx queries the directory to determine a user's Traveler server, it looks for a Traveler resource that includes the value of the user's OU attribute.

  5. Click OK to save your changes.
The HTTP access service is now configured to look up the specified attribute from the LDAP directory when it makes future Traveler server assignments.
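
Because the attribute value must map to exactly one valid pool for every user, it is worth checking that before enabling the lookup. The following Python script is an added example, not part of this page or of SafeLinx itself; it assumes constructed pool DNs (of the kind you would gather from lswg -s hcl-wlServerPool) and constructed user records, and it matches a value against the RDN values of each pool DN, which approximates the behaviour described above rather than reproducing SafeLinx's own matching rule.

```python
# Constructed sample pool DNs, in the form an administrator would collect from
# "lswg -s hcl-wlServerPool"; these are assumptions, not real SafeLinx output.
POOL_DNS = [
    "cn=WEST,ou=TravelerPools,o=renovations,c=com",
    "cn=EAST,ou=TravelerPools,o=renovations,c=com",
    "cn=EAST-DR,ou=TravelerPools,o=renovations,c=com",
]

# Constructed sample LDAP user records (DN -> attributes), also assumptions.
USERS = {
    "cn=Alice,ou=WEST,o=renovations,c=com": {"ou": ["WEST"]},
    "cn=Bob,ou=EAST,o=renovations,c=com": {"ou": ["EAST"]},
    "cn=Carol,ou=NORTH,o=renovations,c=com": {"ou": ["NORTH"]},  # no pool for NORTH
    "cn=Dave,o=renovations,c=com": {},                           # attribute absent
    "cn=Erin,ou=EAST,o=renovations,c=com": {"ou": ["EAST", "WEST"]},  # multi-valued
}

def rdn_values(dn):
    """Return the lower-cased value of each RDN in a DN (no escaped-comma handling)."""
    return [part.split("=", 1)[1].strip().lower() for part in dn.split(",") if "=" in part]

def matching_pools(value, pool_dns):
    """Pools whose DN carries an RDN value equal to the attribute value (case-insensitive)."""
    return [dn for dn in pool_dns if value.lower() in rdn_values(dn)]

def audit_assignments(users, attribute, pool_dns):
    """Classify each user as ok / missing / unresolved / ambiguous for the lookup attribute."""
    report = {}
    for user_dn, attrs in users.items():
        values = attrs.get(attribute, [])
        if not values:
            report[user_dn] = ("missing", None)        # SafeLinx cannot look up an absent attribute
            continue
        pools = {dn for v in values for dn in matching_pools(v, pool_dns)}
        if len(pools) == 1:
            report[user_dn] = ("ok", pools.pop())
        elif not pools:
            report[user_dn] = ("unresolved", values)   # value maps to no pool
        else:
            report[user_dn] = ("ambiguous", sorted(pools))  # value maps to several pools
    return report

if __name__ == "__main__":
    for user, (state, detail) in audit_assignments(USERS, "ou", POOL_DNS).items():
        print(f"{state:10} {user}  {detail if detail else ''}")
```

Users reported as missing, unresolved or ambiguous are the ones whose first connection would not receive a reliable pool assignment, so fix their directory entries (or the pool naming) before enabling the lookup.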

Note: An administrator can delete a user's SafeLinx account or clear the following attributes to simulate a new user account and enable reassignment to a new pool:
  • Principal user account
  • Active application server URL
  • Application server pool

The next time that the user connects, SafeLinx re-creates the account, if necessary, and establishes a new pool assignment automatically.