Friday, January 27, 2012

Weblogic LDAP and Active Directory Provider Failover


One of my customers was trying to implement the LDAP Provider failover capability in WLS 10.3.2 and after a lot of effort he gave up.

I took ownership of the problem and started to investigate what was going on.

According to the official documentation at Configuring Failover for LDAP Authentication Providers, you can configure the provider to enable failover when one of the LDAP servers is not available.

Unfortunately, we discovered that this functionality only worked when the server was starting up, which is when it creates the connections to the LDAP server.

Well, though it is good to have this capability at startup, the real need was to have the server capable of recovering from an LDAP crash or failed connectivity at runtime.

If the main LDAP server crashed during server operation, every LDAP user authentication would fail, since WLS could not fail over to the secondary LDAP at runtime.
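To make the difference concrete, here is an added illustration (my own example code, not WebLogic's implementation or configuration): one provider that picks a working LDAP host only at startup, as the unpatched 10.3.2 provider behaved, and one that moves on to the next host when the current one stops responding at runtime. The `connect` callable and the host names are constructed stand-ins for a real LDAP bind, so the script runs offline.

```python
"""Startup-only versus runtime LDAP failover (illustrative, not WLS code)."""
from __future__ import annotations

from typing import Callable, Sequence


class LdapUnavailable(Exception):
    """Raised by the connector when an LDAP host cannot be reached."""


# Hypothetical connector: binds to a host or raises LdapUnavailable.
# A real provider would also pass the user's credentials here.
Connector = Callable[[str], None]


class StartupOnlyProvider:
    """Mimics the pre-patch behaviour: the host is chosen once, at startup."""

    def __init__(self, hosts: Sequence[str], connect: Connector) -> None:
        self.connect = connect
        self.host: str | None = None
        for host in hosts:  # failover works here, but only at startup
            try:
                connect(host)
                self.host = host
                break
            except LdapUnavailable:
                continue
        if self.host is None:
            raise LdapUnavailable("no LDAP host reachable at startup")

    def authenticate(self, user: str) -> bool:
        # Always uses the startup host; raises once that host goes down.
        self.connect(self.host)
        return True


class RuntimeFailoverProvider:
    """Retries the remaining hosts when the current one fails at runtime."""

    def __init__(self, hosts: Sequence[str], connect: Connector) -> None:
        self.hosts = list(hosts)
        self.connect = connect
        self.current = 0  # index of the host we believe is healthy

    def authenticate(self, user: str) -> bool:
        for _ in range(len(self.hosts)):
            host = self.hosts[self.current]
            try:
                self.connect(host)
                return True
            except LdapUnavailable:
                # Rotate to the next host and remember it for later calls.
                self.current = (self.current + 1) % len(self.hosts)
        raise LdapUnavailable("all LDAP hosts unreachable")


def simulate(provider_cls) -> tuple[bool, bool]:
    """Authenticate, take the primary down, authenticate again.

    Returns (result before outage, result after outage); a raised
    LdapUnavailable after the outage is reported as False.
    """
    down: set[str] = set()
    hosts = ["ldap-primary.example", "ldap-secondary.example"]  # constructed

    def connect(host: str) -> None:
        if host in down:
            raise LdapUnavailable(host)

    provider = provider_cls(hosts, connect)
    ok_before = provider.authenticate("alice")
    down.add("ldap-primary.example")  # primary crashes at runtime
    try:
        ok_after = provider.authenticate("alice")
    except LdapUnavailable:
        ok_after = False
    return ok_before, ok_after


if __name__ == "__main__":
    print("startup-only:", simulate(StartupOnlyProvider))        # (True, False)
    print("runtime failover:", simulate(RuntimeFailoverProvider))  # (True, True)
```

The startup-only provider passes the first authentication and then fails every one after the primary goes down, which is exactly the symptom described above; the runtime variant rotates to the secondary and keeps serving logins.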

The documentation didn't mention if the failover was supposed to happen only at startup or runtime.

Since our understanding was that it should fail over in both situations, we went ahead and created an SR with a simple test case, asking for a fix for this problem.

The SR and the bug development went through very fast and a patch was provided a few days later.

Now, my customer has implemented this solution and their environments are more stable, thanks to the WLS ability to recover from a bad LDAP server.

If you have a valid Oracle Support License and want to implement this too, log an SR asking for a patch for bug 13064396 - WEBLOGIC 10.3.2 - LDAP AUTHENTICATOR PROVIDER UNABLE TO FAILOVER.

I believe this fix didn't make it into the latest WLS release, 12c, but the backport shouldn't be a problem.

Good Luck!
