
KB009: Configure Alternate LDAP Server

Article ID: KB009

Last Updated: June 21, 2025

Applies To: HySecure Gateway 7.1 and above

Category: Security & Authentication Enhancements

Overview

This guide explains how to configure an alternate LDAP server specifically for password change requests. This feature allows password change operations to be directed to a different LDAP server than the one used for authentication, reducing load on the primary authentication server and improving system performance.

Prerequisites

  • HySecure Gateway 7.1 or higher
  • Security Officer or Administrator access to the HySecure management console
  • Primary LDAP/Active Directory server configured for authentication
  • Secondary LDAP server available for password operations
  • Network connectivity to both LDAP servers

Benefits

  • Load Distribution: Reduce load on the primary authentication server.
  • Improved Performance: Better system efficiency through workload separation.
  • Enhanced Availability: Separate password operations from authentication.
  • Flexible Architecture: Support different LDAP servers for different operations.

Important Limitations

Scope of Alternate LDAP:

  • Only applicable for password changes after user login.
  • Self-Service Portal requests still use the primary authentication server.
  • Does not support self-service functions (account unlock, forgot password).

Use Cases:

  • Post-login password changes via the HySecure client.
  • Post-login password changes via the HyLite portal.

Procedure

Step 1: Configure Alternate LDAP Server

  1. Access Management Console

    • Log in to the HySecure management console as a Security Officer or Administrator.

  2. Navigate to Authentication Servers

    • Go to Settings > Authentication > Authentication Servers.
  3. Add Alternate LDAP Server

    • Click Add to create a new authentication server.

    • Configure alternate LDAP server details:

      • Server name and description

      • LDAP server address and port

      • Bind credentials for password operations

      • SSL/TLS settings if required

    • Test the connection to verify the configuration.

    • Save the server configuration.

Step 2: Configure Authentication Domain

  1. Navigate to Authentication Domains

    • Go to Settings > Authentication > Authentication Domains.

  2. Edit Existing Domain

    • Select the authentication domain with the primary authentication server.

    • Click Edit.

  3. Enable Alternate LDAP

    • Find the section Alternate LDAP.

    • Enable the Alternate LDAP option.

    • Select the alternate server from the dropdown menu (configured in Step 1).

    • Click Submit to save changes.

Monitoring and Logs

Authentication Logs:

  • Monitor authentication events in user logs.

  • Verify that the primary server handles login requests.

  • Confirm that the alternate server handles password changes.

Performance Monitoring:

  • Monitor load on the primary authentication server.

  • Check performance improvements after the configuration.

  • Track password change operation success rates.

Architecture Considerations

Server Roles

Primary Authentication Server:

  • Handles user login authentication.

  • Processes MFA requests.

  • Manages user authorization decisions.

  • Supports self-service portal operations.

Alternate LDAP Server:

  • Processes password change requests only.

  • Reduces load on the primary server.

Network Requirements

Connectivity:

  • The HySecure gateway must reach both servers.

  • Account for network latency to the alternate server; it directly affects how long a password change takes for the user.

  • Open firewall rules from the gateway to both LDAP servers.

  • Plan redundancy for both servers, since an unreachable alternate server blocks post-login password changes.

Data Synchronization

Password Consistency:

  • Ensure password changes sync between servers.

  • Configure appropriate replication intervals.

  • Monitor synchronization status.

  • Plan for synchronization failures.

Troubleshooting

Common Issues:

Password Changes Failing:

  • Check: Alternate LDAP server connectivity.

  • Verify: Service account permissions on alternate server.

  • Test: LDAP bind operations manually.

  • Review: Password policy compliance.

Authentication Issues After Password Change:

  • Cause: Password synchronization delay.

  • Solution: Wait for replication to complete.

  • Check: Replication status between servers.

  • Verify: Password change completed successfully.

Performance Not Improved:

  • Check: Network latency to the alternate server.

  • Monitor: Primary server resource utilization.

Configuration Not Taking Effect:

  • Verify: Alternate LDAP is enabled in the domain configuration.

  • Check: The correct alternate server is selected.

  • Test: Configuration with a specific user account.

Diagnostic Steps

Connectivity Testing:

# Test primary LDAP connectivity: bind with the service account and read the
# root DSE (-b "" -s base). -W prompts for the bind password instead of
# exposing it in the process list and shell history.
ldapsearch -H ldap://primary-server:389 -x -D "cn=service,dc=domain,dc=com" -W -b "" -s base

# Test alternate LDAP connectivity (use ldaps://<server>:636 when the servers
# require TLS, as recommended under Security Considerations)
ldapsearch -H ldap://alternate-server:389 -x -D "cn=service,dc=domain,dc=com" -W -b "" -s base
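The following script is an added example, not part of this KB or of HySecure, that extends the connectivity test above into the replication check called for under Data Synchronization and "Authentication Issues After Password Change": it reads a user's last-password-change timestamp from both servers and reports whether the change made on the alternate server has reached the primary one. It assumes OpenLDAP with the ppolicy overlay (attribute pwdChangedTime; on Active Directory use pwdLastSet instead), placeholder server URIs, bind DN and password file, and a user DN passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the HySecure KB): check whether a user's last
# password change, made on the alternate LDAP server, has replicated to the
# primary server that handles logins. A mismatch explains "login fails right
# after a password change".
#
# Assumptions (placeholders, adjust for your environment):
#   - both servers are OpenLDAP with the ppolicy overlay, so the timestamp
#     attribute is pwdChangedTime (Active Directory: pwdLastSet, a FILETIME);
#   - the bind password is read from a file (-y) so it never appears in the
#     process list or shell history.

PRIMARY_URI="ldaps://primary-server:636"
ALTERNATE_URI="ldaps://alternate-server:636"
BIND_DN="cn=service,dc=domain,dc=com"
PASS_FILE="/etc/hysecure/ldap-service.pw"   # placeholder path
ATTR="pwdChangedTime"

# ldif_attr NAME: print the value of the first "NAME: value" line in the LDIF
# read on stdin (ldapsearch -LLL output). Prints nothing if the attribute is
# absent, which compare_sync treats as an error rather than as "in sync".
ldif_attr() {
    sed -n "s/^$1: //p" | head -n 1
}

# fetch_attr URI USER_DN: read ATTR of USER_DN from the server at URI.
fetch_attr() {
    ldapsearch -LLL -x -H "$1" -D "$BIND_DN" -y "$PASS_FILE" \
        -b "$2" -s base "$ATTR" | ldif_attr "$ATTR"
}

# compare_sync PRIMARY_VALUE ALTERNATE_VALUE: return 0 when both servers report
# the same timestamp, 1 when they differ (replication lag or failure),
# 2 when either value is missing (wrong DN, permissions, or connectivity).
compare_sync() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "missing $ATTR: primary='$1' alternate='$2'"
        return 2
    fi
    if [ "$1" = "$2" ]; then
        echo "in sync: $ATTR=$1 on both servers"
        return 0
    fi
    echo "NOT in sync: primary=$1 alternate=$2 (replication lag?)"
    return 1
}

# Usage: ./ldap-sync-check.sh "uid=jdoe,ou=people,dc=domain,dc=com"
if [ $# -ge 1 ]; then
    compare_sync "$(fetch_attr "$PRIMARY_URI" "$1")" \
                 "$(fetch_attr "$ALTERNATE_URI" "$1")"
fi
```

Run it immediately after a test user changes their password through the HySecure client and again after the configured replication interval; a persistent mismatch points at replication, not at the gateway.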

Log Analysis:

  • Check HySecure authentication logs.

  • Review LDAP server logs for both servers.

  • Monitor network connectivity logs.

  • Analyze user session logs for password changes.

Security Considerations

Access Control

Service Accounts:

  • Use dedicated service accounts for alternate LDAP.

  • Grant the minimum required permissions.

  • Rotate service account passwords regularly.

  • Monitor service account usage.

Network Security:

  • Encrypt connections to both LDAP servers.

  • Assess the security of both LDAP servers regularly.

Audit and Compliance

Logging Requirements:

  • Log all password change operations.

  • Track which server handled each operation.

  • Maintain an audit trail for compliance.

  • Review and analyze the logs regularly.