LDAP Bind to new domain controller

Wade-T

We have a couple of domain controllers and Lawson is bound to one of them. This controller keeps failing and crashing and needs to be replaced. I asked Lawson where the documentation was for changing my LDAP bind and they stated I needed to contact Professional services.

How difficult is it to do? Do I really need to spend $2**/hr with them? Would I be better off with someone like Ciber or Absolute (not a partner, but half the price and no issues when we used them in the past. Go Todd!)

Two crashes in the last 3 days. I need to get the ball rolling one way or another.

Can I run a test on my test servers to bind to one of the other domain controllers, and then do production, or do they both need to hit the same DC?

John Henley
It isn't that hard, assuming all you are really doing is simply changing the name/address of the server to which you are authenticating. From command line, execute 'ldapbind' command, and follow the prompts, changing/replacing the servername when prompted 'Enter the LDAP provider URL to access'. Reboot the server or Stop/Start lawson & related services.

Thanks for using the LawsonGuru.com forums!
John
Wade-T
I will give it a shot on my test environment tomorrow and let you know the outcome.

Thanks.
Bart Conger
If you continue to have issues with Domain Controllers, you could look to place/use a Load Balancer between the Lawson LDAP and your DCs. The Load Balancer could be configured to validate connectivity to the Domain Controller before communicating with it. I have worked with Networking teams to test and implement this solution successfully in the past. Good luck on your LDAP Bind!

Bart
Wade-T
Hmmm. I ran the ldapbind, and rebooted the server. I can get into LID and run reports, but I am not able to log into the portal or the Lawson Security Administrator.

Do I need to do anything within WebSphere itself?
John Henley
Did you reboot the server?
Wade-T
Twice. We are going to run the ldapbind again and point back at the old DC and see if that works.
Wade-T
I ran it again on the new DC and realized I was using the wrong account password. I can now get into the portal and Security administrator.

What would be some good testing to do to make sure everything is working correctly, add a new user?
John Henley
Look at $LAWDIR/system/security.log perhaps to get the error message related to ldapbind not working. It might be that the username/password you were using previously doesn't have access to the new domain controller. It's always a good practice to test it from an ldap browser first before changing via ldapbind...
Wade-T
I am not finding security.log. Could it be security.cfg?

Also, would I update the install.cfg file with the name of the new DC on the "LDAP_PROVIDER_URL=" line?
John Henley
ldapbind failures are logged to security.log; not sure what version this was added, but I know it's there in 9.0.1.

Yes, you should update install.cfg for completeness.
Wade-T
A couple weeks ago we ran ldapbind against a different domain controller and things looked fine. The network guy left the controller on until this morning. A couple of us attempted to log in this morning and were successful, but it took about 30 seconds to actually log in. We turned back on the old domain controller and were able to log in in under a second.

Is there any other place I need to remove references to the old controller?
Deleted User
We are having the same issue. What was the resolution?
Jimmy Chiu
It's probably because you are binding to a DC that's not a global catalog server. Redo LDAPBIND to a different DC that's GC via port 3268.
Deleted User
Thank you. That worked great!
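
Added example, not part of any post in this thread and not Lawson's own tooling: a shell pre-flight for the advice above to test the bind before changing ldapbind and to check for the global catalog port. It assumes install.cfg holds a line of the form `LDAP_PROVIDER_URL=ldap://host:port`, that OpenLDAP's `ldapsearch` client is installed, and uses constructed host names and bind DN.

```shell
#!/bin/sh
# Added example: checks to run before re-running ldapbind against a new DC.
# Assumed: install.cfg has "LDAP_PROVIDER_URL=ldap://host:port"; names are constructed.

# Print "host port" parsed from the LDAP_PROVIDER_URL line of an install.cfg.
provider_endpoint() {
    url=$(sed -n 's/^LDAP_PROVIDER_URL=//p' "$1" | head -n 1 | tr -d '\r')
    [ -n "$url" ] || return 1
    scheme=${url%%://*}
    rest=${url#*://}
    rest=${rest%%/*}                      # drop any trailing base DN path
    host=${rest%%:*}
    case $rest in
        *:*) port=${rest##*:} ;;
        *)   if [ "$scheme" = ldaps ]; then port=636; else port=389; fi ;;
    esac
    printf '%s %s\n' "$host" "$port"
}

# 3268/3269 are the AD global catalog ports; 389/636 serve one domain's directory.
port_role() {
    case $1 in
        3268|3269) echo global-catalog ;;
        389|636)   echo domain-ldap ;;
        *)         echo unknown ;;
    esac
}

# Test bind as the service account: base-scope read of the rootDSE.
# -W prompts for the password, keeping it out of shell history and ps output.
# ldapsearch exits with the LDAP result code; 49 means invalid credentials.
test_bind() {   # usage: test_bind ldap://dc02.example.test:3268 "CN=svc,DC=example,DC=test"
    start=$(date +%s)
    ldapsearch -x -H "$1" -D "$2" -W -s base -b "" \
        -o nettimeout=10 defaultNamingContext >/dev/null
    rc=$?
    echo "bind to $1 rc=$rc elapsed=$(( $(date +%s) - start ))s"
    return $rc
}
```

Source the file, run `provider_endpoint` on install.cfg to see which host and port are currently recorded, then run `test_bind` against the candidate DC on both 389 and 3268 and compare the elapsed times before changing anything with ldapbind.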