LSF9 - LDAP Bind to AD - Issue with always using Secondary Domain Controller

DavidFrSC
New Member
Posts: 2

We migrated to LSF9 (AIX platform) last year, using WAS 6.1, TDS,

and also did an LDAP Bind to AD for authentication (works great, BUT ...)

We have 2 Domain Controllers: i.e. DC1, DC2. For some reason when we did the Bind (using DNS), authentication only works if DC2 is available. Switching the roles did not help.

Performed network packet traces, and noticed there is some conversation to DC2 (BIND, SEARCH CN=Configuration ...). The rest of the authentication process looks normal: going to the correct DC for the actual authentication process.

We need to get this correct for the following reasons:

1) Fault tolerance: if DC2 should fail, DC1 should be able to take over 100%.

2) Server upgrades for DC1 and DC2 (we are in the process of upgrading both servers to Windows 2003 AD from 2000 AD).

Any ideas? Thanks in advance,

David

John Henley
Posts: 3353

Which one did you actually bind to: DC1 or DC2?
You can only bind to one or the other... there is currently no way to bind to both for failover, etc.
Thanks for using the LawsonGuru.com forums!
John
DavidFrSC
New Member
Posts: 2

Thanks for the quick reply.

We actually did an LDAP Bind to a DNS name "domaincontroller" (originally the same IP as DC1).

Changing the IP of "domaincontroller" to DC2 still worked; then we took DC2 offline to see if DC1 would automatically take over (nope), then changed the IP of "domaincontroller" back to DC1 (still did not work). Once DC2 was brought back online: worked.

We did traces at the time (from the core, and from the AIX server), and saw that DC2 was always involved in the authentication process.

From current traces, DC2 is currently being used only for the SEARCH CN=Configuration ..., while DC1 is being SEARCHed for the actual user name.

Are there any tools which can print out current LDAPBIND settings besides lsconfig and ssoconfig -c?

Thanks

Jimmy Chiu
Veteran Member
Posts: 641

Lawson LDAPBIND works with 1 physical DC only, the DC that you specified during installation of ldapbind. The DC that Lawson is set up to use is under tag in your ssoconfig. Do an export all services and look for that tag.

In the event that ldap://your-fried-dc goes kaboom, you will need to manually modify the value to a different DC so Lawson will authenticate users again. You can rerun LDAPBIND under GENDIR/bin to re-specify the DC under "Enter the LDAP provider URL to access".
Bart Conger
Advanced Member
Posts: 18

You can bind to multiple DCs by using a load balancer to control the traffic between them. Create an alias, bind to it as you have done. Point the DNS to the load balancer and test your fail-over. I have worked with networking teams and tested failure of multiple DCs with an LDAPBIND in place, pointing to a load balancer controlling the traffic of the bind.

Bart
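A per-DC check for the fail-over scenario discussed in this thread, added here as an example (it is not code from the thread or from Lawson): it binds to each domain controller on its own and looks the user up by sAMAccountName, so a DC that cannot complete the logon alone is found before the other DC fails. It assumes the third-party ldap3 package; the host names, bind DN, base DN and account name are placeholders.

```python
"""Added example: probe each domain controller in isolation to confirm it
can serve an LDAP logon (simple bind, then a user search by sAMAccountName).
Assumes the third-party ldap3 package; all names below are placeholders."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class ProbeResult:
    dc: str
    bind_ok: bool
    user_found: Optional[bool]   # None when the bind itself failed
    error: str = ""


def probe_dc(dc: str, bind_dn: str, password: str, base_dn: str,
             sam: str, port: int = 636, use_ssl: bool = True,
             timeout: int = 5) -> ProbeResult:
    """Bind to ONE DC over LDAPS and look the user up by sAMAccountName there."""
    import ldap3                                   # assumed installed
    from ldap3.core.exceptions import LDAPException
    from ldap3.utils.conv import escape_filter_chars
    try:
        server = ldap3.Server(dc, port=port, use_ssl=use_ssl,
                              connect_timeout=timeout)
        conn = ldap3.Connection(server, user=bind_dn, password=password,
                                auto_bind=True)
    except LDAPException as exc:
        return ProbeResult(dc, False, None, str(exc))
    try:
        # escape the account name so odd input cannot alter the filter
        flt = f"(sAMAccountName={escape_filter_chars(sam)})"
        found = conn.search(base_dn, flt, attributes=["distinguishedName"])
        return ProbeResult(dc, True, bool(found and conn.entries))
    finally:
        conn.unbind()


def probe_all(dcs: List[str], probe: Callable[[str], ProbeResult]) -> List[ProbeResult]:
    """Run the probe against every DC; each one is tested by itself."""
    return [probe(dc) for dc in dcs]


def cannot_stand_alone(results: List[ProbeResult]) -> List[str]:
    """DCs that did NOT complete bind + user search on their own: each is a
    fail-over gap of the kind described in the thread."""
    return [r.dc for r in results if not (r.bind_ok and r.user_found)]


if __name__ == "__main__":   # placeholder hosts, DNs and account
    res = probe_all(["dc1.example.corp", "dc2.example.corp"],
                    lambda dc: probe_dc(dc, "CN=lawsonbind,OU=Service,DC=example,DC=corp",
                                        "secret", "DC=example,DC=corp", "jdoe"))
    print("fail-over gaps:", cannot_stand_alone(res))
```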
Jimmy Chiu
Veteran Member
Posts: 641

Bart,

Thx for the tips. I am gonna try that.
jcorbin
Basic Member
Posts: 5

Hey David:

I am trying to make this happen via Microsoft AD, are you using the CN or the sAMAccountName?

I was told that this will only work via the CN name.

John Henley
Posts: 3353

For AD, you use sAMAccountName
Thanks for using the LawsonGuru.com forums!
John
jcorbin
Basic Member
Posts: 5

A Lawson Eng. told me that I need to use the CN along with the sAMAccountName. In my case I only want to use the sAMAccountName because it's consistent within my AD tree.

Example:

Some of my users have a CN=jdoe

and others have a CN=john Doe

As per Lawson both of these (CN and sAMAccountName) should be the same for Portal using AD to work.

Is there a way to only use the sAMAccountName?

John Henley
Posts: 3353

Perhaps I'm misunderstanding what you're talking about. If you are referring to the attribute in AD which is searched against for each user, I have always used sAMAccountName in AD. That's the only consistent element. (In other words, I understand what you're talking about: inconsistent "cn"s.) In fact, I'm not even aware of how you can use "CN along with the sAMAccountName"...
Thanks for using the LawsonGuru.com forums!
John
Jimmy Chiu
Veteran Member
Posts: 641

Microsoft AD default settings are always

sAMAccountName as naming attribute
user as structural attribute