We migrated to LSF9 (AIX platform) last year, using WAS 6.1, TDS,
and also did an LDAP bind to AD for authentication (works great, BUT ...)
We have 2 Domain Controllers: i.e. DC1, DC2. For some reason when we did the bind (using DNS), authentication only works if DC2 is available. Switching the roles did not help.
Performed network packet traces, and noticed there is some conversation to DC2 (BIND, SEARCH CN=Configuration ...). The rest of the authentication process looks normal: going to the correct DC for the actual authentication process.
We need to get this correct for the following reasons:
1) Fault tolerance: if DC2 should fail, DC1 should be able to take over 100%
2) Server upgrades for DC1 and DC2 (we are in the process of upgrading both servers to Windows 2003 AD from 2000 AD)
Any ideas? Thanks in advance,
David
Thanks for the quick reply.
We actually did an LDAP bind to a DNS name "domaincontroller" (originally the same IP as DC1).
Changing the IP of "domaincontroller" to DC2 (still worked), then we took DC2 offline to see if DC1 would automatically take over (nope), then changed the IP of "domaincontroller" back to DC1 (still did not work). Once DC2 was brought back online: worked.
We did traces at the time (from the core, and from the AIX server), and saw that DC2 was always involved in the authentication process.
From current traces, DC2 is currently being used only for the SEARCH CN=Configuration ..., while DC1 is being SEARCHed for the actual user name.
Are there any tools which can print out the current LDAP bind settings besides lsconfig and ssoconfig -c?
Thanks
Hey David:
I am trying to make this happen via Microsoft AD. Are you using the CN or the sAMAccountName?
I was told that this will only work via the CN name.
A Lawson engineer told me that I need to use the CN along with the sAMAccountName. In my case I only want to use the sAMAccountName because it's consistent within my AD tree.
Example:
Some of my users have CN=jdoe
and others have CN=John Doe.
As per Lawson, both of these (CN and sAMAccountName) should be the same for Portal using AD to work.
Is there a way to only use the sAMAccountName?
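The following is an added example and is not Lawson's code or anything posted in this thread. It is a Windows-side diagnostic for the two problems raised above: David's fault-tolerance test (does each DC, on its own, serve the whole bind / CN=Configuration search / user search / user bind path seen in the trace?) and the second poster's question about looking users up by sAMAccountName rather than CN. It pins every step to one DC at a time by disabling referral chasing, so a DC that silently depends on another one shows up as a failed row. It assumes a domain-joined Windows host with .NET's System.DirectoryServices.Protocols; the domain name, service account, test user and LDAPS setting are placeholders to replace with your own.

```powershell
# Added example (not Lawson's own code): check that EVERY domain controller can,
# by itself, serve the whole authentication path described in the thread:
#   1. bind with a service account,
#   2. read the configuration naming context (the "SEARCH CN=Configuration" in the trace),
#   3. find the user by sAMAccountName in the domain naming context,
#   4. simple-bind as that user with the DN the search returned.
# Referral chasing is disabled so a DC cannot quietly hand the work to another DC.
# Domain, account and user names below are placeholders (assumptions), not from the post.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$domainDns = 'corp.example.com'                                # assumption: AD domain FQDN
$svcUser   = 'CORP\svc_lawson'                                 # assumption: bind account from the LDAP bind config
$svcPass   = Read-Host -AsSecureString 'Service account password'
$testUser  = 'jdoe'                                            # sAMAccountName to test, not the CN
$testPass  = Read-Host -AsSecureString "Password for $testUser"
$useLdaps  = $true                                             # simple bind on 389 sends the password in clear; prefer 636
$port      = if ($useLdaps) { 636 } else { 389 }

# Ask the domain itself for the full DC list instead of trusting one DNS alias record.
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $domainDns)
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).DomainControllers |
       ForEach-Object { $_.Name }

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a user name cannot alter the search filter.
    $out = ''
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\'  { $out += '\5c' }
            '*'  { $out += '\2a' }
            '('  { $out += '\28' }
            ')'  { $out += '\29' }
            "`0" { $out += '\00' }
            default { $out += $c }
        }
    }
    return $out
}

function New-LdapConnection([string]$Dc, [System.Net.NetworkCredential]$Cred, [string]$AuthType) {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
                $id, $Cred, [System.DirectoryServices.Protocols.AuthType]$AuthType)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $useLdaps
    $conn.SessionOptions.ReferralChasing   = 'None'   # stay on this DC; a referral would hide a dependency on another one
    return $conn
}

function Test-DcAuthPath([string]$Dc) {
    $r = [ordered]@{ DC = $Dc; ServiceBind = $false; ConfigRead = $false; UserDn = $null; UserBind = $false; Error = $null }
    $conn = $null; $uconn = $null
    try {
        $conn = New-LdapConnection $Dc (New-Object System.Net.NetworkCredential($svcUser, $svcPass)) 'Negotiate'
        $conn.Bind()
        $r.ServiceBind = $true

        # rootDSE tells us the naming contexts, so nothing is hard-coded.
        $root = New-Object System.DirectoryServices.Protocols.SearchRequest
        $root.DistinguishedName = ''; $root.Filter = '(objectClass=*)'; $root.Scope = 'Base'
        [void]$root.Attributes.Add('defaultNamingContext'); [void]$root.Attributes.Add('configurationNamingContext')
        $rootDse  = $conn.SendRequest($root).Entries[0]
        $domainNc = [string]$rootDse.Attributes['defaultNamingContext'][0]
        $configNc = [string]$rootDse.Attributes['configurationNamingContext'][0]

        # Step 2: the configuration-partition read that showed up in the packet trace.
        $cfg = New-Object System.DirectoryServices.Protocols.SearchRequest
        $cfg.DistinguishedName = $configNc; $cfg.Filter = '(objectClass=*)'; $cfg.Scope = 'Base'
        [void]$conn.SendRequest($cfg)
        $r.ConfigRead = $true

        # Step 3: look the user up by sAMAccountName (unique per domain), not by CN (free-form).
        $usr = New-Object System.DirectoryServices.Protocols.SearchRequest
        $usr.DistinguishedName = $domainNc
        $usr.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $testUser)))"
        $usr.Scope  = 'Subtree'
        [void]$usr.Attributes.Add('distinguishedName')
        $hits = $conn.SendRequest($usr).Entries
        if ($hits.Count -ne 1) { throw "expected 1 match for sAMAccountName=$testUser, got $($hits.Count)" }
        $r.UserDn = $hits[0].DistinguishedName

        # Step 4: simple bind as the user with the DN just found, still against this DC only.
        $uconn = New-LdapConnection $Dc (New-Object System.Net.NetworkCredential($r.UserDn, $testPass)) 'Basic'
        $uconn.Bind()
        $r.UserBind = $true
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        if ($conn)  { $conn.Dispose() }
        if ($uconn) { $uconn.Dispose() }
    }
    return [pscustomobject]$r
}

# One row per DC. Any DC that fails a step cannot be the sole target of the "domaincontroller" record.
$dcs | ForEach-Object { Test-DcAuthPath $_ } | Format-Table -AutoSize
```

Run it once with both DCs up, then again with DC2 offline, as in the test described above. The step at which a DC's row turns false (service bind, configuration read, user lookup or user bind) is the dependency to chase; if both rows pass with every DC up but the application still stalls when DC2 is down, the problem is in what the application's own bind configuration points at rather than in the DCs. The user lookup is filtered on sAMAccountName and the final bind uses the distinguishedName returned by that search, which is why the CN value ("jdoe" or "John Doe") never has to match the login name in this flow.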