LDAP Bind to new domain controller

Wade-T
Veteran Member
Posts: 54

    We have a couple of domain controllers and Lawson is bound to one of them. This controller keeps failing and crashing and needs to be replaced. I asked Lawson where the documentation was for changing my LDAP bind and they stated I needed to contact Professional services.

    How difficult is it to do? Do I really need to spend $2**/hr with them? Would I be better off with someone like Ciber or Absolute (not a partner, but half the price and no issues when we used them in the past. Go Todd!)

    Two crashes in the last 3 days. I need to get the ball rolling one way or another.

    Can I run a test on my test servers to bind to one of the other domain controllers, and then do production, or do they both need to hit the same DC?

    John Henley
    Posts: 3353
      It isn't that hard, assuming all you are really doing is simply changing the name/address of the server to which you are authenticating. From command line, execute 'ldapbind' command, and follow the prompts, changing/replacing the servername when prompted 'Enter the LDAP provider URL to access'. Reboot the server or Stop/Start lawson & related services.

      Thanks for using the LawsonGuru.com forums!
      John
      Wade-T
      Veteran Member
      Posts: 54
        I will give it a shot on my test environment tomorrow and let you know the outcome.

        Thanks.
        Bart Conger
        Advanced Member
        Posts: 18
          If you continue to have issues with Domain Controllers, you could look to place/use a Load Balancer between the Lawson LDAP and your DCs. The Load Balancer could be configured to validate connectivity to the Domain Controller before communicating with it. I have worked with Networking teams to test and implement this solution successfully in the past. Good luck on your LDAP Bind!

          Bart
          Wade-T
          Veteran Member
          Posts: 54
            Hmmm. I ran the ldapbind, and rebooted the server. I can get into LID and run reports, but I am not able to log into the portal or the Lawson Security Administrator.

            Do I need to do anything within WebSphere itself?
            John Henley
            Posts: 3353
              Did you reboot the server?

              Thanks for using the LawsonGuru.com forums!
              John
              Wade-T
              Veteran Member
              Posts: 54
                Twice. We are going to run the ldapbind again and point back at the old DC and see if that works.
                Wade-T
                Veteran Member
                Posts: 54
                  I ran it again on the new DC and realized I was using the wrong account password. I can now get into the portal and Security administrator.

                  What would be some good testing to do to make sure everything is working correctly, add a new user?
                  John Henley
                  Posts: 3353
                    Look at $LAWDIR/system/security.log perhaps to get the error message related to ldapbind not working. It might be that the username/password you were using previously doesn't have access to the new domain controller. It's always a good practice to test it from an ldap browser first before changing via ldapbind...

                    Thanks for using the LawsonGuru.com forums!
                    John
                    Wade-T
                    Veteran Member
                    Posts: 54
                      I am not finding security.log. Could it be security.cfg?

                      Also, would I update the install.cfg file with the name of the new DC on the "LDAP_PROVIDER_URL=" line?
                      John Henley
                      Posts: 3353
                        ldapbind failures are logged to security.log; not sure what version this was added, but I know it's there in 9.0.1.

                        Yes, you should update install.cfg for completeness.

                        Thanks for using the LawsonGuru.com forums!
                        John
                        Wade-T
                        Veteran Member
                        Posts: 54
                          A couple weeks ago we ran ldapbind against a different domain controller and things looked fine. The network guy left the controller on until this morning. A couple of us attempted to log in this morning and were successful, but it took about 30 seconds to actually log in. We turned back on the old domain controller and were able to log in in under a second.

                          Is there any other place I need to remove references to the old controller?
                          mberge428
                          New Member
                          Posts: 2
                            We are having the same issue. What was the resolution?
                            Jimmy Chiu
                            Veteran Member
                            Posts: 641
                              It's probably because you are binding to a DC that's not a global catalog server. Redo LDAPBIND to a different DC that's a GC via port 3268.
                              mberge428
                              New Member
                              Posts: 2
                                Thank you. That worked great!
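
A pre-flight check that pulls together the advice in this thread (test the new DC before running ldapbind, keep the `LDAP_PROVIDER_URL=` line in install.cfg in step, and bind to a global catalog port), as an added example that is not from any poster or from Lawson. It assumes the provider URL has the form `ldap://host:port`; the host names, sample config line and function names are hypothetical.

```python
import socket
import time
from urllib.parse import urlsplit

GC_PORTS = {3268, 3269}  # Active Directory global catalog: plain / TLS

# Constructed sample; only the LDAP_PROVIDER_URL key comes from the thread.
SAMPLE_CFG = """\
LDAP_PROVIDER_URL=ldap://dc-old.example.com:389
"""

def provider_url_from_cfg(cfg_text):
    """Return the value of the LDAP_PROVIDER_URL= line, or None if absent."""
    for line in cfg_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "LDAP_PROVIDER_URL":
            return value.strip()
    return None

def preflight(url, retired_hosts=(), connect=socket.create_connection, timeout=5.0):
    """Check a provider URL before it is entered at the ldapbind prompt."""
    parts = urlsplit(url)
    tls = parts.scheme.lower() == "ldaps"
    host = parts.hostname or ""
    port = parts.port or (636 if tls else 389)
    findings = []
    if host in {h.lower() for h in retired_hosts}:
        findings.append("host is a domain controller scheduled for removal")
    if port not in GC_PORTS:
        findings.append(f"port {port} is not a global catalog port (3268/3269)")
    if not tls:
        findings.append("ldap:// scheme: bind is cleartext unless StartTLS is used")
    start = time.monotonic()
    try:
        connect((host, port), timeout=timeout).close()
        elapsed = time.monotonic() - start
    except OSError as exc:  # DNS failure, refusal and timeout all land here
        findings.append(f"TCP connect failed: {exc}")
        elapsed = None
    return {"host": host, "port": port, "connect_seconds": elapsed,
            "findings": findings}

if __name__ == "__main__":
    report = preflight(provider_url_from_cfg(SAMPLE_CFG),
                       retired_hosts=["dc-old.example.com"])
    print(report)
```

A clean TCP connect only shows the port is reachable; the bind account and password still need to be tested against the new DC from an LDAP browser, as suggested earlier in the thread.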