
DPA Login and alerting Questions

Good afternoon!

I have a domain/LDAP question about flipping domains and I will try to explain things here the best I can. 

We have a multi-domain environment and currently have Domain A syncing via LDAP to DPA for user access.  We have groups set up so users only get the information that they will need. In addition to LDAP access there are specific alerts set up to go to specific groups.  We have a new domain now that we are dumping everyone to and I need to change the LDAP connection to the new domain.  When I flip this, what will break for user access? 

Thanks!


Dave

  • martian monster,

    Good question. There is a whole blog that could be done on DPA LDAP and config, I think. DPA had LDAP integration before it had the wizard that allows for it now. In the old days (pre 10.2) you had to edit a file manually that is in the folder path DPA home\iwc\tomcat\ignite_config\idc\system.properties

    This file is what the wizard for the config now edits when you use it. The wizard still has a limitation in that it will only ask for the domain, and then it puts it in this file in a line that would look like

    com.confio.security.ldap.serverUrl1=ldaps://mydomain.com:3269

    The wizard only ever writes to this Url1 line, but DPA will work with up to 5, something like

    com.confio.security.ldap.serverUrl1=ldaps://mydomain.com:3269
    com.confio.security.ldap.serverUrl2=ldaps://mySecondDomain.com:3269
    com.confio.security.ldap.serverUrl3=
    com.confio.security.ldap.serverUrl4=

    We have also used this in support to point to direct servers when there are issues with one domain controller timing out. I have seen that with a domain that had servers in Europe while DPA was located in New York, USA, for example.

    So you can manually edit the file and add the other domain, assuming there is a trust and the one account in use to look up groups (in the manager line) can access both of them.

    com.confio.security.ldap.manager.dn.user=


    This has some other limits also. For example, if you are using LDAPS it might be best to go through the wizard first to get DPA to offer to import the certificates needed, and in one of the versions we had an issue where, if you had multiple Url lines in this file from a manual edit and used the wizard again, you got an error message. This has been fixed in the most recent release, I know.
    All this being said, my advice would be to use the wizard to change your info and import certificates. Be sure you use an account for the manager that can get to groups in both domains if possible, and then manually edit the file to add domain 2 in Url2. DPA should use domain 1 first and, if no match is found, try domain 2.

    If you have issues you can open a support case and we can advise more.
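The system.properties handling described in the reply above, as an added example that is not code from the original post or from SolarWinds: a small Python script that parses the file, lists the serverUrlN entries in the order DPA tries them (Url1 first), flags plaintext ldap:// URLs and an empty manager DN before you flip domains, appends the second domain in the next free slot, and reports any URL slot that a later wizard run wiped out (the wizard only writes Url1). The property names are the ones quoted in the reply; the sample file contents, the service-account DN and the file path are constructed for the example and are assumptions.

```python
"""Audit and extend the DPA LDAP server list in system.properties.

Added example. Property names (serverUrl1..5, manager.dn.user) are those
quoted in the forum reply; the sample file, the service-account DN and the
path are constructed for this example, not taken from a real install.
"""
from urllib.parse import urlsplit

PREFIX = "com.confio.security.ldap."
MAX_URLS = 5  # the reply says DPA honours up to five serverUrl lines

# Constructed sample of what the wizard leaves behind: only Url1 is filled in.
SAMPLE_PROPERTIES = """\
# assumed path: <DPA home>\\iwc\\tomcat\\ignite_config\\idc\\system.properties
com.confio.security.ldap.serverUrl1=ldaps://mydomain.com:3269
com.confio.security.ldap.serverUrl2=
com.confio.security.ldap.manager.dn.user=CN=svc-dpa-ldap,OU=Service Accounts,DC=mydomain,DC=com
"""


def parse_properties(text):
    """Parse Java-style key=value lines; keeps file order, skips comments."""
    props = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("#", "!")):
            continue
        key, sep, value = s.partition("=")  # DNs contain '=', so split once
        if sep:
            props[key.strip()] = value.strip()
    return props


def server_urls(props):
    """Configured server URLs in DPA's try order: Url1, then Url2, ..."""
    urls = []
    for i in range(1, MAX_URLS + 1):
        value = props.get(f"{PREFIX}serverUrl{i}", "")
        if value:
            urls.append(value)
    return urls


def audit(props):
    """Findings to review before pointing DPA at a new domain."""
    findings = []
    urls = server_urls(props)
    if not urls:
        findings.append("no serverUrl configured")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme == "ldap":
            findings.append(f"{url}: plaintext LDAP, bind password and group "
                            "lookups cross the wire unencrypted; use ldaps://")
        elif parts.scheme != "ldaps":
            findings.append(f"{url}: unexpected scheme {parts.scheme!r}")
        if parts.port is None:
            findings.append(f"{url}: no explicit port (3269 is the AD global "
                            "catalog over TLS, as in the reply's example)")
    if not props.get(f"{PREFIX}manager.dn.user"):
        findings.append("manager.dn.user is empty; group lookups in any domain "
                        "will fail")
    return findings


def add_server_url(props, url):
    """Put url in the first empty serverUrlN slot (idempotent)."""
    if url in server_urls(props):
        return props
    for i in range(1, MAX_URLS + 1):
        key = f"{PREFIX}serverUrl{i}"
        if not props.get(key):
            props[key] = url
            return props
    raise ValueError(f"all {MAX_URLS} serverUrl slots are in use")


def lost_urls(before, after):
    """URLs present before a wizard run that are missing afterwards."""
    return [u for u in server_urls(before) if u not in server_urls(after)]


def render(props):
    """Serialise back to key=value lines in the original order."""
    return "".join(f"{k}={v}\n" for k, v in props.items())


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    add_server_url(props, "ldaps://mySecondDomain.com:3269")
    print(render(props))
    for finding in audit(props):
        print("WARNING:", finding)
```

Run the audit before and after the wizard: keep a copy of the parsed file from before the change and pass both to `lost_urls`, so a wizard run that rewrote only Url1 and dropped your hand-added Url2 shows up immediately rather than as users from the second domain failing to log in.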

  • I am going to give this a try tomorrow morning and if I have an issue I will let you know.  Thanks!!! -Dave