2 Replies Latest reply on May 29, 2019 3:16 PM by jaminsql

    DPA Login and alerting Questions

    martian monster

      Good afternoon!

      I have a domain/LDAP question about flipping domains and I will try to explain things here the best I can.

      We have a multi-domain environment and currently have Domain A syncing via LDAP to DPA for user access. We have groups set up so users only get the information that they will need. In addition to LDAP access there are specific alerts set up to go to specific groups. We have a new domain now that we are dumping everyone to and I need to change the LDAP connection to the new domain. When I flip this, what will break for user access?

      Thanks!


      Dave

        • Re: DPA Login and alerting Questions
          jaminsql

          martian monster,

          Good question. There is a whole blog that could be done on DPA LDAP and config, I think. DPA had LDAP integration before it had the wizard that allows for it now. In the old days (pre 10.2) you had to edit a file manually that is in the folder path DPA home\iwc\tomcat\ignite_config\idc\system.properties

           

          This file is what the wizard for the config now edits when you use it. The wizard still has a limitation in that it will only ask for the domain and then it puts it in this file in a line that would look like

          com.confio.security.ldap.serverUrl1=ldaps://mydomain.com:3269

          The wizard only ever writes to this Url1 line, but DPA will work with up to 5, something like

          com.confio.security.ldap.serverUrl1=ldaps://mydomain.com:3269

          com.confio.security.ldap.serverUrl2=ldaps://mySecondDomain.com:3269

          com.confio.security.ldap.serverUrl3=

          com.confio.security.ldap.serverUrl4=

          We have also used this in support to point to direct servers when there are issues with one domain controller timing out. I have seen that with a domain that had servers in Europe and DPA located in New York, USA, for example.

          So you can manually edit the file and add the other domain, assuming there is a trust and the one account in use to look up groups in the manager line can access both of them.

          com.confio.security.ldap.manager.dn.user=


          This has some other limits also. For example, if you are using LDAPS it might be best to go through the wizard first to get DPA to offer to import the certificates needed. Also, in one of the versions we had an issue where, if you had multiple Url lines in this file from a manual edit and you used the wizard again, you got an error message. This has been fixed in the most recent release, I know.
          All this being said, my advice would be to use the wizard to change your info and import certificates. Be sure you use an account for the manager that can get to groups in both domains if possible, and then manually edit the file to add domain 2 in Url2. DPA should use domain 1 first and, if no match is found, try domain 2.


          If you have issues you can open a support case and we can advise more.
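The reply above describes hand-editing system.properties to add a second domain in the serverUrl2 line. The script below is an added example, not SolarWinds' or DPA's own tooling: it reads the LDAP-related lines of such a file offline and reports what a manual edit commonly gets wrong (a serverUrlN line that uses ldap:// instead of ldaps://, a skipped number in the serverUrl sequence, no port, or an empty manager.dn.user). The property names are the ones quoted in the reply; the hostnames, the port on serverUrl2 and the service-account DN in the sample are constructed for illustration. It only inspects the file text and never contacts a domain controller, and it handles any serverUrlN number rather than just Url1 through Url4.

```python
"""Sanity-check the LDAP lines in DPA's system.properties after a manual edit."""
import re
from urllib.parse import urlsplit

# Constructed sample of the relevant lines; not taken from any real DPA install.
SAMPLE_PROPERTIES = """\
# unrelated settings omitted
com.confio.security.ldap.serverUrl1=ldaps://mydomain.com:3269
com.confio.security.ldap.serverUrl2=ldap://mySecondDomain.com:3268
com.confio.security.ldap.serverUrl3=
com.confio.security.ldap.serverUrl4=
com.confio.security.ldap.manager.dn.user=CN=svc-dpa,OU=Service,DC=mydomain,DC=com
"""

PREFIX = "com.confio.security.ldap."
URL_KEY = re.compile(r"^serverUrl(\d+)$")
MANAGER_KEY = PREFIX + "manager.dn.user"


def parse_properties(text):
    """Minimal Java-style properties parser: key=value, '#'/'!' comments, blanks skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")  # the value may itself contain '=' (a DN does)
        props[key.strip()] = value.strip()
    return props


def ldap_servers(props):
    """Return [(n, url), ...] for every non-empty serverUrlN, in numeric order."""
    found = []
    for key, value in props.items():
        if not key.startswith(PREFIX):
            continue
        m = URL_KEY.match(key[len(PREFIX):])
        if m and value:
            found.append((int(m.group(1)), value))
    return sorted(found)


def check_ldap_config(text):
    """Return {'servers': [...], 'findings': [...]}; findings are human-readable warnings."""
    props = parse_properties(text)
    servers = ldap_servers(props)
    findings = []

    if not servers:
        findings.append("no serverUrlN line is set; LDAP logins cannot work")

    previous = 0
    for n, url in servers:
        # DPA tries the URLs in order, so a skipped number is almost always a typo.
        if n != previous + 1:
            findings.append(f"serverUrl{n}: numbering skips serverUrl{previous + 1}")
        previous = n
        parts = urlsplit(url)
        if parts.scheme != "ldaps":
            findings.append(f"serverUrl{n}: scheme '{parts.scheme}' is not ldaps; "
                            "the bind and group lookups are not TLS-protected")
        if not parts.hostname:
            findings.append(f"serverUrl{n}: no host in '{url}'")
        if parts.port is None:
            findings.append(f"serverUrl{n}: no explicit port (3269 is the GC-over-SSL port used in the reply)")

    if not props.get(MANAGER_KEY):
        findings.append("manager.dn.user is empty; there is no account to look up groups with")

    return {"servers": servers, "findings": findings}


if __name__ == "__main__":
    result = check_ldap_config(SAMPLE_PROPERTIES)
    for n, url in result["servers"]:
        print(f"serverUrl{n} -> {url}")
    for finding in result["findings"]:
        print("WARNING:", finding)
```

Run it against a copy of the real file (for example `check_ldap_config(open(path).read())`) before restarting DPA after the edit; on the constructed sample it lists both servers and warns only that serverUrl2 is plain ldap://.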