Gary Magsano (Established Member)

using multiple ldap servers for authentication

Hi,

We are still on Service Manager v9.21. We have been using LDAP authentication with our Microsoft Active Directory. We specified the ldapbinddn and ldapbindpass parameters to bind to our LDAP server and use the ldapauthenticateonly parameter set.

We merged with another company that has their own Microsoft Active Directory. We have a trust relationship with their Active Directory.

They want their users to be able to log into Service Manager now. I know that in the sm.ini file, you can specify multiple LDAP servers by using ldapserver1, ldapserver2, etc.

However, how would I specify the ldapbinddn and ldapbindpass parameters for the second or their ldapserver? Furthermore, what about the operator file level mapping? How would I be able to specify 2 different ldapservers there?

We don't have anonymous binds allowed for our LDAP server due to security reasons.

Thanks in advance,

Gary

John Stagaman (Absent Member)

Re: using multiple ldap servers for authentication

In 9.31 and earlier, SM can only connect to a single, top level Domain, so you would need to configure LDAP Referral Chasing on the LDAP server, configure an LDAP Proxy server as an intermediary to the domains, or use a third-party application.

From another forum post:
to use multiple LDAP for different clients, we need to connect to a top-level domain server that can route to the lower level domains. Alternatively, you'd need to add aliases to one of the systems so that SM could find all operators in that one AD domain. You will need to change on your sm.ini file. Here are some posts about multiple ADs for SM:
http://h30499.www3.hp.com/t5/HP-Service-Manager-Service/LDAP-Configuration-with-multi-domain/m-p/466...
http://h30499.www3.hp.com/t5/HP-Service-Manager-Service/Contacts-from-multiple-LDAP-Servers/m-p/5108...
http://h30499.www3.hp.com/t5/HP-Service-Manager-Service/LDAP-for-multiple-AD-s/m-p/5416329/highlight...
http://h30499.www3.hp.com/t5/HP-Service-Manager-Service/HP-Service-Manager-9-30-Multiple-LDAP-integr...
http://h30499.www3.hp.com/t5/HP-Service-Manager-Service/SM-Integration-with-multiple-AD/m-p/5515883/...


In version 9.32 and above, it is possible to configure a horizontally scaled environment so that different SM application servers can authenticate to different LDAP Domains. I have not configured this since the functionality was introduced, but it was described in the release notes as follows:
If you wish to authenticate SM users that belong to different domains or sub domains, you can deploy multiple LDAP servers that belong to the corresponding domains, and then set up a horizontal scaled (HS) cluster.
By proper configuration,
--users belonging to Domain 1 can directly connect to server node 1 and be authenticated by LDAP server 1,
--users belonging to Domain 2 can directly connect to server node 2 and be authenticated by LDAP server 2.
Hence, they can share the same database while at the same time be authenticated for their domain.
----------------------------------------------------
Kudos - what, where, how, and why
Want Good Answers? Ask Good Questions...
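
Added example (not part of the thread and not Service Manager code): a small audit for the per-node layout described in the release-note excerpt above, checking that each node's sm.ini has its own bind credentials so no node is left without an authenticated bind. It assumes sm.ini uses `name:value` lines with `#` comment lines; the host names, DNs, values and finding codes are constructed for illustration.

```python
import re

# Constructed per-node sm.ini fragments (hosts, DNs and values are made up).
NODE_INI = {
    "node1": """
# node 1 authenticates Domain 1
ldapserver1:dc1.corp-a.example
ldapbinddn:CN=svc-sm,OU=Service,DC=corp-a,DC=example
ldapbindpass:placeholder-secret
ldapauthenticateonly:1
""",
    "node2": """
ldapserver1:dc1.corp-b.example
ldapserver2:dc1.corp-a.example
ldapbinddn:CN=svc-sm,OU=Service,DC=corp-b,DC=example
ldapauthenticateonly:1
""",
}

def parse_sm_ini(text):
    """Parse 'name:value' lines; lines starting with '#' are comments (assumed syntax)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)  # split once: DNs and passwords may contain ':'
        params[name.strip().lower()] = value.strip()
    return params

def audit_node(params):
    """Return sorted finding codes for one node's LDAP settings."""
    findings = set()
    servers = {v for k, v in params.items() if re.fullmatch(r"ldapserver\d+", k) and v}
    if not servers:
        findings.add("no-ldap-server")
    for cred in ("ldapbinddn", "ldapbindpass"):
        if not params.get(cred):
            findings.add("missing-" + cred)  # node cannot perform an authenticated bind
    if len(servers) > 1:
        # Premise of the question above: one bind DN/password pair per sm.ini,
        # so every server listed on this node is bound with the same account.
        findings.add("servers-share-one-bind-account")
    return sorted(findings)

def audit_cluster(node_ini):
    """Map each node name to the findings for its sm.ini text."""
    return {node: audit_node(parse_sm_ini(text)) for node, text in node_ini.items()}
```

On the constructed input, node1 is clean and node2 is flagged for a missing bind password and for listing two domains' servers behind one bind account.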
winnielee (Honored Contributor)

Re: using multiple ldap servers for authentication

How about the LDAP mapping in SM? The LDAP mapping can only configure 1 LDAP.
