Tech Tip: Updating your LDAP settings after upgrading to NFA 9.1.3 or 9.1.4

Document created by Christopher_Walsh (Employee) on Aug 7, 2014. Last modified by SamCreek on Dec 17, 2016.

NFA 9.1.x uses a different SSO module than earlier versions of RA (ReporterAnalyzer, the previous name of NFA) or NPC.

This means that after upgrading to NFA 9.1.3 or 9.1.4 you must also update your LDAP settings.

If you are disconnecting NFA from NPC and linking it to CAPC, you should only need to set up LDAP on the CAPC server; the correct settings will sync down to the NFA server and allow users to log in with LDAP credentials.

If, however, you are still linked to NPC, the settings NPC syncs down are not fully compatible with the new SSO module used by NFA, so you will need to launch the new SSOConfig tool on the NFA console server and set up the LDAP settings there.

The latest version of the SSO Configuration guide can be found here.

SSOConfig.exe is located in \CA\NFA\Portal\SSO\bin on new installations, or in \Netqos\Portal\sso\bin on systems that were upgraded from an older installation and kept the NetQoS directory layout.

Because NPC still syncs down the LDAP settings from its database, which are based on the older SSO modules, you will need to adjust some LDAP settings on the NFA console server as "Local Override" settings; you will see this option when you launch the SSO Config tool.

A "Local Override" SSO setting tells NFA to ignore whatever NPC syncs for that setting and use the value set on the NFA console server instead.

If your current "Connection User" is set to the literal value {0} and "Connection Password" to {1}, the values synced from NPC cannot be used, and you will need to update your SSO settings for LDAP to work with NFA.

There are two options that may get this working in your environment:

A) The easy way...

You can try simply setting the "Encryption" method to "DIGEST-MD5", as shown below. Despite the field name, DIGEST-MD5 is a SASL authentication mechanism rather than session encryption: it keeps the bind password from crossing the wire in the clear, but it is not a substitute for connecting to the directory over LDAPS.

[Screenshot: DIGEST-MD5_LDAP.png]

This method does not work in all environments. With Active Directory it typically fails unless the account's password is stored with reversible encryption, which is off by default and should stay off. If it fails, try the second method below.

B) If DIGEST-MD5 does not work in your environment, clear the "Encryption" field, enable "User Bind", and enter a service account in "Connection User" and "Connection Password". Use a dedicated account that has read-only access to the directory and no other privileges; its credentials are stored in the NFA SSO configuration, so do not reuse an administrator account. Because this is a simple bind, the password is sent to the LDAP server as-is, so connect over LDAPS (port 636) wherever your environment allows it.

Depending on your LDAP environment you may be able to use a "Connection User" in UPN form such as "username@domain.com", or you may have to supply the full distinguishedName (DN) of the service account you plan to use.

  • Finding the DN of your service account user.

If you are using Microsoft Active Directory, you can use the free Sysinternals tool "AD Explorer" to identify the Connection User's DN.

1) To use AD Explorer you will need the name of your LDAP server (a domain controller). You can usually find it by running "echo %logonserver%" on a computer that authenticates against that directory; the output has the form \\DCNAME, and you use DCNAME without the leading backslashes.

2) Once you know the LDAP server name, open AD Explorer, go to "File -> Connect", and enter the server name or IP address in the "Connect To" field.

[Screenshot: ad_explorer_server.png]

3) Once connected, right-click the server name at the top of the tree and select "Search Container".

4) In the Search window, change the "Attribute" drop-down to "sAMAccountName", enter the username of the service account you wish to use in the "Value" field, click "Add", and then click "Search".

The pane at the bottom displays the search results, which should include the distinguishedName of the service account.

[Screenshot: AD_DN.png]

5) Use this distinguishedName in the "Connection User" field of the SSOConfig tool.

You will also need to set "Connection Password" to the password of the service account and set "User Bind" to "enabled".

[Screenshot: UserBind.png]

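As an added example that is not part of the original article or of the NFA product, the following PowerShell script performs the DN lookup from steps 1 to 5 with the ADSI searcher built into Windows instead of AD Explorer, and then test-binds with the resulting credentials in both styles the article describes: a DIGEST-MD5 SASL bind (option A) and a simple "User Bind" with the Encryption field cleared (option B). Running it before you touch SSOConfig tells you which option your directory will accept. The server name, account name and port are placeholders; the script assumes a domain-joined Windows host with .NET available and needs no RSAT modules.

```powershell
# Added example (not from the original article): find a service account's DN
# by sAMAccountName and verify the credentials can bind, before entering them
# into SSOConfig. Names below are placeholders; replace them for your domain.
param(
    [string]$Server         = 'dc01.corp.example.com',  # from: echo %logonserver% (drop the leading \\)
    [string]$SamAccountName = 'svc_nfa_ldap',           # the service account for "Connection User"
    [int]$Port              = 636                       # 636 = LDAPS for the simple bind; 389 is cleartext
)

Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Steps 3-5 of the article: search the current domain for the account by
# sAMAccountName and return its distinguishedName.
function Get-ServiceAccountDN {
    param([string]$Sam)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # Escape LDAP filter metacharacters (RFC 4515) so an odd account name
    # cannot widen the search beyond the one account intended.
    $escaped = $Sam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$escaped))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "No account with sAMAccountName '$Sam' was found" }
    return [string]$result.Properties['distinguishedname'][0]
}

# Option B of the article: simple bind with the DN as the user name. A simple
# bind sends the password as-is, so this wraps it in TLS when port 636 is used.
function Test-SimpleBind {
    param([string]$Server, [int]$Port, [string]$Dn, [System.Security.SecureString]$Password)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $cred = New-Object System.Net.NetworkCredential($Dn, $Password)
    try   { $conn.Bind($cred); return $true }
    catch { Write-Warning "Simple bind failed: $($_.Exception.Message)"; return $false }
    finally { $conn.Dispose() }
}

# Option A of the article: DIGEST-MD5 SASL bind. The password itself does not
# cross the wire, but Active Directory only accepts this for accounts whose
# passwords are stored with reversible encryption, which is why the article
# says it does not work in every environment. If the server reports an unknown
# user, try the UPN form (user@domain) as the user name.
function Test-DigestBind {
    param([string]$Server, [string]$User, [System.Security.SecureString]$Password)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Digest
    $cred = New-Object System.Net.NetworkCredential($User, $Password)
    try   { $conn.Bind($cred); return $true }
    catch { Write-Warning "DIGEST-MD5 bind failed: $($_.Exception.Message)"; return $false }
    finally { $conn.Dispose() }
}

$dn = Get-ServiceAccountDN -Sam $SamAccountName
"Connection User (DN): $dn"
$pw = Read-Host -AsSecureString "Password for $SamAccountName"
"DIGEST-MD5 bind (option A):       $(Test-DigestBind -Server $Server -User $SamAccountName -Password $pw)"
"Simple bind over LDAPS (option B): $(Test-SimpleBind -Server $Server -Port $Port -Dn $dn -Password $pw)"
```

If option A returns True you can set "Encryption" to DIGEST-MD5 as in the article; if only option B returns True, clear "Encryption", enable "User Bind", and paste the printed DN into "Connection User". The password is read as a SecureString and never written to the console or the PowerShell history.
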
This document was generated from the following discussion: 9.1.3 Upgrade Tip - Updating your LDAP settings after upgrading to 9.1.3
