AnsweredAssumed Answered

Multiple LDAP Domain procedure

Question asked by J_W on Oct 26, 2016
Latest reply on Mar 31, 2017 by jmayer

Warning:  Long post

SDM 14.1.03 (no xFlow)

Windows environment.

Customer has current Windows AD DOMAIN_A where all users and the old SDM application reside. This was the only domain. All users were created manually or using the existing LDAP settings in Options Manager to auto create when userid was found in the domain and that is how their ldap_dn value was populated.


The customer is merging/acquiring other AD domains and have created a new DOMAIN_B to eventually be the top of a forest to include all the users in DOMAIN_A and new DOMAIN_C and DOMAIN_D.  The new SDM servers are in this DOMAIN_B.  There are already trusts between these domains. They will be moving accounts from DOMAIN_A to DOMAIN_B in sections.  There are test accounts in DOMAIN_B


After using pdm_export and pdm_load to bring over all contacts from the old SDM, I enabled the LDAP settings in Option Manager in the new SDM server and restarted SDM services.  I tested the trust relationship by setting External Authentication / OS-Use Operating System authentication for a test access type and modifying their userid to 'DOMAIN_A\userid' and they can login.  I verified that the DN credentials to all domains using

  pdm_ldap_test -s DC=DOMAIN-xx,DC=com

changing the domain for each test and this returned accounts from all domains.


I modified the cnt schema in WSP and created the ldap_mod per TEC489029: "How to get pdm_ldap_sync to synchronize the ldap-enabled/disabled status with contact's active/inactive status in servicedesk?" Knowledge Base Articles 


I then followed the instructions in the Wiki: 

How to integrate CA SDM with LDAP - CA Service Management - 14.1 - CA Technologies Documentation 

at section "Manage LDAP Servers Using the LDAP Configuration Utility" by first creating a name for the default ldap domain (DOMAIN_B)

pdm_options_mgr -c -a pdm_option.inst -s LDAP_DOMAIN -v DOMAIN_B
pdm_options_mgr -c -a pdm_option.inst -s LDAP_DOMAIN -v DOMAIN_B -t

and restarted SDM services.


I then ran:

    pdm_ldap_import -n DOMAIN_B

This imported the test contacts from DOMAIN_B and prepended "DOMAIN_B\" to each userid.

I then ran:

   pdm_ldap_sync -n DOMAIN_B

and all the contacts that were deactivated in DOMAIN_B were set to inactive in SDM.


Next, I added the DOMAIN_A using the


utility.  Adding the same values as the default, except changing the NX_LDAP_SEARCH_BASE to match the new DOMAIN_A.  I verified these new values were in NX.env and restarted services.

Now, when I try to run:

    pdm_ldap_import -n DOMAIN_A

it fails and I get:


    pdm_ldap_import: Method got_record in Ldap_Catcher failed ()

in stdlog.

I've researched this online and I do not have any spaces between elements in my ldap_search_base. There are at least two open questions here in the Community that don't have an answer (or they were resolved and the OP didn't update)


LDAP Problems importing contacts of more than one LDAP Domain 



I have a case open with CA Support but they have had it for several days and I am waiting on them.They keep asking me to walk through the procedure I used, so I decided to post it here for more eyes.

Has anyone successfully complete multiple domain integration and, if so, can you post the correct procedure or point out what I am missing?