IT Process Automation

  • 1.  LDAP with Multiple top level OUs in EEM

    Posted Mar 07, 2018 04:28 PM

    We are working on integrating the remainder of r14.1 service management components into our existing SDM environment in preparation for an overall r17.1 upgrade later this year. I'm currently stuck at the integration for PAM since the Provider Username is a srvAccount in the "Admin" OU that can't be seen in EEM.

    I currently have EEM configured for Multiple Microsoft Active Directory Domains and the Base DN set to "Sites" (OU=SITES,DN=AD,DN=MYORG,DN=NET). This is the tree where all of the "User" accounts reside. The issue I am running into is: the application user for PAM, our Service Account user, is in "Admin" (OU=Admin,DN=AD,DN=MYORG,DN=NET).

    I attempted to add another LDAP Directory with a unique name and OU=Admin instead of OU=Sites for the Base DN, and received a "EE_NOTALLOWED Operation not allowed" error. Since an OU must be entered and you can't use a wildcard for the OU either, what can I do to set up the User Store so that it can see into both Top Level OUs?

    I knew it wouldn't work, but out of desperation I did try to set up the LDAP connection as DN=AD,DN=MYORG,DN=NET and OU=AD,DN=MYORG,DN=NET, neither of which could locate anything.

     



  • 2.  Re: LDAP with Multiple top level OUs in EEM

    Broadcom Employee
    Posted Mar 07, 2018 04:38 PM

    Is there a higher level DN that you could point to that both Sites and Admin exist below?  That would likely be the simplest solution. 



  • 3.  Re: LDAP with Multiple top level OUs in EEM

    Posted Mar 07, 2018 05:49 PM

    Unfortunately, no. Sites and Admins both sit at the top level. Though I might have found a workaround by substituting port 3268 and not putting an OU in the Base DN. That effectively directs the connection to the Global Catalog. Time will tell once we start to provision actual user groups for Service Management apps, if it will work for us in the long term.



  • 4.  Re: LDAP with Multiple top level OUs in EEM

    Broadcom Employee
    Posted Mar 07, 2018 04:58 PM

    Is there a reason you are using the Multiple Active Directory Domains setup in EEM? If everything exists under DN=MYORG, DN=NET then use Basic and just use this as the base DN. 



  • 5.  Re: LDAP with Multiple top level OUs in EEM

    Posted Mar 07, 2018 05:56 PM

    The short answer is Yes. The long answer is our AD structure was set up by Novell admins who were learning Active Directory as we converted to it. :-D  In addition, we have some outlying sites that have their own domains. We have to plan for a time when we may need to provision them for access to Service Catalog and Service Desk functions.



  • 6.  Re: LDAP with Multiple top level OUs in EEM

    Broadcom Employee
    Posted Mar 08, 2018 01:40 PM

    So as a fix right now, using 3268 is good. You get a much quicker response using the Global Catalog.

    Setting the search base DN at the top level of DN=MYORG, DN=NET will stop the search from being restricted to the OU defined. 

    One other thing you should do is to set the paging value for EEM to true. In the server.xml file located under C:\Program Files\CA\SC\EmbeddedEntitlementsManager\config\server there is a setting:

    <paged>false</paged>

    Change that to 

    <paged>true</paged>

    and restart the iGateway service. 

     

    Because you are using the Multiple Active Directory domain setup, for Process Automation you will also need to set the default AD domain setting once you add the other domains. Don't do this now, but once you add these other domains at a later time, you will have to have this specified.

    The setting is in the oasisconfig.properties file:

    oasis.security.activeDirectory.defaultDomain=

    Set this to your main domain as:

    oasis.security.activeDirectory.defaultDomain=myorg.net

    and restart Process Automation.

     

    If you do for now decide to go with the Basic LDAP setup in EEM, you will have to leave that default domain setting as blank or else you won't be able to log into Process Automation. 
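Added example (constructed for this thread; not EEM, CA or Broadcom code): a small Python subtree-scope check that shows why a Base DN of OU=SITES cannot see an account under OU=Admin, why a base one level up (or no base at all, which is what the Global Catalog connection on 3268 amounts to) sees both, and why the OU=AD,... attempt in the first post matched nothing. The DNs are modelled on the thread and use DC= for the domain components, which is the standard attribute type for them; the user and service-account names are invented.

```python
"""Subtree-scope check for LDAP search bases (added illustration, not EEM code).

A subtree search returns an entry only when the search base is a suffix of the
entry's DN, RDN by RDN and attribute type included.  The DNs below are
constructed from the thread's layout; the CN values are invented.
"""
from typing import List, Tuple

# Constructed entries: a regular user under OU=SITES and the PAM service account under OU=Admin.
USER_DN = "CN=jsmith,OU=Users,OU=SITES,DC=AD,DC=MYORG,DC=NET"
SVC_DN = "CN=srvPAM,OU=Admin,DC=AD,DC=MYORG,DC=NET"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, leftmost first.

    Attribute types and values are compared case-insensitively, as AD does.
    A backslash-escaped comma inside a value is kept as part of the value.
    """
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        parsed.append((attr.strip().lower(), value.strip().lower()))
    return parsed


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or lies anywhere below it (scope=subtree)."""
    if not base_dn.strip():          # empty base: search the whole naming context (GC-style)
        return True
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(base) > len(entry):
        return False
    return entry[len(entry) - len(base):] == base


def visible_from(base_dn: str, dns: Tuple[str, ...] = (USER_DN, SVC_DN)) -> List[str]:
    """Return the constructed entries a subtree search from base_dn would reach."""
    return [dn for dn in dns if in_subtree(dn, base_dn)]


if __name__ == "__main__":
    for base in ("OU=SITES,DC=AD,DC=MYORG,DC=NET",
                 "OU=Admin,DC=AD,DC=MYORG,DC=NET",
                 "DC=AD,DC=MYORG,DC=NET",
                 "OU=AD,DC=MYORG,DC=NET",
                 ""):
        print(f"base {base or '<none>'!r}: {visible_from(base)}")
```

The OU=AD,DC=MYORG,DC=NET attempt fails the check because the attribute type is part of the RDN: OU=AD and DC=AD are different names even though the values match, so no entry's DN ends in that suffix.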

     



  • 7.  Re: LDAP with Multiple top level OUs in EEM

    Posted Mar 08, 2018 03:16 PM

    What does the Paging setting actually do?



  • 8.  Re: LDAP with Multiple top level OUs in EEM

    Broadcom Employee
    Posted Mar 08, 2018 04:13 PM

    The setting in EEM allows for EEM to basically implement the AD paging rules.

    By default, AD is set to page at 1000 records - so you make a request to AD, if the record isn't within the first 1000 records, it pulls the next 1000 records, and so on. All so you don't cause AD to crash trying to parse through 300k records at once.

    With the paging setting as true, EEM will do the same thing. It's a performance adjustment, and improves EEM performance when used with Active Directory.
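Added example (constructed; not EEM or Active Directory code): what the simple paged results control that `<paged>true</paged>` turns on actually carries on the wire (RFC 2696, control type OID 1.2.840.113556.1.4.319) and how a client walks a 2,500-entry result set in pages of at most 1000 until the server hands back an empty cookie. The BER encoder/decoder is written out by hand so the bytes are visible; the "server" is an in-memory stand-in that uses a plain offset as its cookie, whereas a real AD cookie is opaque to the client.

```python
"""Simple paged results control (RFC 2696): encoding, decoding and the page loop.

Everything here is a constructed illustration.  The control value is
    realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
and the server keeps returning a non-empty cookie until the last page is sent.
"""
from typing import List, Tuple

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # control type registered for this control
AD_PAGE_LIMIT = 1000                            # AD's default MaxPageSize

# Constructed directory content: 2,500 user entries under OU=SITES.
DIRECTORY = [f"CN=user{i},OU=SITES,DC=AD,DC=MYORG,DC=NET" for i in range(2500)]


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER (tag 0x02)."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)
    return b"\x02" + _ber_len(len(body)) + body


def encode_paged_control(size: int, cookie: bytes = b"") -> bytes:
    """SEQUENCE { size INTEGER, cookie OCTET STRING } as sent in the LDAP control."""
    inner = _ber_int(size) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value triple; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_paged_control(value: bytes) -> Tuple[int, bytes]:
    """Inverse of encode_paged_control; returns (size, cookie)."""
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("paged results control value must be a SEQUENCE")
    tag, size_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER size")
    tag, cookie, _ = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING cookie")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


def server_search(directory: List[str], control_value: bytes) -> Tuple[List[str], bytes]:
    """Stand-in for a server honouring the control (constructed, not AD).

    Returns one page of at most min(requested size, AD_PAGE_LIMIT) entries and
    the control value to send back; its cookie is empty once the last page is out.
    """
    size, cookie = decode_paged_control(control_value)
    start = int.from_bytes(cookie, "big") if cookie else 0   # our cookie is just an offset
    page = directory[start:start + min(size, AD_PAGE_LIMIT)]
    end = start + len(page)
    next_cookie = b"" if end >= len(directory) else end.to_bytes(4, "big")
    return page, encode_paged_control(size, next_cookie)


def fetch_all(directory: List[str], page_size: int = AD_PAGE_LIMIT) -> Tuple[List[str], int]:
    """Client side of the loop: resend the cookie until the server returns an empty one."""
    entries, pages, cookie = [], 0, b""
    while True:
        page, ctrl = server_search(directory, encode_paged_control(page_size, cookie))
        entries.extend(page)
        pages += 1
        _, cookie = decode_paged_control(ctrl)
        if not cookie:
            return entries, pages


if __name__ == "__main__":
    print("first request control value:", encode_paged_control(AD_PAGE_LIMIT).hex())
    got, n = fetch_all(DIRECTORY)
    print(f"fetched {len(got)} entries in {n} pages")
```

Without the control a server capped at 1000 entries cannot continue past the first page, which is why a client that does not page sees only part of a large directory; with it, the client's request size above the server's limit is simply clamped, as the `page_size=5000` case in the test shows.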