To configure an Active Directory (AD) server backend, run a dsconfig script. The following settings are required on every external server of type active-directory:
- verify-credentials-method:bind-on-existing-connections and authorization-method:rebind
Note: Active Directory does not support proxy-as (proxied authorization), so the proxy cannot forward a request under the client's identity on a shared connection. Existing pooled connections must be reused: client credentials are verified by binding on an existing connection, and authorization is established by rebinding.
- max-connection-age:5m and health-check-pooled-connections:true
Note: Active Directory drops idle connections after 15 minutes. The proxy must retire and health-check pooled connections at a shorter interval, so that a request is never sent on a connection that AD has already closed.
The following example dsconfig script configures two Active Directory servers, AD-SRV1 and AD-SRV2. It is an example only: both servers point at the placeholder host example.server and use the placeholder bind password password, and it enables the Blind Trust trust manager provider, which accepts whatever certificate the AD server presents over LDAPS without validating it. In production, replace the host names and password, and use a trust manager provider backed by a trust store that contains the AD certificate chain so the proxy actually verifies the server it binds to.
# Do not apply the Consume Admin Alerts health check to every backend server;
# the AD servers do not expose the admin alerts backend it consumes.
dsconfig set-ldap-health-check-prop --check-name "Consume Admin Alerts" \
--reset use-for-all-servers
# Example only: Blind Trust disables certificate validation for the AD connections.
dsconfig set-trust-manager-provider-prop \
--provider-name "Blind Trust" \
--set enabled:true
dsconfig create-external-server --server-name AD-SRV1 --type active-directory \
--set server-host-name:example.server \
--set server-port:636 \
--set bind-dn:cn=ProxyUser,dc=dom-ad2,dc=local \
--set password:password --set connection-security:ssl \
--set key-manager-provider:Null --set trust-manager-provider:"Blind Trust" \
--set authorization-method:rebind \
--set verify-credentials-method:bind-on-existing-connections \
--set max-connection-age:5m \
--set health-check-pooled-connections:true
dsconfig create-external-server --server-name AD-SRV2 --type active-directory \
--set server-host-name:example.server \
--set server-port:636 \
--set bind-dn:cn=ProxyUser,dc=dom-ad2,dc=local \
--set password:password \
--set connection-security:ssl \
--set key-manager-provider:Null \
--set trust-manager-provider:"Blind Trust" \
--set authorization-method:rebind \
--set verify-credentials-method:bind-on-existing-connections \
--set max-connection-age:5m \
--set health-check-pooled-connections:true
dsconfig create-load-balancing-algorithm --algorithm-name AD-LBA \
--type fewest-operations \
--set enabled:true \
--set backend-server:AD-SRV1 \
--set backend-server:AD-SRV2 \
--set use-location:false
dsconfig create-request-processor --processor-name AD-Proxy --type proxying \
--set load-balancing-algorithm:AD-LBA
dsconfig create-subtree-view --view-name AD-View \
--set base-dn:dc=dom-ad2,dc=local \
--set request-processor:AD-Proxy
dsconfig set-client-connection-policy-prop --policy-name default \
--set subtree-view:AD-View
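The page lists the AD settings as requirements but gives no way to check a batch before it is applied. The following Python script is an added example, not part of the page or of the Ping tooling: it parses create-external-server commands out of a dsconfig batch (joining backslash continuations), verifies the settings the page requires on every active-directory server, checks that max-connection-age is shorter than AD's 15-minute idle timeout, and flags the two weaknesses of the example script, Blind Trust and an embedded bind password. PAGE_SCRIPT is the AD-SRV1 command copied from the page; BAD_SCRIPT, the host ad.example.test and the server name AD-BAD are constructed for the example.

```python
"""Lint a dsconfig batch for the Active Directory backend settings required above (added example)."""
import re
import shlex

# Settings the page requires on every --type active-directory external server.
REQUIRED_AD_SETTINGS = {
    "verify-credentials-method": "bind-on-existing-connections",  # AD has no proxy-as
    "authorization-method": "rebind",
}
AD_IDLE_TIMEOUT_SECONDS = 15 * 60  # AD drops idle connections after 15 minutes

_DURATION = re.compile(r"^(\d+)\s*(ms|s|m|h|d|seconds?|minutes?|hours?|days?)$")
_UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def duration_seconds(value):
    """Parse a dsconfig-style duration such as '5m', '300 s' or '1 hour'; None if unparseable."""
    m = _DURATION.match(value.strip().lower())
    if not m:
        return None
    unit = m.group(2)
    unit = "ms" if unit == "ms" else unit[0]
    return int(m.group(1)) * _UNIT_SECONDS[unit]


def dsconfig_commands(script):
    """Yield each dsconfig invocation as an argv list, joining backslash line continuations."""
    for line in script.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield shlex.split(line)


def external_servers(script):
    """Map server name -> {'type': ..., 'props': {property: value}} for each create-external-server."""
    servers = {}
    for argv in dsconfig_commands(script):
        if argv[:2] != ["dsconfig", "create-external-server"]:
            continue
        entry = {"type": None, "props": {}}
        name = None
        args = iter(argv[2:])
        for tok in args:
            if tok == "--server-name":
                name = next(args, "")
            elif tok == "--type":
                entry["type"] = next(args, "")
            elif tok == "--set":
                prop, _, value = next(args, "").partition(":")
                entry["props"][prop] = value
        servers[name] = entry
    return servers


def ad_findings(script):
    """Return (server, message) findings for every active-directory external server in the batch."""
    findings = []
    for name, srv in external_servers(script).items():
        if srv["type"] != "active-directory":
            continue
        p = srv["props"]
        for prop, want in REQUIRED_AD_SETTINGS.items():
            if p.get(prop) != want:
                findings.append((name, f"{prop} must be {want}, got {p.get(prop, 'unset')}"))
        age = duration_seconds(p.get("max-connection-age", ""))
        if age is None or age >= AD_IDLE_TIMEOUT_SECONDS:
            findings.append((name, "max-connection-age must be shorter than AD's 15 minute idle timeout"))
        if p.get("health-check-pooled-connections") != "true":
            findings.append((name, "health-check-pooled-connections must be true"))
        if p.get("connection-security") not in ("ssl", "starttls"):
            findings.append((name, "connection-security is not ssl/starttls; the bind password crosses the wire in clear text"))
        if p.get("trust-manager-provider") == "Blind Trust":
            findings.append((name, "Blind Trust skips AD certificate validation; use a trust store holding the AD CA"))
        if "password" in p:
            findings.append((name, "bind password is embedded in the script; restrict who can read it"))
    return findings


# Copied from the page's example: correct AD settings, but Blind Trust and an inline password.
PAGE_SCRIPT = """\
dsconfig create-external-server --server-name AD-SRV1 --type active-directory \\
--set server-host-name:example.server \\
--set server-port:636 \\
--set bind-dn:cn=ProxyUser,dc=dom-ad2,dc=local \\
--set password:password --set connection-security:ssl \\
--set key-manager-provider:Null --set trust-manager-provider:"Blind Trust" \\
--set authorization-method:rebind \\
--set verify-credentials-method:bind-on-existing-connections \\
--set max-connection-age:5m \\
--set health-check-pooled-connections:true
"""

# Constructed for this example: a plaintext LDAP server missing most of the required settings.
BAD_SCRIPT = """\
dsconfig create-external-server --server-name AD-BAD --type active-directory \\
--set server-host-name:ad.example.test \\
--set server-port:389 \\
--set bind-dn:cn=ProxyUser,dc=example,dc=test \\
--set connection-security:none \\
--set authorization-method:rebind \\
--set max-connection-age:1h
"""

if __name__ == "__main__":
    for label, script in (("page example", PAGE_SCRIPT), ("constructed bad example", BAD_SCRIPT)):
        print(f"== {label}")
        for server, message in ad_findings(script):
            print(f"{server}: {message}")
```

Run it against the batch before handing it to dsconfig: the page's own example should produce only the Blind Trust and embedded-password findings, and anything else listed is a requirement from the bullets above that the batch does not meet.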