Page created: 22 Jul 2020 | Page updated: 12 Dec 2022
Configuring an Active Directory server back-end requires a
dsconfig script. The following settings are required for an
Active Directory server:
- verify-credentials-method:bind-on-existing-connections and authorization-method:rebind
  Active Directory does not support proxied authorization (proxy-as), so the proxy cannot open a connection as itself and then act on behalf of the end user. Instead it must reuse its existing pooled connections and re-bind with the user's credentials to verify them and to authorize the user's operations.
- max-connection-age:5m and health-check-pooled-connections:true
  Active Directory drops idle connections after 15 minutes. With a 5 minute maximum connection age the proxy recycles pooled connections well before that limit, and health-checking pooled connections catches any connection the domain controller has already closed before a client request is sent over it.
The following example dsconfig script configures two Active Directory servers (AD-SRV1 and AD-SRV2), a load-balancing algorithm across them, a proxying request processor, and a subtree view that routes dc=dom-ad2,dc=local to that processor. The first command resets the "Consume Admin Alerts" health check so that it is not applied to every server, since Active Directory has no admin-alerts backend for it to read.

dsconfig set-ldap-health-check-prop --check-name "Consume Admin Alerts" \
  --reset use-for-all-servers

dsconfig set-trust-manager-provider-prop \
  --provider-name "Blind Trust" \
  --set enabled:true

dsconfig create-external-server --server-name AD-SRV1 --type active-directory \
  --set server-host-name:example.server \
  --set server-port:636 \
  --set bind-dn:cn=ProxyUser,dc=dom-ad2,dc=local \
  --set password:password \
  --set connection-security:ssl \
  --set key-manager-provider:Null \
  --set trust-manager-provider:"Blind Trust" \
  --set authorization-method:rebind \
  --set verify-credentials-method:bind-on-existing-connections \
  --set max-connection-age:5m \
  --set health-check-pooled-connections:true

dsconfig create-external-server --server-name AD-SRV2 --type active-directory \
  --set server-host-name:example.server \
  --set server-port:636 \
  --set bind-dn:cn=ProxyUser,dc=dom-ad2,dc=local \
  --set password:password \
  --set connection-security:ssl \
  --set key-manager-provider:Null \
  --set trust-manager-provider:"Blind Trust" \
  --set authorization-method:rebind \
  --set verify-credentials-method:bind-on-existing-connections \
  --set max-connection-age:5m \
  --set health-check-pooled-connections:true

dsconfig create-load-balancing-algorithm --algorithm-name AD-LBA \
  --type fewest-operations \
  --set enabled:true \
  --set backend-server:AD-SRV1 \
  --set backend-server:AD-SRV2 \
  --set use-location:false

dsconfig create-request-processor --processor-name AD-Proxy --type proxying \
  --set load-balancing-algorithm:AD-LBA

dsconfig create-subtree-view --view-name AD-View \
  --set base-dn:dc=dom-ad2,dc=local \
  --set request-processor:AD-Proxy

dsconfig set-client-connection-policy-prop --policy-name default \
  --set subtree-view:AD-View

Two points in this example are for a lab only. The "Blind Trust" trust manager provider accepts any certificate the domain controller presents, so the LDAPS connection is encrypted but the Active Directory server is not authenticated, and a host that can intercept traffic on port 636 can impersonate it and capture the ProxyUser bind credentials and every user password the proxy re-binds with. In production, use a trust manager provider backed by a trust store that contains the certificate chain of the Active Directory CA. The bind password should also not be written in clear text into a script that is kept on disk or in version control; give the ProxyUser account only the read access the proxy needs, and rotate the password if the script has been shared.
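The settings above are easy to get wrong when a dsconfig batch is hand-edited or copied between environments, and nothing in the batch itself fails if one of them is missing. The following is an added example, not part of this page or of the PingDirectory product: a small Python lint that parses a dsconfig batch file, finds every create-external-server command of type active-directory, and reports any server that lacks the two required authentication settings or the two connection-pool settings, or that still uses the "Blind Trust" provider. The batch text embedded in it is constructed for the demonstration (server names AD-GOOD, AD-BAD, DS1 and the trust provider name AD-CA-Trust are assumptions), with one compliant server, one that gets every check wrong, and one non-AD server that the lint must ignore.

```python
import re
import shlex

# Constructed sample dsconfig batch for the demonstration (not the page's script):
# one compliant Active Directory server, one with every required setting wrong,
# and one non-AD server that must be skipped.
SAMPLE_BATCH = r"""
dsconfig set-trust-manager-provider-prop --provider-name "Blind Trust" --set enabled:true
dsconfig create-external-server --server-name AD-GOOD --type active-directory \
  --set server-host-name:ad1.example.local \
  --set server-port:636 \
  --set bind-dn:cn=ProxyUser,dc=example,dc=local \
  --set password:password \
  --set connection-security:ssl \
  --set trust-manager-provider:AD-CA-Trust \
  --set authorization-method:rebind \
  --set verify-credentials-method:bind-on-existing-connections \
  --set max-connection-age:5m \
  --set health-check-pooled-connections:true
dsconfig create-external-server --server-name AD-BAD --type active-directory \
  --set server-host-name:ad2.example.local \
  --set server-port:636 \
  --set connection-security:ssl \
  --set trust-manager-provider:"Blind Trust" \
  --set authorization-method:proxy-as \
  --set max-connection-age:30m
dsconfig create-external-server --server-name DS1 --type ping-identity-ds \
  --set server-host-name:ds1.example.local
"""

AD_IDLE_TIMEOUT_SECONDS = 15 * 60  # Active Directory closes idle connections after 15 minutes

_UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def duration_seconds(value):
    """Parse a dsconfig duration such as '5m', '900 s' or '1h' into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*(ms|s|m|h|d)\s*", value)
    if not m:
        raise ValueError("unrecognised duration: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2)]


def logical_lines(batch_text):
    """Join backslash-continued lines so that each dsconfig command is one string."""
    lines, current = [], ""
    for raw in batch_text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            current += stripped[:-1] + " "
            continue
        current += stripped
        if current.strip():
            lines.append(current.strip())
        current = ""
    if current.strip():
        lines.append(current.strip())
    return lines


def parse_external_servers(batch_text):
    """Return {server-name: {"type": ..., "props": {key: [values]}}} for every
    create-external-server command; multi-valued --set keys keep every value."""
    servers = {}
    for line in logical_lines(batch_text):
        tokens = shlex.split(line)  # handles quoted values such as "Blind Trust"
        if tokens[:2] != ["dsconfig", "create-external-server"]:
            continue
        name, stype, props = None, None, {}
        i = 2
        while i + 1 < len(tokens):
            tok, arg = tokens[i], tokens[i + 1]
            if tok == "--server-name":
                name = arg
            elif tok == "--type":
                stype = arg
            elif tok == "--set":
                key, _, value = arg.partition(":")
                props.setdefault(key, []).append(value)
            else:
                i += 1
                continue
            i += 2
        if name:
            servers[name] = {"type": stype, "props": props}
    return servers


def check_ad_server(props):
    """Findings for one active-directory external server against the required settings."""
    def last(key):
        return props.get(key, [None])[-1]

    findings = []
    if last("verify-credentials-method") != "bind-on-existing-connections":
        findings.append("verify-credentials-method must be bind-on-existing-connections")
    if last("authorization-method") != "rebind":
        findings.append("authorization-method must be rebind (AD does not support proxy-as)")
    age = last("max-connection-age")
    if age is None or duration_seconds(age) >= AD_IDLE_TIMEOUT_SECONDS:
        findings.append("max-connection-age must be set below the 15m AD idle timeout")
    if last("health-check-pooled-connections") != "true":
        findings.append("health-check-pooled-connections must be true")
    if last("trust-manager-provider") == "Blind Trust":
        findings.append("trust-manager-provider is Blind Trust: AD server certificate is not verified")
    return findings


def lint_batch(batch_text):
    """Map each active-directory server name in the batch to its list of findings."""
    return {name: check_ad_server(s["props"])
            for name, s in parse_external_servers(batch_text).items()
            if s["type"] == "active-directory"}


if __name__ == "__main__":
    for server, findings in lint_batch(SAMPLE_BATCH).items():
        print(server, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it against a real batch file by reading the file into lint_batch; the parser only looks at create-external-server commands, so set-external-server-prop changes applied later in the same batch are not merged and should be checked separately.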