Answered

Assistance with configuring LDAP Directory Agent

Bob Bradley 11 years ago updated by anonymous 8 years ago 8

I have an instance of ADAM running on the legacy ILM server which is required to be retained in the new FIM configuration where FIM Sync is a remote Win2008 server. FIM Sync can perform read/write actions to this instance of ADAM, and I can perform LDAP binds using LDP.EXE in the context of a specified service account TESTINTERNAL\miisadamsvc.
However, when I create an EvB agent for this ADAM service the following error is always shown in the EvB logs:

The test of Agent Legacy ADAM (73063509-8fdd-436c-8855-d0525dbb2ff1) failed with message:
System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
at System.DirectoryServices.Protocols.LdapConnection.Connect()
at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
at Unify.Product.EventBroker.OpenLDAPAgent.TestConnection()
at Unify.Product.EventBroker.AgentEngine.Notify(ITestAgentConnectionMessage message)

Parameters set are as follows:
Name: Legacy ADAM
Server: act01ilm01.testinternal.govt/DC=deh,DC=gov,DC=au (I have tried just with the server but that fails, and the working codeless framework requires this full instance path so I figure this should too)
Authentication: Negotiate (I have tried Basic and all other options)
Username: TESTINTERNAL\miisadamsvc

Remote LDP binding with the same user from the EvB server as above works fine:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
	{NtAuthIdentity: User='miisadamsvc'; Pwd=<unavailable>; domain = 'testinternal'}
Authenticated as: 'TESTINTERNAL\miisadamsvc'.
-----------

ADAMUtils.zip

Attached ADAM installer utility to assist troubleshooting while waiting for PG support

The problematic instance of ADAM is a legacy directory which was running as the default "network service", and I thought that to eliminate the possibility of inheriting problems from this directory I would create a new ADAM instance. In particular I wanted to nominate the ADAM service account. However, with a brand new ADAM instance, which again I can bind to with no problems using LDP, I still cannot create a working EvB agent.
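The agent log above fails inside System.DirectoryServices.Protocols.LdapConnection.Connect(), while LDP.EXE binds fine with the same account. The PowerShell below is an added diagnostic, not code from this thread or from UNIFY: it reproduces the bind with that same .NET LDAP stack so that a bad Server value can be told apart from a credential or ADAM problem. It assumes the agent hands its Server field straight to an LdapDirectoryIdentifier (an inference from the stack trace, not something the page confirms), and it reuses the host name, port, partition DN and account from the post; the Split-LdapPath and Test-LdapBind function names are my own.

```powershell
# Added diagnostic (assumption-based, not the EvB agent's own code): bind to ADAM with
# System.DirectoryServices.Protocols, the same stack the agent's stack trace shows.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Split-LdapPath {
    # Break a codeless-framework style "host[:port]/DN" string into its parts.
    param([Parameter(Mandatory)][string] $Path)
    $hostPart, $dn = $Path -split '/', 2
    $hostName, $port = $hostPart -split ':', 2
    [pscustomobject]@{
        Host   = $hostName
        Port   = if ($port) { [int]$port } else { 389 }
        BaseDN = $dn
    }
}

function Test-LdapBind {
    # Connect and bind the way the agent does, then (optionally) read the partition root
    # with a base-scope search to confirm the naming context is actually reachable.
    param(
        [Parameter(Mandatory)][string] $Server,   # host name ONLY, e.g. act01ilm01.testinternal.govt
        [int] $Port = 389,
        [string] $BaseDN,
        [System.Net.NetworkCredential] $Credential,
        [System.DirectoryServices.Protocols.AuthType] $AuthType =
            [System.DirectoryServices.Protocols.AuthType]::Negotiate
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.AuthType = $AuthType
        $conn.SessionOptions.ProtocolVersion = 3      # LDP's "// v.3"
        $conn.SessionOptions.Sealing = $true          # LDP's ldap_set_option(LDAP_OPT_ENCRYPT, 1)
        if ($Credential) { $conn.Credential = $Credential }
        $conn.Bind()                                  # Connect() runs here; a bad host fails before any bind
        $msg = "OK: bound to ${Server}:${Port} with $AuthType"
        if ($BaseDN) {
            $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $BaseDN, '(objectClass=*)', 'Base', $null)
            $null = $conn.SendRequest($req)
            $msg += ", partition $BaseDN readable"
        }
        return $msg
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 81 is the native "server down" code behind "The LDAP server is unavailable".
        return "FAILED: $($_.Exception.Message) (LDAP error $($_.Exception.ErrorCode))"
    }
    finally { $conn.Dispose() }
}

# --- usage, with the thread's own values ---
$cred = Get-Credential 'TESTINTERNAL\miisadamsvc'
$net  = $cred.GetNetworkCredential()     # splits DOMAIN\user into User/Domain for the LDAP bind
$p    = Split-LdapPath 'act01ilm01.testinternal.govt:389/DC=deh,DC=gov,DC=au'

# 1. Host name and port only, DN used for the follow-up search: the shape an LDAP "Server" field wants.
Test-LdapBind -Server $p.Host -Port $p.Port -BaseDN $p.BaseDN -Credential $net

# 2. The full path as a server name: LdapDirectoryIdentifier treats the whole string as a host,
#    so Connect() is expected to fail the same way the agent test does, before credentials matter.
Test-LdapBind -Server 'act01ilm01.testinternal.govt/DC=deh,DC=gov,DC=au' -Credential $net
```

If case 1 binds and reads the partition while case 2 fails with "The LDAP server is unavailable", the account and the ADAM instance are fine and the problem is purely how the Server value is being interpreted; if case 1 also fails, look at the bind itself (authentication type, port, or whether the ADAM service account can be reached from the EvB host) before touching the agent configuration.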

Hi Bob,

Are you able to try the [Active Directory Agent|EB300:Active Directory]? The two agents (and associated operations) use different underlying components, and the AD Agent is designed for AD, ADLDS and ADAM.

Thanks.

Thanks Adam - however that wasn't clear from the documentation here and I bet I am not the last to make this mistake. The LDAP one just seemed on face value (and going by the doco) to be a better fit. I suggest the doco might need a wee review ... e.g. something to say that it is for use with AD OR ADAM/ADLDS, as well as the help text for the "server" property to say something other than just "The full name of the server being connected to" (it also should say "... and optional port number, e.g. myserver:389 ...").

Oh - and I presume that the ADAM partition is deduced by the details specified on the connection tab. What was confusing is that I've only recently configured the codeless framework connection for the same ADAM instance, and the connection string had to be specified in full there, i.e. "act01ilm01.testinternal.govt:389/DC=deh,DC=gov,DC=au"

I've updated [EB300:Active Directory Changes] to also mention ADLDS and ADAM.

I'm not sure what underlying components in Codeless ILM Implementation Framework are doing, but I imagine they are very similar.

I seem to recall ADAM being quite particular with its settings. The easiest way is to make sure the connection works using ADSI Edit or LDP.exe (as mentioned [EB300:Active Directory Changes]).

I have created EB-554 for updating the hint for the Server setting.

Thanks Adam - yes I was using LDP.

Used alternative (Active Directory) agent for ADAM