Completed

Identity Broker Server IP Address Reassignment

Richard Courtenay 9 years ago updated by anonymous 9 years ago 4
Request

https://unifysolutions.jira.com/wiki/display/IDB50/LDAP+Configuration

In Identity Broker 5.X, if services on other servers need to contact Identity Broker you have to supply the server's IP address. I have the following questions:

a) The UI does not allow me to enter in another server's IP address; if I do this I get a message stating the IP is not valid in the current context. This is good. What happens, however, if the server's IP address were to be changed? Will Identity Broker pick this up and compensate when it's next restarted, will it fail to start, or will something else happen?

b) Is there any reason this field can't take in the fully qualified domain name of the server? The FIM Administrators aren't likely to be network administrators, so ideally they could configure services with a higher level of granularity than an IP address (which they don't manage). 127.0.0.1 is OK for localhost as it's universal; anything else might cause issues based on the behaviour in question (a).

c) As an extension of part (b), could the field be removed outright? If traffic is to be restricted to localhost, firewall rules could be used on the assigned port.

Task
  • Update documentation to let users know that IdB can be bound to any IP.
  • Make the "any" IP easier to configure in the UI
  • Consider offering ability to select the IP (or preferably the network adapter) (keep in mind this should come from the server and not studio)

The problem is the hostname can resolve to multiple addresses. Even on my local machine my hostname resolves to 8 IPs. Would there be some rule we could use to pick up only the desired one? Or would the use case be satisfied by binding to any of the IPs? I think you should be able to do this using 0 (or 0.0.0.0). If that works I can look at making this easier to do in the UI.

Thanks.

Would there be some rule we could use to pick up only the desired one? Or would the use case be satisfied by binding to any of the IPs?

I'm not sure what the ideal behaviour would be. Is there any precedent when it comes to connections to AD or in particular AD LDS? I imagine conforming to whatever they use would make sense? I admittedly haven't checked to see how they handle addressing.

0.0.0.0

Just tried that and was able to connect using the server's hostname from both a local and a remote server's LDP session. I'll probably use that for now and see how things go.
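The two points made above (a hostname can resolve to several addresses, and binding to 0.0.0.0 makes the listener reachable via any of them) can be checked on any machine with a small script. The following is an added example written for this thread, not code from Identity Broker or its documentation. It resolves a hostname to its IPv4 addresses, then starts a throwaway TCP listener bound to a chosen address on an ephemeral port and probes which destination addresses can complete a connection. The listener, the probe addresses and the use of the local machine's own hostname are all constructed for the demonstration; nothing is LDAP-specific.

```python
import socket
from contextlib import closing


def resolve_addresses(hostname: str) -> list[str]:
    """Return the distinct IPv4 addresses a hostname resolves to (empty if unresolvable).

    This is the situation described in the thread: one name, possibly many addresses,
    with no rule in the name itself saying which one a service should bind to.
    """
    try:
        infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET,
                                   type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def start_listener(bind_addr: str) -> tuple[socket.socket, int]:
    """Bind a TCP listener to bind_addr on an ephemeral port. Caller must close it.

    bind_addr "127.0.0.1" -> reachable only via loopback.
    bind_addr "0.0.0.0"   -> reachable via every address the host owns.
    A specific interface address -> reachable only via that address.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


def can_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as client:
        client.settimeout(timeout)
        try:
            client.connect((host, port))
            return True
        except OSError:                # refused, unreachable, or timed out
            return False


def reachability(bind_addr: str, probe_addrs: list[str]) -> dict[str, bool]:
    """Bind a listener to bind_addr and report which probe addresses can reach it."""
    srv, port = start_listener(bind_addr)
    try:
        return {addr: can_connect(addr, port) for addr in probe_addrs}
    finally:
        srv.close()


if __name__ == "__main__":
    # Constructed demonstration: use this machine's own hostname, as in the thread.
    name = socket.gethostname()
    addrs = resolve_addresses(name)
    print(f"{name} resolves to {len(addrs)} IPv4 address(es): {addrs}")

    probes = ["127.0.0.1"] + [a for a in addrs if a != "127.0.0.1"]
    for bind_addr in ("127.0.0.1", "0.0.0.0"):
        print(f"listener bound to {bind_addr}: {reachability(bind_addr, probes)}")
```

Run it as a script to see the difference the bind address makes on your own host: a listener on 127.0.0.1 answers only on loopback, while 0.0.0.0 answers on every resolved address. That second behaviour is exactly what the LDP test in this thread relied on, and it is also why the firewall rule on the assigned port suggested in part (c) matters once 0.0.0.0 is used: the bind address no longer limits who can reach the service, so the port filter has to.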

Thanks for that, looks good.

Migrated to VSO.