CA Service Management

  • 1.  EEM multiple LDAP

    Posted Jan 31, 2018 12:39 PM

    I have my EEM (used for user validation in CA SDM, Catalog, USS and ITPAM) configured to access multiple remote Active Directories (I have multiple ADs because we use SDM in a multi-tenancy configuration).

    Access to the multiple Active Directories is via VPN access configured on the EEM server to the various ADs that I need to access.

    The other day no one was able to log in to the applications (SDM returned a login timeout error), and after logging in to the EEM server (the same server that has SDM and USS installed), I was not able to log in to the EEM interface.

    I suspect that an instability with one of our AD accesses caused the problem.

    After a couple of minutes, EEM was responsive again and everyone could log in to the applications again.

    Is my suspicion correct that the unavailability of one AD can cause this kind of instability in EEM access?

    If yes, is there some configuration that can be done to prevent this?



  • 2.  Re: EEM multiple LDAP
    Best Answer

    Broadcom Employee
    Posted Feb 01, 2018 02:39 AM

    Good morning Paulo.

    As per your explanation "unavailability of one AD can cause this kind of instability in EEM".
    Yes, that could be true. However, I've seen this happening only once, and a while ago.

    For the current release of EEM, I am unaware of any 'test' functionality to see whether all ADs can be connected to,
    to perform some kind of 'health check' when you like.

    Perhaps other member(s) of this community can shine their light on this subject?

    Thanks and kind regards, Louis van Amelsfort.
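
An external reachability check of the kind discussed above, as an added example that is not part of the original posts and is not an EEM feature. It only tests TCP connectivity to each directory endpoint over the VPN, not an LDAP bind. The tenant names, host names, ports and thresholds are assumptions to replace with your own.

```python
import socket
import time

# Hypothetical tenant-to-DC map; replace with the hosts configured in EEM.
DOMAIN_CONTROLLERS = {
    "TENANT-A": ("dc1.tenant-a.example", 389),   # LDAP
    "TENANT-B": ("dc1.tenant-b.example", 636),   # LDAPS
}

def probe(host, port, timeout=3.0):
    """TCP connect to one LDAP endpoint; return (reachable, seconds, detail)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, time.monotonic() - start, "connected"
    except socket.timeout:
        # VPN tunnel down or packets dropped: the case that stalls logins
        return False, time.monotonic() - start, "timeout"
    except OSError as exc:
        # refused connection, DNS failure, unreachable network, ...
        return False, time.monotonic() - start, exc.__class__.__name__

def check_all(controllers, timeout=3.0, slow_after=1.0):
    """Probe every domain and classify it as OK, SLOW or DOWN."""
    report = {}
    for domain, (host, port) in sorted(controllers.items()):
        ok, elapsed, detail = probe(host, port, timeout)
        if not ok:
            status = "DOWN"
        elif elapsed > slow_after:
            status = "SLOW"
        else:
            status = "OK"
        report[domain] = {"status": status,
                          "seconds": round(elapsed, 3),
                          "detail": detail}
    return report

def unhealthy(report):
    """Domains that would slow down or break an all-domain user search."""
    return sorted(d for d, r in report.items() if r["status"] != "OK")

if __name__ == "__main__":
    result = check_all(DOMAIN_CONTROLLERS)
    for domain, r in result.items():
        print(f"{domain:12} {r['status']:5} {r['seconds']:.3f}s {r['detail']}")
    raise SystemExit(1 if unhealthy(result) else 0)
```

Run from the EEM server on a schedule, the non-zero exit code can feed whatever monitoring is already in place.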



  • 3.  Re: EEM multiple LDAP

    Posted Feb 01, 2018 08:02 AM

    Today I discovered that my EEM 12.51 is not at the latest version.

    I will try to update to version CR4 and see if something changes in this behavior.



  • 4.  Re: EEM multiple LDAP

    Broadcom Employee
    Posted Feb 01, 2018 11:12 AM

    Hi Paulo,

    I have raised a question once about EEM having multiple domains versus slowness when any of them are out of order for some reason, and the answer I got is below. Check if this could be useful in your case.

    "I assume that the customer is using "Multiple Microsoft Active Directory Domains" User Store configuration of EEM. If that is the case, you will be configuring each DC as a domain in EEM. After this configuration, you are supposed to use the usernames and the group names qualified with the domain name (principal name).

    Say, User1 is in Domain1 and User2 is in Domain2. If you need to authenticate User1, you need to use Domain1\User1 as the user name. And similarly Domain2\User2 for User2. If you do not qualify the username with the domain name, then EEM has to search all the domains configured with EEM to get the DN of the user for the authentication/ldap-bind. As a result, you might experience slowness. And if there is any problem with one of the DCs, the situation could be much worse.

    This is applicable even for the Application instance's policies as well. All the policies must be defined with the domain-qualified usernames and group names, not the plain usernames or group names."


    Regards,

    Roberto



  • 5.  Re: EEM multiple LDAP

    Posted Feb 01, 2018 11:36 AM

    In my case I'm not using domain names, but the email_address of the respective users.