Integration with Active Directory in HA mode

To implement an alternative URL (Domain Controller) for Active Directory, perform the following:

  1. Open for edit $PAM_HOME/web/conf/server.xml. Find PAM AD REALM section there end add this property to Realm configuration: alternateURL="${ldap.alt}"
  2. The updated realm specification will look like on the exhibition below:

    Copy
    <Realm
               className="com.pam.config.JNDIRealmEncrypted" 
               debug="99"
               connectionURL="${ldap.url}"
               alternateURL="${ldap.alt}"
               authentication="simple"
               referrals="follow"
               connectionName="${ldap.managerDn}"
               connectionPassword="${ldap.managerPassword}" 
               userSearch="${ldap.authn.searchFilter}"
               userBase="${ldap.baseDn}" 
               userSubtree="true"
               roleSearch="${ldap.roleSearch}" 
               roleName="${ldap.roleName}" 
               roleSubtree="true"
               roleBase="${ldap.roleBase}" 
    />

    Result will be similar to this screenshot:

    Help-Integration-with-AD01.png

  3. Open $PAM_HOME/web/conf/catalina.properties. Search for MS AD configuration section and add the following line replacing ALTERNATE-LDAP-URL with your alternate AD URL:

      ldap.alt=ALTERNATE-LDAP-URL

      Copy
      ldap.alt=ldaps://dc2.somedomain.local:636

      Help-Integration-with-AD02.png

      Search for cas.authn.ldap[1] properties group. For deployments using Federated Sign-In component list alternative LDAP URLs space separated in cas.authn.ldap[1].ldapUrl. This property accepts space separated list of domain controllers add necessary controllers there.

      Edit parameter like in the example below:

      Copy
      cas.authn.ldap[1].ldapUrl=ldaps://dc1.domain.local:636 
      ldaps://dc2.domain.local:636

       

      Help-Integration-with-AD03.png

  4. Ensure that there are no trailing spaces in properties values. Save and close both files.
  5. Import certificates from all domain controllers to PAM local java keystore on all PAM nodes using PAM CLI Utility PamDirectory SSLImport command. This can be done by issuing followed command from ($PAM_HOME) location:
  6. Copy
    bin/PamDirectory.sh sslimport dc1.somedomain.local 636

  7. Restart PamManagment (pammanager for Linux).

cas.authn.ldap is for CAS authentication (forms based auth and sso).