In the Bind User field I use the following:
For AREA LDAP I use the domain\user format: DOMAIN\login
For ARDBC LDAP I use the Distinguished Name format: CN=login,OU=Domain Groups,DC=domain,DC=company,DC=com

You may need to create your own process anyway depending on the number of 
results (page size) allowed in their AD.

Fred

-----Original Message-----
From: Action Request System discussion list(ARSList) 
[mailto:[email protected]] On Behalf Of Jason Lander
Sent: Tuesday, February 15, 2011 4:12 PM
To: [email protected]
Subject: ARDBC LDAP Config with AD Using Kerberos Authentication

Hi All,
 
I am configuring ARDBC LDAP for a client who wants to sync their AD 
People/Location data with People/Sites in Remedy on a daily basis.
 
Normally this would be very easy.  However, it turns out (after much head 
scratching as to why I wasn't getting any results) that the client is using 
Kerberos on their AD server.  This means that the Simple bind (ldap_simple_bind 
which is username and password only) cannot be used.  Instead it needs to use 
the SSPI bind (ldap_bind) which allows the use of a domain name in the bind 
(necessary for Kerberos).  Oddly enough, the ldap_simple_bind will connect and 
you can see the root tree just none of the child objects, hence why the LDAP 
plug-in displayed no errors but just wouldn't return any results!  I assume 
this is just the way it's configured at the client.  But it would have been 
handy to have had an error from the frickin start!
 
It appears that BMC does not support any other protocol other than Simple binds 
(see https://kb.bmc.com/infocenter/index?page=content&id=KA288365&actp=search&viewlocale=en_US&searchid=1297721889169). 
This means I can't connect to the client's AD server...period.
 
Has anyone else come across this problem?  If so, what did you do to get around 
it?  Some alternative options, just off the top of my head, could be:
- Use a physical extract from AD (exported daily).  They don't have AIE so I'd 
  need to create the import process; or
- Create a view over some other database table which has access to AD and chuck 
  a View Form over it; or
- Is it possible to create a view in AD of just the objects I need access to 
  (with standard security)?  I've also asked the Client to find this out; or
- <insert another suggestion here>

Appreciate your thoughts on this.

FYI: Client is running AR System 7.1 P5.

Cheers,

Jason
