Configuring an Active Directory Server back-end
To configure an Active Directory (AD) server back-end, run a dsconfig script.
The following settings are required for an Active Directory server:
- verify-credentials-method:bind-on-existing-connections and authorization-method:rebind
  Active Directory does not support proxied authorization (proxy-as), so the proxy cannot act on behalf of a client over one shared authenticated connection. Existing connections must be reused, and the proxy re-binds on them with the client's credentials.
- max-connection-age:5m and health-check-pooled-connections:true
  Active Directory drops idle connections after 15 minutes (the default MaxConnIdleTime LDAP policy). The proxy must refresh its connection pool at a shorter interval, and health-checking pooled connections discards any that the AD server has already closed.
Example
The following example dsconfig script configures two Active Directory servers, AD-SRV1 and AD-SRV2.
# The Consume Admin Alerts health check is meant for Ping Directory Server
# back-ends; stop it from being applied to every server, including AD.
dsconfig set-ldap-health-check-prop --check-name "Consume Admin Alerts" \
  --reset use-for-all-servers

# Blind Trust accepts any certificate the AD server presents (see the note below).
dsconfig set-trust-manager-provider-prop \
  --provider-name "Blind Trust" \
  --set enabled:true

# First AD server. Replace password:password with the real password of the
# proxy bind account.
dsconfig create-external-server --server-name AD-SRV1 --type active-directory \
  --set server-host-name:example.server \
  --set server-port:636 \
  --set bind-dn:cn=ProxyUser,dc=dom-ad2,dc=local \
  --set password:password \
  --set connection-security:ssl \
  --set key-manager-provider:Null \
  --set trust-manager-provider:"Blind Trust" \
  --set authorization-method:rebind \
  --set verify-credentials-method:bind-on-existing-connections \
  --set max-connection-age:5m \
  --set health-check-pooled-connections:true

# Second AD server, configured identically.
dsconfig create-external-server --server-name AD-SRV2 --type active-directory \
  --set server-host-name:example.server \
  --set server-port:636 \
  --set bind-dn:cn=ProxyUser,dc=dom-ad2,dc=local \
  --set password:password \
  --set connection-security:ssl \
  --set key-manager-provider:Null \
  --set trust-manager-provider:"Blind Trust" \
  --set authorization-method:rebind \
  --set verify-credentials-method:bind-on-existing-connections \
  --set max-connection-age:5m \
  --set health-check-pooled-connections:true

# Spread requests across both AD servers.
dsconfig create-load-balancing-algorithm --algorithm-name AD-LBA \
  --type fewest-operations \
  --set enabled:true \
  --set backend-server:AD-SRV1 \
  --set backend-server:AD-SRV2 \
  --set use-location:false

# Route requests for the AD subtree through the load-balancing algorithm.
dsconfig create-request-processor --processor-name AD-Proxy --type proxying \
  --set load-balancing-algorithm:AD-LBA

dsconfig create-subtree-view --view-name AD-View \
  --set base-dn:dc=dom-ad2,dc=local \
  --set request-processor:AD-Proxy

dsconfig set-client-connection-policy-prop --policy-name default \
  --set subtree-view:AD-View

Note: the Blind Trust trust manager provider accepts any certificate the AD server presents, so the TLS connection to AD is encrypted but the server is not authenticated. Use it only for initial testing. In production, configure a trust manager provider backed by a trust store that contains the certificate authority that issued the AD server certificates, and reference that provider instead of "Blind Trust".
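Because the two pairs of settings above are required but nothing in dsconfig refuses a batch file that omits them, it is worth linting the batch file before running it. The following POSIX shell script is an added example written for this page; it is not part of the product or its documentation. It folds the backslash-continued lines of a batch file, finds every create-external-server command whose type is active-directory, reports any of the four required settings that are missing, and warns when the server is configured with the "Blind Trust" trust manager provider. It assumes the batch file is written the way the example above is: one argument per line, continued with trailing backslashes, and values given as key:value without surrounding quotes (apart from provider names such as "Blind Trust"). The sample batch file it writes is constructed for the demonstration and is not from the page.

```shell
#!/bin/sh
# Added example, not part of the product documentation: a pre-flight lint for a
# dsconfig batch file that defines Active Directory external servers.
# Assumption: commands are laid out as in the page's example, one argument per
# line joined with trailing backslashes, values written as key:value.

# check_ad_command CMD: check one dsconfig command that has been folded onto a
# single line. Prints OK/FAIL/WARN lines and returns 0 only when all four
# required settings are present.
check_ad_command() {
  cmd=$1
  name=$(printf '%s\n' "$cmd" | sed -n 's/.*--server-name \([^ ]*\).*/\1/p')
  rc=0
  for required in \
      verify-credentials-method:bind-on-existing-connections \
      authorization-method:rebind \
      max-connection-age:5m \
      health-check-pooled-connections:true
  do
    case "$cmd" in
      *"--set $required"*) ;;
      *) echo "FAIL $name: missing --set $required"; rc=1 ;;
    esac
  done
  # Blind Trust makes the TLS connection unauthenticated; flag it but do not fail.
  case "$cmd" in
    *'trust-manager-provider:"Blind Trust"'*)
      echo "WARN $name: Blind Trust skips certificate validation; use a trust store holding the AD CA in production" ;;
  esac
  if [ "$rc" -eq 0 ]; then echo "OK   $name"; fi
  return "$rc"
}

# check_ad_batch FILE: lint every active-directory external server in a dsconfig
# batch file. Returns 0 only when every AD server passes check_ad_command.
check_ad_batch() {
  tmp=$(mktemp)
  # Fold backslash-continued lines so that each dsconfig command is one line.
  sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" > "$tmp"
  status=0
  while IFS= read -r cmd; do
    case "$cmd" in
      *create-external-server*"--type active-directory"*)
        check_ad_command "$cmd" || status=1 ;;
    esac
  done < "$tmp"
  rm -f "$tmp"
  return "$status"
}

# write_sample FILE: constructed sample batch file (not from the page). AD-SRV1
# carries every required setting; AD-SRV2 omits max-connection-age and
# health-check-pooled-connections, so it must fail the lint.
write_sample() {
  cat > "$1" <<'EOF'
dsconfig create-external-server --server-name AD-SRV1 --type active-directory \
  --set server-host-name:example.server \
  --set server-port:636 \
  --set bind-dn:cn=ProxyUser,dc=dom-ad2,dc=local \
  --set password:password \
  --set connection-security:ssl \
  --set key-manager-provider:Null \
  --set trust-manager-provider:"Blind Trust" \
  --set authorization-method:rebind \
  --set verify-credentials-method:bind-on-existing-connections \
  --set max-connection-age:5m \
  --set health-check-pooled-connections:true
dsconfig create-external-server --server-name AD-SRV2 --type active-directory \
  --set server-host-name:example.server \
  --set server-port:636 \
  --set connection-security:ssl \
  --set trust-manager-provider:"Blind Trust" \
  --set authorization-method:rebind \
  --set verify-credentials-method:bind-on-existing-connections
EOF
}

# Demo: AD-SRV1 produces WARN and OK, AD-SRV2 produces two FAIL lines and WARN.
write_sample ad-sample.dsconfig
check_ad_batch ad-sample.dsconfig || echo "ad-sample.dsconfig: at least one AD server is misconfigured"
rm -f ad-sample.dsconfig
```

Run it against your own batch file with `check_ad_batch my-ad.dsconfig`; a non-zero exit status means at least one AD server is missing a required setting, and the WARN lines tell you which servers still rely on Blind Trust.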