
How to configure secondary LDAP server -- ERROR domain is already set on server (primary)

I am having trouble setting up a secondary LDAP server in a TZ300W running 6.5.4.8-89n. I am getting the error message: "Error: LDAP user domain: Domain xxyy.com on server 2.3.4.5 is already set on server 1.2.3.4"

LDAP to the primary server works. The "Connectivity/bind test" and the "User Authentication Test" are good. The directory configuration defines xxyy.com.

LDAP to the secondary server works ONLY for the Connectivity/bind test. The User Authentication Test generates "LDAP Configuration Error". The failure is expected since no directory is specified in the server definition.

The production 3650s which were initially configured with version 5.x to 6.2 to 6.5 work correctly and DO specify the domain and search entries in both the primary and secondary LDAP servers.

What needs to be set or changed to specify two working LDAP servers?

Thanks

Category: Mid Range Firewalls

Best Answer

  • GMP Newbie ✭ (accepted answer)

    The solution is to specify the second LDAP server as a backup server. Here is the text from Technical Support

    In regards to your questions, the error you are getting is expected. A secondary LDAP refers to a separate domain where authentication will also be done and in most cases will work together with Authentication Partitioning. To set up a second LDAP server that is for the same domain, you will have to assign it as a Backup / Replica Server. Through the GUI you will see the radio option under the Settings tab; through the CLI, after your server x.x.x.x command you will issue the role backup command.

    After I updated my server, the server definitions were the following.

    server 1.2.3.4
        enable
        role primary
        ...
        directory
          primary-domain mycompany.com
          users-tree mycompany.com/MyCompany
          users-tree mycompany.com/
          user-groups-tree mycompany.com/MyCompany
          user-groups-tree mycompany.com/
          exit

    server 2.3.4.5
        enable
        role secondary
        port 636
        timeout server 10
        timeout operation 5
        use-tls
        no send-start-tls-request

    So the solution is to specify 'backup server'.

    I am not going to change the running NSa3650 SonicWalls. (They are working, reliable, solid systems.)

    Thanks for your help

    Greg
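The rule from the support reply (the same domain may appear on two servers only when the second one is a backup/replica) is easy to check offline against a saved "show user ldap" dump before committing on the firewall. The following is an added example written for this page, not SonicWall code and not something the poster used: it parses the config layout shown in the thread, reproduces the "already set on server" conflict, rewrites the second server's role to backup (the `role backup` command quoted from support) and re-checks. It also flags a hardening point visible in the posted config: `use-tls` on a server while the global block says `no require-valid-certificate`, which means the LDAP server's certificate is not validated. The sample text, the function names and the lint output format are all my own constructions; the keywords and addresses are the ones that appear in the thread.

```python
"""Lint a saved SonicOS `show user ldap` dump (added example, not SonicWall code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the configs posted in this thread.
# 1.2.3.4 / 2.3.4.5 / mycompany.com are the poster's placeholders.
SAMPLE = """\
user ldap
  protocol-version 3
  no require-valid-certificate
  allow-referrals
  server 1.2.3.4
    enable
    role primary
    directory
      primary-domain mycompany.com
      users-tree mycompany.com/MyCompany
      exit
  server 2.3.4.5
    enable
    role secondary
    port 636
    timeout server 10
    use-tls
    directory
      primary-domain mycompany.com
      exit
"""


@dataclass
class LdapServer:
    address: str
    role: Optional[str] = None
    use_tls: bool = False
    primary_domain: Optional[str] = None


@dataclass
class LdapConfig:
    require_valid_certificate: bool = True   # global setting, precedes the server blocks
    servers: List[LdapServer] = field(default_factory=list)


def parse_user_ldap(text: str) -> LdapConfig:
    """Line-oriented parse: a `server <addr>` line opens a block, everything after it
    (including the nested `directory` section) belongs to that server until the next one."""
    cfg = LdapConfig()
    current: Optional[LdapServer] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("server "):
            current = LdapServer(address=line.split(None, 1)[1].strip())
            cfg.servers.append(current)
        elif current is None:
            if line == "require-valid-certificate":
                cfg.require_valid_certificate = True
            elif line == "no require-valid-certificate":
                cfg.require_valid_certificate = False
        elif line.startswith("role "):
            current.role = line.split(None, 1)[1].strip()
        elif line == "use-tls":
            current.use_tls = True
        elif line == "no use-tls":
            current.use_tls = False
        elif line.startswith("primary-domain "):
            current.primary_domain = line.split(None, 1)[1].strip().lower()
    return cfg


def domain_conflicts(cfg: LdapConfig) -> List[str]:
    """A domain may be owned by one primary/secondary server; a `role backup`
    server is a replica of the owner and is exempt. Messages mirror the firewall's error."""
    owner: Dict[str, str] = {}
    problems: List[str] = []
    for s in cfg.servers:
        if s.primary_domain is None or s.role == "backup":
            continue
        if s.primary_domain in owner:
            problems.append(f"Domain {s.primary_domain} on server {s.address} "
                            f"is already set on server {owner[s.primary_domain]}")
        else:
            owner[s.primary_domain] = s.address
    return problems


def tls_without_verification(cfg: LdapConfig) -> List[str]:
    """TLS to the directory without checking its certificate leaves the bind open to
    an impersonating server; report every `use-tls` server when validation is off."""
    if cfg.require_valid_certificate:
        return []
    return [s.address for s in cfg.servers if s.use_tls]


def set_role(text: str, address: str, role: str) -> str:
    """Rewrite the `role` line of one server block in the dump, keeping indentation."""
    out, in_target = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("server "):
            in_target = line.split(None, 1)[1].strip() == address
        elif in_target and line.startswith("role "):
            indent = raw[: len(raw) - len(raw.lstrip())]
            raw = f"{indent}role {role}"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    cfg = parse_user_ldap(SAMPLE)
    for p in domain_conflicts(cfg):
        print("CONFLICT:", p)
    for a in tls_without_verification(cfg):
        print("WARNING: use-tls on", a, "but require-valid-certificate is off")
    fixed = parse_user_ldap(set_role(SAMPLE, "2.3.4.5", "backup"))
    print("after 'role backup':", domain_conflicts(fixed) or "no domain conflict")
```

Run it against your own saved dump by replacing SAMPLE with the file contents; the conflict line it prints for the unmodified sample is the same text the TZ300W rejected the commit with, and it disappears once the second server is a backup.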

Answers

  • TKWITS Community Legend ✭✭✭✭✭

    Did you specify the second server as the 'Secondary LDAP server' using the radio button?

  • Hi @GMP ,

    • Have you listed the domain under the Directory-> Trees E
    • Enabled the option Allow referrals – Select this option for SonicWall to search user information located on Domain B LDAP server

    Thanks

    Nevyaditha P

    Technical Support Advisor, Premier Services

  • GMP Newbie ✭

    Thank you, TKWITS and NEVYADITHA for your responses.

    I am specifying the second server as secondary. The GUI allows only one interface to be specified as Primary. Also, Allow Referrals is set.

    To check my work, I have made the "user ldap" configuration of the TZ300W identical to the working NSA3650 configuration. The beginning sections and the configuration of the first/primary server are identical. I compared the configuration through the command, "show user ldap", saving the response, and running diff against the two text files.

    In the TZ300W, the "user ldap" section from the beginning through the end of "server 1.2.3.4" is identical. I also made the configuration of "server 2.3.4.5" match, except for the directory setting. The text, below shows the error message when I try to commit the identical directory setting in the secondary as is in the primary.

    user@TZ300W> configure
    config(TZ300W)# user ldap
    (config-user-ldap)# server 2.3.4.5
    (edit-ldap-server[2.3.4.5])# directory
    (edit-ldap-directory)# primary-domain mycompany.com
    (edit-ldap-directory)# commit
    % Applying changes
    ...
    % Error: LDAP user domain: Domain mycompany.com on server 2.3.4.5 is
             already set on server 1.2.3.4.
    (edit-ldap-directory)#
    

    Is there a licensing difference where NSa3650 can reference 2 ldap servers, but TZ300W can reference only 1 ldap server?

    I have done a stare and compare of the "show user ldap" sections of the working NSa3650s and the failing TZ300W configuration.

    Here are the relevant sections of the working NSA3650 section, "user ldap". (I have used mycompany phrases to disguise the actual phrases.)

    NSA3650
    user ldap
      protocol-version 3
      no require-valid-certificate
      no local-tls-certificate
      allow-referrals
      no allow-references user-authentication
      allow-references auto-configuration
      allow-references domain-search
      allow-references other-search
      no local-users-only
      default-user-group "MYCOMPANY\\VPN User"
      no mirror-user-groups

    server 1.2.3.4
        enable
        role primary
        ...
        directory
          primary-domain mycompany.com
          users-tree mycompany.com/MyCompany
          users-tree mycompany.com/
          user-groups-tree mycompany.com/MyCompany
          user-groups-tree mycompany.com/
          exit

    server 2.3.4.5
        enable
        role secondary
        ...
        directory
          primary-domain mycompany.com
          users-tree mycompany.com/MyCompany/
          user-groups-tree mycompany.com/MyCompany/
          exit


    I look forward to further advice to have a working primary and a working secondary ldap server.

    Thank you

    Greg

  • TKWITS Community Legend ✭✭✭✭✭

    Does it produce the same error in the Web UI?

  • GMP Newbie ✭

    Thank you, TKWITS. The error message is identical via the web interface or via the ssh interface.

    % Error: LDAP user domain: Domain mycompany.com on server 2.3.4.5 is
             already set on server 1.2.3.4.
    

    Good Question. I tried to see if the ssh interface worked differently vs. the web interface. Both are the same.

    Greg
