How to configure secondary LDAP server -- ERROR domain is already set on server (primary)
I am having trouble setting up a secondary LDAP server in a TZ300W running 6.5.4.8-89n. I am getting the error message, Error: LDAP user domain: Domain xxyy.com on server 2.3.4.5 is already set on server 1.2.3.4
LDAP to the primary server works. The "Connectivity/bind test" and the "User Authentication Test" are good. The directory configuration defines xxyy.com.
LDAP to the secondary server works ONLY for the Connectivity/bind test. The User Authentication Test generates "LDAP Configuration Error". The failure is expected since no directory is specified in the server definition.
The production 3650s which were initially configured with version 5.x to 6.2 to 6.5 work correctly and DO specify the domain and search entries in both the primary and secondary LDAP servers.
What needs to be set or changed to specify two working LDAP servers?
Thanks
Best Answer
GMP Newbie ✭
The solution is to specify the second LDAP server as a backup server. Here is the text from Technical Support:
In regards to your questions, the error you are getting is expected. A secondary LDAP refers to a separate domain where authentication will also be done and in most cases will work together with Authentication Partitioning. To set up a second LDAP server that is for the same domain, you will have to assign it as a Backup / Replica Server. Through the GUI you will see the radio option under the Settings tab; through the CLI, after your server x.x.x.x command you will issue the role backup command.
After I updated my server, the server definitions were the following.
server 1.2.3.4
enable
role primary
...
directory
primary-domain mycompany.com
users-tree mycompany.com/MyCompany
users-tree mycompany.com/
user-groups-tree mycompany.com/MyCompany
user-groups-tree mycompany.com/
exit
server 2.3.4.5
enable
role secondary
port 636
timeout server 10
timeout operation 5
use-tls
no send-start-tls-request
So the solution is to specify 'backup server'.
I am not going to change the running NSa3650 SonicWalls. (They are working, reliable, solid systems.)
Thanks for your help
Greg
0
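The accepted answer turns on one rule: a second server with the same domain is only accepted when its role is backup (a replica of the primary); any other role with a duplicate domain triggers the "already set on server" rejection. The following is an added example, not from this thread or from SonicWall: it parses server blocks in the shape of the "show user ldap" output quoted above into dicts and reproduces that check, so two captured configurations can be compared or linted offline before committing. The token layout, the role keyword "backup" and the sample addresses are assumptions taken from the poster's output and the support note; real SonicOS output may carry keywords this parser does not model.

```python
# Added example (not SonicWall code): parse "show user ldap" server blocks and flag a
# second server that repeats the primary's domain without being a backup/replica.
# Token layout and the "backup" role keyword are assumed from the thread's CLI output.

# Constructed sample modelled on the quoted output, with the directory block that the
# poster tried to add to the second server (the combination that produced the error).
SAMPLE = """
server 1.2.3.4
  enable
  role primary
  directory
    primary-domain mycompany.com
    users-tree mycompany.com/MyCompany
    user-groups-tree mycompany.com/
  exit
server 2.3.4.5
  enable
  role secondary
  port 636
  directory
    primary-domain mycompany.com
  exit
"""


def parse_servers(text):
    """Split CLI text into one dict per 'server <address>' block."""
    servers = []
    current = None
    in_directory = False
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        key, args = tokens[0], tokens[1:]
        if key == "server" and args:
            # A new server block; default port is the plain LDAP port.
            current = {"address": args[0], "role": None, "domain": None,
                       "port": 389, "settings": {}}
            servers.append(current)
            in_directory = False
        elif current is None:
            continue  # lines before the first server block are ignored
        elif key == "directory":
            in_directory = True
        elif key == "exit":
            in_directory = False
        elif key == "primary-domain" and in_directory and args:
            current["domain"] = args[0].lower()
        elif key == "role" and args:
            current["role"] = args[0]
        elif key == "port" and args:
            current["port"] = int(args[0])
        else:
            # Keep everything else (enable, users-tree, timeouts, TLS flags) verbatim.
            current["settings"].setdefault(key, []).append(args)
    return servers


def check_domains(servers):
    """Return one error string per server whose domain is already claimed by an
    earlier server and whose role is not 'backup'. Servers without a directory
    block (no domain) are never flagged, matching the poster's final config."""
    first_owner = {}
    errors = []
    for s in servers:
        dom = s["domain"]
        if dom is None:
            continue
        if dom in first_owner and s["role"] != "backup":
            errors.append(f"Domain {dom} on server {s['address']} "
                          f"is already set on server {first_owner[dom]}")
        first_owner.setdefault(dom, s["address"])
    return errors


if __name__ == "__main__":
    for err in check_domains(parse_servers(SAMPLE)):
        print(err)
    fixed = SAMPLE.replace("role secondary", "role backup")
    print("after role backup:", check_domains(parse_servers(fixed)))
```

Running the block prints the same rejection the poster saw for the sample, then an empty error list once the second server's role is changed to backup; the same functions can be pointed at two saved "show user ldap" captures to compare what each firewall would accept.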
Answers
Did you specify the second server as the 'Secondary LDAP server' using the radio button?
Hi @GMP,
Thanks
Nevyaditha P
Technical Support Advisor, Premier Services
Thank you, TKWITS and NEVYADITHA, for your responses.
I am specifying the second server as secondary. The GUI allows only one interface to be specified as Primary. Also, Allow Referrals is set.
To check my work, I have made the "user ldap" configuration of the TZ300W identical to the working NSA3650 configuration. The beginning sections and the configuration of the first/primary server are identical. I compared the configuration through the command, "show user ldap", saving the response, and running diff against the two text files.
In the TZ300W, the "user ldap" section from the beginning through the end of "server 1.2.3.4" is identical. I also made the configuration of "server 2.3.4.5" match, except for the directory setting. The text below shows the error message when I try to commit the identical directory setting in the secondary as is in the primary.
Is there a licensing difference where NSa3650 can reference 2 ldap servers, but TZ300W can reference only 1 ldap server?
I have done a stare and compare of the "show user ldap" sections of the working NSa3650s and the failing TZ300W configuration.
Here are the relevant sections of the working NSA3650 section, "user ldap". (I have used mycompany phrases to disguise the actual phrases.)
I look forward to further advice to have a working primary and a working secondary ldap server.
Thank you
Greg
Does it produce the same error in the Web UI?
Thank you, TKWIRA. The error message is identical via the web interface or via the ssh interface.
Good Question. I tried to see if the ssh interface worked differently vs. the web interface. Both are the same.
Greg