Resolving AD/LDAP connection errors in DPA

Updated November 1st, 2017

Overview

If DPA is periodically producing errors connecting to AD/LDAP and you have multiple domain controllers, this article provides a temporary work-around until the domain administrator has resolved the issue.

This article applies to both Active Directory and other LDAP implementations. AD and LDAP often use different terms for the same thing, so for simplicity this article uses AD terminology. For example, where this article says “domain controller,” LDAP users should read “LDAP server.”

Environment

  • DPA 11.1 and later

Cause

When you configure DPA with AD/LDAP, you specify either a domain or a specific domain controller. If you provide a domain, the domain routes DPA to one of its domain controllers. There have been cases where DPA was routed to an incorrect domain controller (for example, a machine that no longer exists or has been powered down), and this can cause sporadic DPA login errors.

Resolution

Work with the domain administrator to resolve the root cause of the connectivity issues.

In the meantime, the following work-arounds could provide a temporary solution:

  • Configure DPA with a specific domain controller
  • Configure DPA with redundant domain controllers

In most cases, DPA should be configured with a domain rather than a specific domain controller. Be sure to revert these changes when the domain administrator has resolved the issue with the domain.

Configure DPA with a Specific Domain Controller

If you suspect that your domain is periodically routing DPA to a bad domain controller, resulting in periodic DPA login errors, you can configure a specific valid domain controller that you always want DPA to connect to. This can be done in one of the following ways:

  • Use DPA’s AD/LDAP Wizard to provide a specific domain controller, then restart DPA.
  • Or, on the DPA Server:
    1. Open the following file in a text editor:

      <DPA install dir>\iwc\tomcat\ignite_config\idc\system.properties

    2. Locate the following property:

      com.confio.security.ldap.serverUrl1=

    3. Enter the domain controller’s LDAP URL as the property value. For example:

      ldaps://10.200.10.200:1234 or ldaps://machine1.mycompany.local:1234

    4. Restart DPA.

Configure DPA with Multiple Redundant Domain Controllers

If your environment has multiple domain controllers that DPA can use, it may help to specify them instead of providing the domain. In this case, DPA will try to connect to each of your domain controllers until it gets a successful connection. (In contrast, the domain will route DPA to a single domain controller with no failover logic.) By default, DPA will make a 5 second attempt to connect to each DC (this default can be overridden, as described below).

DPA supports setting up to 5 domain controllers. You need to configure them manually, outside of the AD/LDAP wizard, as follows:

  1. On the DPA Server open the following file in a text editor:

    <DPA install dir>\iwc\tomcat\ignite_config\idc\system.properties

  2. Update/add the following properties with each domain controller’s LDAP URL:

    com.confio.security.ldap.serverUrl1=
    com.confio.security.ldap.serverUrl2=
    com.confio.security.ldap.serverUrl3=

  3. Restart DPA.

Adjusting AD/LDAP Connection Properties

DPA uses default AD/LDAP connection settings. In some cases, you may want to override the default values to suit your needs. The properties are listed below and can be updated by editing the system.properties file (as described above) and restarting DPA.

You might not need to override any of the defaults. The property you are most likely to override is the connection timeout (com.confio.security.ldap.connect.timeout): when you have specified multiple redundant domain controllers, lowering it reduces the overall DPA login time when failovers occur.

com.confio.security.ldap.connect.timeout=[TIMEOUT IN MS]

  • Set this to adjust the connection timeout in milliseconds (default is 5000). If the LDAP provider cannot establish a connection within that period, it aborts the connection attempt.
  • The value should be an integer greater than zero. If the value is less than or equal to zero, the timeout value for the network protocol (i.e., TCP) is used.

com.confio.security.ldap.read.timeout=[TIMEOUT IN MS]

  • Set this to adjust the read timeout in milliseconds (default is 0). If the LDAP provider cannot get an LDAP response within that period, it aborts the read attempt.
  • The value should be an integer greater than zero. If the value is less than or equal to zero, no read timeout is applied, which is equivalent to waiting indefinitely for the response.

com.confio.security.ldap.connect.pool=[true/false]

  • Use this to specify that a pooled connection should be used when creating the initial context instance (default is “true”).
  • If its value is "true", the provider will use a pooled connection if the parameters for creating a connection (referred to as the connection request) meet the criteria set forth by the connection pool configuration. If this property has not been set, or if it has been set to any other value, or if the connection request does not meet the criteria, the provider will not use a pooled connection.

com.confio.security.ldap.connect.pool.timeout=[TIMEOUT IN MS]

  • Set this to adjust how many milliseconds an idle connection may remain in the pool without being closed and removed from the pool (default is 0).
  • The value should be an integer greater than 0. A value less than or equal to zero means no timeout is specified.
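As an added example (not SolarWinds code and not part of this article), the following Python script reads the com.confio.security.ldap.* properties described above, flags serverUrlN values that are not ldaps:// or are malformed, computes the worst-case login delay that the connect timeout implies for the configured number of domain controllers, and TCP-probes a domain controller with that same timeout so a dead DC can be found before DPA is restarted. The sample properties text is constructed, and the parsing and failover arithmetic are simplified assumptions about DPA's behaviour rather than its actual implementation.

```python
import socket
from urllib.parse import urlsplit
# Constructed sample of the AD/LDAP lines in system.properties (not a real site)
SAMPLE_PROPERTIES = """\
com.confio.security.ldap.serverUrl1=ldaps://dc1.example.local:636
com.confio.security.ldap.serverUrl2=ldaps://10.200.10.201:636
com.confio.security.ldap.serverUrl3=ldap://dc3.example.local:389
com.confio.security.ldap.connect.timeout=2000
"""
PREFIX = "com.confio.security.ldap."

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comment lines."""
    lines = (raw.strip() for raw in text.splitlines())
    pairs = (line.partition("=") for line in lines if line and line[0] not in "#!")
    return {key.strip(): value.strip() for key, _, value in pairs}

def server_urls(props):
    """Configured DC URLs, serverUrl1..serverUrl5 (5 is DPA's stated limit)."""
    urls = (props.get(f"{PREFIX}serverUrl{n}") for n in range(1, 6))
    return [u for u in urls if u]  # an empty value (serverUrl2=) is "not set"

def check_url(url):
    """Problems with one serverUrl value; an empty list means it looks valid."""
    problems, parts = [], urlsplit(url)
    if parts.scheme != "ldaps":
        problems.append("not ldaps://, so bind credentials would cross the network in clear")
    try:
        if not parts.hostname or parts.port is None:
            problems.append("missing host or port")
    except ValueError:  # e.g. a stray ':' inside the host part
        problems.append("malformed host:port")
    return problems

def worst_case_login_delay_ms(props):
    """Login delay when only the last listed DC answers: (N-1) failed attempts,
    each lasting connect.timeout (default 5000 ms; <= 0 means the TCP default)."""
    timeout = int(props.get(f"{PREFIX}connect.timeout", "5000"))
    return (len(server_urls(props)) - 1) * timeout if timeout > 0 else None

def probe(url, timeout_ms):
    """TCP-connect to the DC using DPA's connect timeout; True if it answers."""
    parts = urlsplit(url)
    try:
        with socket.create_connection((parts.hostname, parts.port), timeout_ms / 1000):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False
```

Run check_url and probe over server_urls(parse_properties(open(path).read())) for the real system.properties path before restarting DPA; any URL that fails the check or the probe is the one to fix or remove.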
