I have a requirement to change the server that the ACS Appliance (2 x running primary / secondary) (5.2) is using as an external identity store. I previously changed the server host name under the External Identity Stores\LDAP\Server Connection tab. The issue was that when I performed a test bind it was successful BUT under the Directory Groups tab I lost the group name entries, only recovering them as I exited the config without saving anything.
So my question is: how do I change the server connection and reinstate the directory group list? There are a number of entries and I need them all back in with minimal disruption to the network. There must be an easier way than entering them all manually?
Any changes in the server connection, like IP or credentials, would not be allowed unless you remove all the references from the ACS config, because the connection is built based on that information.
However, you can create more than one LDAP instance in ACS 5.2. By creating more than one LDAP instance with different IP address or port settings, you can configure ACS to authenticate by using different LDAP servers or different databases on the same LDAP server.
Each primary server IP address and port configuration, along with the secondary server IP address and port configuration, forms an LDAP instance that corresponds to one ACS LDAP identity store instance.
ACS 5.3 does not require that each LDAP instance correspond to a unique LDAP database. You can have more than one LDAP instance set to access the same database.
This one confused me. I tried the same steps that you described of changing the server host name, but in doing that I did not lose any other configuration and do not see why groups would disappear from doing this.
Correct. I too recreated the same behaviour in my lab with manual and AD groups, and after changing the hostname/IP address all groups remain intact there without any loss of configuration.
But logically, didn't it flush the group configuration because that actually came up from the server connection we used? Since the connection is no longer up, it should clear the group information, or should give a pop-up on the screen saying: please delete or unselect the groups before you make changes in the LDAP server connection.
The groups are not repopulated when the connection to the new server is established. Groups are not learned but are added by the administrator, either by entering the group information manually or by selecting from the list of groups that can be retrieved from the server.
I found the following bug that relates to this issue.
CSCty73174 - groups are deleted if the test bind is checked for secondary ldap server
The workaround for this is as follows:
- change the server host name and then save the configuration
- issue the "Test Bind" and, when it completes, select Cancel so that ACS does not try to save the data with an empty list of groups
Most important is not to save changes after performing the test bind operation on the secondary server.
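Since, as the thread notes, the Directory Groups list is entered by the administrator rather than learned from the server, the practical way to move it with minimal disruption is to export the group DNs from the old and the new LDAP server before touching the ACS server connection, compare them, and keep the list as the record of what to re-enter if the groups are lost. The script below is an added example, not code from the original thread or from Cisco ACS; the server names, base DN and group names are invented, and the two LDIF exports are constructed inline (including the usual "dn::" base64 form for a non-ASCII DN and a folded long line) so that it runs offline. In practice you would produce each file with ldapsearch, for example `ldapsearch -LLL -H ldap://old-server -D "CN=acsbind,OU=Service,DC=example,DC=com" -W -b "OU=Groups,DC=example,DC=com" "(objectClass=group)" dn`.

```python
"""Compare the group DNs exported from an old and a new LDAP server.

Added example for the ACS 5.2 group-list problem discussed above; it is not
ACS code. Both LDIF inputs are constructed samples standing in for real
ldapsearch output.
"""
import base64


def parse_ldif_dns(ldif_text):
    """Return the set of DNs found in an LDIF export.

    Handles the two LDIF features (RFC 2849) that break naive line-based
    parsing: continuation lines (a line beginning with one space continues
    the previous line) and base64-encoded values ("dn::" for non-ASCII DNs).
    """
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    dns = set()
    for line in logical:
        if line.startswith("dn::"):         # base64 value
            dns.add(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):        # plain value
            dns.add(line[3:].strip())
    return dns


def normalize_dn(dn):
    """Comparison key for a DN: case-insensitive, whitespace around commas
    ignored. Simplified: escaped commas inside RDN values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def diff_groups(old_ldif, new_ldif):
    """Classify group DNs as common, missing on the new server, or new."""
    old = {normalize_dn(d): d for d in parse_ldif_dns(old_ldif)}
    new = {normalize_dn(d): d for d in parse_ldif_dns(new_ldif)}
    return {
        "common": sorted(old[k] for k in old.keys() & new.keys()),
        "missing_on_new": sorted(old[k] for k in old.keys() - new.keys()),
        "only_on_new": sorted(new[k] for k in new.keys() - old.keys()),
    }


def _b64_dn_line(dn):
    # Sample-construction helper: encode a DN as ldapsearch does for
    # values that are not safe ASCII.
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


# Constructed sample exports (invented group names and base DN).
OLD_LDIF = "\n".join([
    "dn: CN=NetworkAdmins,OU=Groups,DC=example,DC=com",
    "",
    "dn: CN=Helpdesk,OU=Groups,DC=example,DC=com",
    "",
    "dn: CN=VeryLongGroupNameThatWrapsInLdif,OU=Groups,DC=examp",
    " le,DC=com",                           # folded continuation line
    "",
    _b64_dn_line("CN=Service Desk é,OU=Groups,DC=example,DC=com"),
    "",
])

NEW_LDIF = "\n".join([
    "dn: cn=networkadmins,OU=Groups,DC=example,DC=com",   # case differs only
    "",
    "dn: CN=Helpdesk,OU=Groups,DC=example,DC=com",
    "",
    _b64_dn_line("CN=Service Desk é,OU=Groups,DC=example,DC=com"),
    "",
    "dn: CN=VPN-Users,OU=Groups,DC=example,DC=com",
    "",
])


def report(old_ldif=OLD_LDIF, new_ldif=NEW_LDIF):
    """Human-readable summary of the comparison."""
    d = diff_groups(old_ldif, new_ldif)
    lines = []
    for label in ("common", "missing_on_new", "only_on_new"):
        lines.append(f"{label} ({len(d[label])}):")
        lines.extend("  " + dn for dn in d[label])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it before changing the ACS server connection: anything listed under "missing_on_new" will not be selectable from the new server's group list and has to be created there (or entered manually in ACS) first, and the "common" list is what you re-enter on the Directory Groups tab if the test-bind problem wipes the entries.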