Hello,
recently I configured the portal to use the primary ADS as read-only LDAP server using the configuration file "dataSourceConfiguration_ads_readonly_db_with_krb5.xml". Additionally I configured spnego to validate kerberos tickets.
Here are the steps I did:
1. created the user j2ee-j2e-SID on the primary ADS and configured DES, no PW change and no PW expiry.
2. ktpass -printc ....... to generate the keytab
3. setspn -A http/hostname...... to register the SPN
4. uploaded and changed to "dataSourceConfiguration_ads_readonly_db_with_krb5.xml"
5. configured LDAP details using the j2ee user from step 1
6. added the 3 attributes to com.sap.security.core.ume.service
7. restart
8. stared the spnego wizard and completed all steps succsessfully
9. restart
10. adjusted the ticket login stack to use spnego as template
11. configured the client browser
Now I am able to login using the ADS user credentials and the Kerberos authentication is working as well.
However, now I realised that there is another LDAP server available as backup ADS, its syncronised from the primary ADS that the portal is using.
I found a lot documenation about multiple ADS using "dataSourceConfiguration_multiple_ads_readonly_db_with_krb5.xml" and have the feeling that this would be the right coice if we have different ADS servers from different domains.
What should I do now to connect the Portal to the backup ADS server in case that the primary ADS server is not available? Is it possible to use the already existing configuration or do I have to start from scratch?
Is it possible simply to add a second entry into the field "servername" of the "UME ldap data" area in the configtool, separated with a comma? Or are there other options to connect to the second ADS using the same credentials configured above?
Any help is much appreciated and I will reward points of course.
Thanks and regards,
Enno
