webNetwork needs to be able to connect to all LDAP registered DCs

Issue
Why does webNetwork need to be able to talk to a DC that is not on our local network?


Solution
Please see the following article for a complete description on how AD LDAP works:


I've copied the two important pieces from the article:

  1. Finding a Server
    Discusses how when an LDAP enabled DC starts up, it registers itself as being an available LDAP server

  2. LDAP Referrals
    Discusses how referrals work, which is where we run into an issue with webNetwork.  When an LDAP enabled DC refers the webNetwork server to another LDAP enabled DC, it will use any one of the DCs that are registered as providing LDAP.



  • Finding a Server

    The first step that a directory client must take in conducting an Active Directory search is to find an LDAP directory server (in other words, a domain controller) to search against. To find a domain controller, directory clients rely on DNS. When a domain controller starts up, it registers service (SRV) records in DNS that indicate that the domain controller provides LDAP directory services. To locate a domain controller, a directory client performs a DNS query for SRV records of hosts that provide LDAP directory services. For more information about how DNS is used to locate domain controllers, see “DNS Support for Active Directory Technical Reference.”

  • LDAP Referrals

    When a requested object exists in the directory but is not present on the contacted domain controller, resolution of the object name depends on information that is stored on that domain controller about how the directory is partitioned. In a partitioned directory, by definition, the entire directory is not always available on any one domain controller.

    In its Configuration container, every domain controller has information about the other domains in the forest. The objects in cn=Partitions,cn=Configuration,dc=ForestRootDomain are cross-reference objects that contain information that Active Directory uses to construct the directory tree hierarchy. When an operation in Active Directory requires action on objects that might exist in the forest but that are not located in the particular domain that is stored on a domain controller, that domain controller must send the client a message that describes where to continue this action — that is, the client is “referred” to a domain controller that is presumed to hold the requested object.

    An LDAP referral is a domain controller’s way of indicating to a client application that the domain controller does not have a copy of a requested object (or, more precisely, that the domain controller does not hold the section of the directory tree where that object would be if, in fact, it exists) and of providing the client with a name of a server that is more likely to hold the object. The client uses the name of the server that is provided in the LDAP referral as the basis for a DNS search for a domain controller. Ideally, referrals always reference a domain controller that does indeed hold the object. However, it is possible for the referred-to domain controller to generate yet another referral, although it usually does not take long to discover that the object does not exist and to inform the client that the object does not exist. Active Directory returns referrals in accordance with RFC 2251.

    Clients do not have to know the name or location of a child domain to contact a domain controller in that domain. They can query the root domain and reach the appropriate domain controller by being referred there. Two situations generate this type of domain controller response:

        An external referral, in which the base distinguished name of the requested object is not in this directory, but the domain controller holds information about another LDAP directory where the requested object might be found.

        A subordinate referral, in which the base distinguished name of the requested object is in this directory, but the directory partition that contains the requested object is not stored locally.

    Every domain controller contains information about how the directory is partitioned, and this information can be used in conjunction with DNS to find the Active Directory domain that contains a particular object.


The root issue for webNetwork is how AD handles LDAP referrals between the DCs.
  • The DC webNetwork is configured to talk to can, and will, tell the webNetwork server to connect to another DC to look for what it wants.
  • The DC will pick another DC that is registered as an LDAP enabled DC and tell webNetwork to connect to it.
  • Since all LDAP enabled DCs are registered, the DC can, and will, tell the webNetwork server to connect to one that could be malfunctioning, down, or purposely isolated from the webNetwork server.

Thus the only options are:
  • Allow the webNetwork loaders to connect to the DC.
  • Disable LDAP referrals on the DC webNetwork connects to.  This requires the DC to have copies of all objects on it.
  • Remove LDAP from the DC.
  • Completely remove the DC.
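Before choosing one of the options above, it helps to know which of the advertised DCs the webNetwork server actually cannot reach. The script below is an added example (not part of this article or of webNetwork) that applies the two mechanisms described above: it parses the `_ldap._tcp.<domain>` SRV records every LDAP-enabled DC registers, orders them as RFC 2782 requires, probes each one on its advertised port, and then answers whether a given referral URL would send webNetwork to a DC it cannot reach. The SRV answer and host names are constructed placeholders; swap in the output of your own `nslookup -type=SRV _ldap._tcp.<your-domain>`.

```python
"""Audit whether this host can reach every DC that AD advertises as an LDAP server.

AD DCs register _ldap._tcp.<domain> SRV records (RFC 2782); an LDAP referral may
name any of them, so each one must be reachable from the webNetwork server.
"""
import socket
from urllib.parse import urlparse

# Constructed sample answer to `nslookup -type=SRV _ldap._tcp.example.com`;
# the host names are placeholders, not real servers.
SAMPLE_SRV = """\
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.example.com. 600 IN SRV 10 100 389 dc-remote.example.com.
"""

def parse_srv(text):
    """Parse zone-file style SRV lines into (priority, weight, port, target) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3] != "SRV":
            continue
        prio, weight, port = (int(f) for f in fields[4:7])
        records.append((prio, weight, port, fields[7].rstrip(".").lower()))
    # RFC 2782: lower priority value is tried first; ties ordered by descending weight
    return sorted(records, key=lambda r: (r[0], -r[1]))

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (LDAP listens on 389, LDAPS on 636)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def referral_host(url):
    """Host named in an LDAP referral URL such as ldap://dc2.example.com/DC=example,DC=com."""
    return urlparse(url).hostname.lower()

def audit(records, probe=tcp_open):
    """Map each advertised DC to reachability; an unreachable DC is a referral target that would fail."""
    return {f"{host}:{port}": probe(host, port) for _prio, _weight, port, host in records}

def referral_would_fail(url, results):
    """True if the referred-to DC is advertised but unreachable, or is not advertised at all."""
    reachable = {key.split(":")[0]: ok for key, ok in results.items()}
    return not reachable.get(referral_host(url), False)

if __name__ == "__main__":
    for dc, ok in audit(parse_srv(SAMPLE_SRV)).items():
        print(f"{dc}: {'reachable' if ok else 'UNREACHABLE - a referral here will time out'}")
```

Any DC reported UNREACHABLE is one the first option (allow the loaders to connect) would have to cover, or one of the remaining options must remove from the referral pool.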

Keywords: Active Directory, AD, DC, Domain Controller, Failover
