‎07-05-2017 01:50 AM
Hi. Whenever I clone our prod instance over another sub-prod instance, the AD account that allows LDAP authentication gets locked out. This means no one can log in, alarm bells ring at Service Now, people start shouting at me. How can I prevent this from happening? I assume I need to add a table to the Exclude Table list - maybe the ldap_server_config table?
Solved! Go to Solution.
‎07-05-2017 03:10 AM
Hello Wayne,
Your understanding is correct. You need to add an entry in your exclude table list for the ldap_server_config table. In the absence of this, all your LDAP configurations are also cloned to your target non-production instance. And, as you know, there are scheduled jobs performing various actions, including the LDAP heartbeat check. Since the LDAP server is specific to your PROD only, when such jobs try to access your PROD LDAP server they don't authenticate. There are some rules defined on the AD side which lock your LDAP server login account after a certain number of failed attempts. And this is exactly what happened in your case.
Therefore, please add an entry in your exclude table list for the ldap_server_config table and you have a permanent fix!
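The following is an added example and is not part of the thread above or of any ServiceNow-supplied tooling. It is the check an AD administrator would run to confirm the mechanism the answer describes: that the LDAP service account is being locked by failed binds coming from the freshly cloned sub-prod instance (or its MID server) rather than from somewhere else. Account lockouts are recorded as Security event 4740 on the PDC emulator, and that event's "Caller Computer Name" field identifies the source. The service account name, the look-back window and the use of the PDC emulator as the target DC are assumptions; substitute your own values.

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory
# RSAT module and rights to read the Security log on the domain controller.
# $SamAccountName is a placeholder; replace it with your LDAP bind account.
param(
    [string]$SamAccountName   = 'svc_servicenow_ldap',        # assumed name
    [string]$DomainController = (Get-ADDomain).PDCEmulator,   # 4740 events land on the PDC emulator
    [int]$LookBackHours       = 24                            # assumed window; widen if the clone ran earlier
)

Import-Module ActiveDirectory

# 1. Current state of the account and the domain lockout policy that applies to it.
#    LockoutThreshold is the "certain number of failed attempts" from the answer above.
$acct   = Get-ADUser -Identity $SamAccountName -Server $DomainController `
              -Properties LockedOut, BadPwdCount, LastBadPasswordAttempt
$policy = Get-ADDefaultDomainPasswordPolicy -Server $DomainController

[pscustomobject]@{
    Account                  = $acct.SamAccountName
    LockedOut                = $acct.LockedOut
    BadPwdCount              = $acct.BadPwdCount
    LastBadPasswordAttempt   = $acct.LastBadPasswordAttempt
    LockoutThreshold         = $policy.LockoutThreshold
    LockoutObservationWindow = $policy.LockoutObservationWindow
    LockoutDuration          = $policy.LockoutDuration
} | Format-List

# 2. Pull the lockout events for this account. In event 4740 the EventData field
#    named TargetDomainName carries the "Caller Computer Name", i.e. the host whose
#    failed binds tripped the threshold. If that host is the sub-prod instance's
#    MID server (or the address the sub-prod instance binds from), the clone is the cause.
$since  = (Get-Date).AddHours(-$LookBackHours)
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    $data   = ([xml]$e.ToXml()).Event.EventData.Data
    $target = ($data | Where-Object Name -eq 'TargetUserName').'#text'
    $caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
    if ($target -eq $SamAccountName) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $target
            CallerComputer = $caller
            DomainController = $e.MachineName
        }
    }
}

if (-not $lockouts) {
    Write-Warning "No 4740 events for $SamAccountName on $DomainController in the last $LookBackHours h."
} else {
    $lockouts | Sort-Object Time -Descending | Format-Table -AutoSize
}

# 3. Unlock only after the cloned instance no longer holds the prod LDAP server
#    record (table excluded from the clone, or the record deactivated on the
#    sub-prod instance). Unlocking first just buys one heartbeat interval before
#    the next failed bind locks it again.
# Unlock-ADAccount -Identity $SamAccountName -Server $DomainController
```

The unlock is left commented out on purpose: with the cloned LDAP server record still active on sub-prod, the heartbeat job keeps binding with the prod service account and the lockout simply recurs. Run the script once more after the next clone to verify that no new 4740 events name the sub-prod host.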

‎07-05-2017 02:28 AM
‎07-05-2017 03:51 AM
Cheers LK, that's just the confirmation I needed buddy, thanks.
‎01-23-2018 01:50 AM
Hi Wayne,
We had added a record to exclude the ldap_server_config table in the exclude tables list; still, post-cloning, the account got locked. Do we need to do anything else apart from this?
Thanks,
Prajakta