Wondered if there is a best way to switch the Auth Server. Ours has been using Active Directory/Windows NT for quite some time but want to leverage LDAP. I know that the drop down exists to switch but then tells you to confirm that it may break things.
Does it in fact break things? Would I need to manually go back and link the Role Mapping back to the correct group?
If you are making the change on the realm, I would advise against this. My recommendation would be to create a new realm and role mapping for ldap. This will give you the option to switch between the two configuration if there is any issues with LDAP. The main reason is role mapping using group lookup are different between AD vs LDAP.
Another thing to consider are the user records stored on the AD auth server. Did you allow custom bookmarks to be stored by the end user? If this is the case, you will need to utilize user record sync to move the user records between AD and LDAP. If this is not performed, end user will lose their custom bookmarks.
The ease or difficulty of changing an authentication server is going to depend on how you use it beyond simple authentication.
In addition to what Kita pointed our, you also need to be aware of any attributes, expressions or groups you may have defined for use in role mapping, etc. as these are part of the server catalog for that specific authentication server.
At the very least, setup a test realm with the same role mapping rules that uses the new authentication server to make sure you fully understand the impact any changes you make to the production realm will have in your specific environment.
My initial plan was going to be to duplicate my primary realm and test switching the authentication but doesn't sound like that would work the way I was expecting.
Sounds like the best route is to spin up a new empty realm and create all the role mappings from scratch to have a clean setup. Was hoping by chance this would be an easy one but sounds like I could end up with more issues without starting fresh.