User records while migration from LDAP to AD Auth. servers

Occasional Contributor


Dear all,

 

As per Juniper documentation, user records contain all persistent cookies, SSO information, personal bookmarks, and other resource preferences for a particular user on the SA Series device. User records are stored on each respective SA authentication server instance created on the SA (Authentication > Auth. Servers > Users tab).

 

Now, how can I retrieve the user records, especially personal bookmarks, while migrating the authentication servers from LDAP to AD? By default, the personal bookmarks are lost during such a migration. I need a new way to keep user records after the migration.

 

Thank you in advance for your feedback,

Laurent

Valued Contributor

Re: User records while migration from LDAP to AD Auth. servers

Failover is not needed.  The configuration is to configure URS to point to each other.  For example,

Node 1:

Configured for server/client

This client: Primary Server=node2

This server: Peer&Client=node2

Node 2:

Same configuration, but point them to node 1.

Ensure you set the Enable User Record Sync on each Authentication Server with the same name or the setting above will not do anything.

Valued Contributor

Re: User records while migration from LDAP to AD Auth. servers

What software version are you running?

Occasional Contributor

Re: User records while migration from LDAP to AD Auth. servers

Hi Kita

 

Our version is 7.2R4

 

Thank you in advance

Laurent

 

 

Frequent Contributor

Re: User records while migration from LDAP to AD Auth. servers

Respected Contributor

Re: User records while migration from LDAP to AD Auth. servers

It is not possible to move user records between different authentication server types on the same physical server.
Valued Contributor

Re: User records while migration from LDAP to AD Auth. servers

User record sync is only supported to work between two different standalone devices or two different clusters.  If you have two separate standalone devices, this may be a possible solution.  

 

You can attempt to enable user record sync on the same device; the end user will see a message "Retrieving user record is in progress. Any modifications to bookmarks and preferences will be overwritten when the record is retrieved" and it produces a failure message. I did notice that user-created bookmarks will be transferred, but it is unclear if all data within the user record is transferred properly. In the end, this method is not supported and should be used at your own risk.

Valued Contributor

Re: User records while migration from LDAP to AD Auth. servers

I did more testing and this solution seems to work in a standalone environment. If user record sync is enabled, you can make this a "client and server" and configure the device to point to itself.

 

However, I did have some issues with this configuration within a cluster environment.  This is where I would receive the error message stated in the previous comment.  I was able to work around this by making both nodes in the cluster as a "client and server" and point to each other instead of itself.

Occasional Contributor

Re: User records while migration from LDAP to AD Auth. servers

Hi Kita,

 

Thank you for the feedback and tests.

 

1. Do you have the screen captures for this setup within a cluster?

2. Did you configure both cluster members with the "Client and Server" function, pointing to each other as Peer Servers, or Client pointing to Server?

3. Do you have to do a manual synchronization (export>import) or is it automatic?

 

Thank you in advance,

Laurent

Valued Contributor

Re: User records while migration from LDAP to AD Auth. servers

Yes, both nodes need to be configured as client/server and they need to be pointed to each other as Peer and Client. A manual sync is not required. When each user logs in, it will run the user record sync and grab the necessary data from each other to ensure all the data is the same on each node.