7 Replies Latest reply on Jun 3, 2013 10:19 AM by Bill Robinson

    AD Integration with BBSA

      Hi,


      BBSA was installed and working with SRP authentication. Now AD is installed and provisioned with new domain usernames. All native Windows user accounts need to be deleted across the network. What changes need to be made to the RSCD accounts?


      Additionally, they have a constraint that every account password needs to be changed every 45 days.

      What modifications do I need to make? Shall I ask the AD admin for a new keytab file with the 'blauthsvc' account set to 'password never expires'?


      Regards,

      Gyan

        • 1. Re: AD Integration with BBSA
          Siddu angadi

          Hi Gyan,

           

          If you want your jobs to be executed only by an AD account, use an Automation Principal.

           

          Thanks

          Siddu

          • 2. Re: AD Integration with BBSA
            Bill Robinson

            Can you clarify what accounts you are talking about here? You need to remove the BSA user login accounts ('SRP accounts') from the BladeLogic database and ensure that your users are logging in using AD-enabled accounts?

            Or you are trying to remove the local accounts on the target servers that you manage w/ BSA, e.g. the BladeLogicRSCD account, and want to make sure that you are using a domain account to communicate w/ your target servers?

            • 3. Re: AD Integration with BBSA
              Joe Piotrowski

              I'm not fully understanding your question. BSA installation with SRP means all BSA users/passwords are stored in the BSA database.

               

              You state that "AD is installed and provisioned with new domain usernames. All native Windows user accounts need to be deleted across the network. What changes need to be made to the RSCD accounts?"

               

              If I'm understanding this correctly, nothing. Your BSA users and passwords are still stored in BSA. In Windows the RSCD Agent maps to a local administrator account, not any local user accounts. So removing local user accounts wouldn't impact BSA.

               

              If your scenario is something different, please elaborate. As Siddu stated, if you don't want to map to a local administrator account, you can use a domain service account. In BSA that's called an Automation Principal.

               

              As far as BSA users within BSA, you can set the password to expire after a certain number of days.

              • 4. Re: AD Integration with BBSA

                Dear Joe,

                 

                There will be no local administrator or any local user account. So the only option left is to use a domain service account.

                 

                Regards,

                Gyan

                • 5. Re: AD Integration with BBSA

                  Dear Bill,

                   

                  AD will not allow any user login account on any server.

                   

                  We are trying to remove the local accounts on the target servers that we manage w/ BSA, e.g. the BladeLogicRSCD account, and want to make sure that we are using a domain account to communicate w/ our target servers.

                   

                  Regards,

                  Gyan

                  • 6. Re: AD Integration with BBSA
                    Joe Piotrowski

                    Gyan - then you want to use an Automation Principal. Under RBAC Manager create a new AP, give it a Name and fill in the principal ID (account name), domain and password of the service account you're going to use.

                     

                    Then in your Roles, open your Role(s) and select the Agent ACL tab. Under Platform select the WINDOWS tab. Under Automation Principal select Map to and in the drop-down menu select the AP you created.

                     

                    Depending on how you're using your users.local file, you may or may not have to run an ACL Push Job to your servers to populate the users file.

                    • 7. Re: AD Integration with BBSA
                      Bill Robinson

                      Yes - you need to use the AP. After you have the servers working w/ the AP you can use the 'chapw -d' command to remove the local BladeLogicRSCD accounts from your servers.
