Switching between Active Directory adapters for Standalone Orchestrator

How to switch between Active Directory Adapters?

Standalone Orchestrator supports two Active Directory adapters:

  • AD - the legacy adapter
  • LDAP - the default adapter from Orchestrator 21.10 onwards.


Determine Current Active Directory Adapter

  1. Run the following SQL query against the Orchestrator database to determine the current Active Directory adapter:
SELECT dc.* FROM [identity].[DirectoryConnections] dc
JOIN [identity].[Partitions] p ON p.[Id]=dc.[PartitionId]
WHERE p.[GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D' AND dc.[IsDeleted]=0
  2. If [Type]='ad', the 'AD' adapter is in use; otherwise ([Type]='ldapad') the 'LDAP' adapter is in use.

Switching from LDAP/AD Adapter to AD Adapter

  1. Connect to the Orchestrator database.
  2. Run the following script:
--
-- ldapad->ad conversion script
-- 1. Updates DirectoryId of AD users & groups
-- 2. Soft-deletes 'ldapad' directory connections
-- 3. Creates the 'ad' directory connection if it does not exist
-- 4. Replace the empty "Domain" value below with the fully qualified name of the default/main domain.
--

-- convert users

IF OBJECT_ID('tempdb..#tmp_ldap_users') IS NOT NULL
    DROP TABLE #tmp_ldap_users

-- 'ldapad|' is 7 characters, so SUBSTRING from position 7 keeps the '|' separator: 'ldapad|X' -> 'ad|X'
SELECT [Id], [MasterPartitionId], CONCAT('ad', SUBSTRING([DirectoryId], 7, 256)) AS [DirectoryId] INTO #tmp_ldap_users
FROM [identity].[AspNetUsers]
WHERE [DirectoryId] LIKE 'ldapad|%' AND [IsDeleted]=0

--SELECT * FROM #tmp_ldap_users

-- skip users whose target 'ad|' DirectoryId is already taken by another user in the same partition
DELETE tmp
FROM #tmp_ldap_users tmp
JOIN [identity].[AspNetUsers] u ON u.[MasterPartitionId]=tmp.[MasterPartitionId] AND u.[DirectoryId]=tmp.[DirectoryId]

--SELECT * FROM #tmp_ldap_users

UPDATE u
SET u.[DirectoryId]=tmp.[DirectoryId]
FROM [identity].[AspNetUsers] u
JOIN #tmp_ldap_users tmp ON tmp.[Id]=u.[Id]

-- create 'ad' directory connection

DECLARE @HostPartitionId int -- host partition id
SELECT @HostPartitionId = [Id] FROM [identity].[Partitions] WHERE [GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D'

-- soft-delete the active 'ldapad' connection(s) of the host partition
UPDATE [identity].[DirectoryConnections] SET [IsDeleted]=1, [DeletionTime]=GETUTCDATE() WHERE [PartitionId]=@HostPartitionId AND [Type]='ldapad' AND [IsDeleted]=0

-- create the 'ad' connection only if no active one exists (@@ROWCOUNT reflects the SELECT directly above)
SELECT * FROM [identity].[DirectoryConnections] WHERE [PartitionId]=@HostPartitionId AND [Type]='ad' AND [IsDeleted]=0
IF @@ROWCOUNT=0
    INSERT INTO [identity].[DirectoryConnections] ([PartitionId], [Type], [CreationTime], [Configuration], [IsDeleted])
    VALUES (@HostPartitionId, 'ad', GETUTCDATE(), '{ "Domain": "" }', 0)

-- verify: the remaining active connection(s) for the host partition
SELECT * FROM [identity].[DirectoryConnections] WHERE [PartitionId]=@HostPartitionId AND [IsDeleted]=0


  3. Restart the Identity application pool, for example by running IISReset from an elevated command prompt.
  4. Using the AD adapter enables features such as domain filtering; see Improve The AD Domain Loading Performance.
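A read-only preview that serves both the adapter check above and the conversion script, as an added example that is not part of the original article: it lists the host partition's directory connections and then every active 'ldapad|' user with the 'ad|' DirectoryId the script would assign, flagging the accounts the script's DELETE step would leave unconverted because a user with that DirectoryId already exists in the same partition. It uses only the tables and columns referenced above and modifies nothing.

```sql
-- Added example (not from the article): read-only preview of the ldapad->ad conversion.
-- Nothing here modifies data; run it before the conversion script and keep the output
-- as the baseline to compare against afterwards.
DECLARE @HostPartitionId int;
SELECT @HostPartitionId = [Id]
FROM [identity].[Partitions]
WHERE [GlobalId] = 'FEB0DD79-85B6-483B-B297-0E49A1AA5B7D';

-- 1. Directory connections of the host partition, soft-deleted rows included, so the
--    current adapter ([Type] of the row with [IsDeleted]=0) and earlier switches are visible.
SELECT [Id], [Type], [IsDeleted], [CreationTime], [DeletionTime]
FROM [identity].[DirectoryConnections]
WHERE [PartitionId] = @HostPartitionId
ORDER BY [IsDeleted], [CreationTime];

-- 2. Per-user preview. Same prefix rewrite as the script ('ldapad|' is 7 characters,
--    so SUBSTRING from position 7 keeps the '|' separator). The LEFT JOIN mirrors the
--    script's DELETE step: if any user (soft-deleted or not) already holds the target
--    'ad|' DirectoryId in the same partition, the script skips the ldapad user, which
--    then keeps its 'ldapad|' DirectoryId after the ldapad connection is soft-deleted.
WITH ldap AS (
    SELECT u.[Id], u.[MasterPartitionId],
           u.[DirectoryId] AS [OldDirectoryId],
           CONCAT('ad', SUBSTRING(u.[DirectoryId], 7, 256)) AS [NewDirectoryId]
    FROM [identity].[AspNetUsers] u
    WHERE u.[DirectoryId] LIKE 'ldapad|%' AND u.[IsDeleted] = 0
)
SELECT l.[Id], l.[MasterPartitionId], l.[OldDirectoryId], l.[NewDirectoryId],
       CASE WHEN a.[Id] IS NULL THEN 'will be updated'
            ELSE 'skipped: target DirectoryId already exists' END AS [Outcome],
       a.[Id] AS [ExistingUserId], a.[IsDeleted] AS [ExistingUserIsDeleted]
FROM ldap l
LEFT JOIN [identity].[AspNetUsers] a
       ON a.[MasterPartitionId] = l.[MasterPartitionId]
      AND a.[DirectoryId] = l.[NewDirectoryId]
ORDER BY [Outcome], l.[MasterPartitionId], l.[Id];
```

Review every 'skipped' row before running the conversion: those are the users the script leaves with an 'ldapad|' DirectoryId while their ldapad connection is soft-deleted.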

Switching from AD to LDAP Adapter

  1. Disable Active Directory integration in the Orchestrator web portal.
  2. Re-enable Active Directory integration in the Orchestrator web portal.