Change LDAP operator account domain

We’re wrapping up a long-term migration of our org from one Active Directory domain to a new Active Directory domain. Our BigFix server was migrated a few years ago, but we still have some operator accounts using LDAP on our old domain.

I know I can create new operator accounts on the new domain, but we’d like to keep issued actions and custom content associated with these operator accounts.

Is there any way to point the existing operator accounts to a different domain? I can’t find anything about this in the docs or online.

How many operators are you considering? Is clicking through the interface an option or do you need a way to do it in bulk?

…off to try it

I only need to migrate fewer than 10 operators, so a manual interface process is fine.
Right-clicking an operator account in the console shows an option to “Convert to LDAP Operator…”, which might allow switching the LDAP account from one AD domain to another, but I’m looking for a method to test this without affecting a real operator account.

Ok, great.
I find this non-intuitive, but if you right-click the operator in the Console you can use the “Convert to LDAP Operator” option. I realize it’s already an LDAP operator, and this function was intended to convert from a local operator to an LDAP operator, but you can also switch from one LDAP user to a different LDAP user.

(I only have one domain for my test. You should probably create a new operator to test this migration in your two-domain scenario.)

The ‘Convert to LDAP Operator’ dialog will pre-fill their existing account name for the search. You’ll need to remove part or all of their name to search for users in the right directory and hit the ‘Search’ button to refresh the user list.

It should be as simple as selecting the new account name and hitting the ‘Convert’ button.

The potential ‘gotcha’ is if you’re using LDAP Groups to assign BigFix Roles, you’ll need to ensure the new account is also in groups that are assigned to Roles in the server. My first try at this test worked, but my new test user was no longer allowed to log on because it was not in the LDAP groups that assigned my roles.

2 Likes

Well, it looks like this works perfectly! I agree it’s not intuitive - I didn’t think “Convert to LDAP Operator…” would apply in my case but it does! Thanks!

1 Like