When you only have one domain controller in AWS, here is what you can do to limit EasySSO to that single domain controller:

1) Make IOPLEX Jespa connect directly to that single controller, i.e. switch off any failover functionality at this level. For that you need to:

  • Set the "domain" in the main EasySSO Configuration to the FQDN of that single Domain Controller
  • Add the following Additional Parameter in EasySSO/NTLM/Advanced Configuration:
{code}
jespa.authority.dns.names.resolve=false
{code}

2) Specify a local file with DNS information, to override DNS information either completely or just for SRV lookups.

  • Add the following Additional Parameter in EasySSO/NTLM/Advanced Configuration:
{code}
jespa.dns.records.path=/var/atlassian/application-data/jira/dns.txt
{code}


  • Create the file at that location, as described on page 7 of the IOPLEX Jespa Operators Manual (also downloadable from the EasySSO/NTLM configuration screen, 2nd tab, after you've uploaded Jespa's .zip). Below is an excerpt from the manual; edit example.com to match your EasySSO context:

Jespa supports bypassing DNS queries using a DNS records file. This can be useful for restricting Jespa to a specific subset of domain controllers for firewalling purposes and debugging. An example of this file follows:
{code}
# Rotate through only dc1, dc2 and dc3
_ldap._tcp.dc._msdcs.example.com SRV 0 100 389 dc1.example.com
_ldap._tcp.dc._msdcs.example.com SRV 0 100 389 dc2.example.com
_ldap._tcp.dc._msdcs.example.com SRV 0 100 389 dc3.example.com
{code}
If the above DNS records file is supplied with the jespa.dns.records.path property, DNS SRV lookups for the name *_ldap._tcp.dc._msdcs.example.com* will be bypassed and the data supplied in the file will be used instead.

Note: All records in the DNS Records File must contain valid data from MS DNS. For example, the hostname in an SRV record must be the actual hostname of that server.

The format of each record is always name, type and then data that depends on the record type separated by one or more space (' ') characters. Currently only SRV and A record types are supported.

Note: Tabs are not supported. All fields must be separated by only spaces.

The data for SRV records is priority, weight, port and target. The data for A records is simply the dot-quad IP address of the host. This is the same format as DNS zone transfer files.

Note: If the DNS records file is modified, it will automatically be reloaded within 5 seconds.

As illustrated by the example above, multiple records can have the same name. In this case, the Jespa DNS logic will rotate through the records each time the name is queried.

If you have only one domain controller, you should have a single SRV line. We wouldn't recommend it, but if you want to take DNS out of the picture completely, also add an A line for that controller's hostname, pointing to its specific IP.
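The records file is easy to get subtly wrong (a stray tab, a typo in the record type, an SRV target that still needs a real DNS lookup), and Jespa only tells you at authentication time. The following is an added example, not code from EasySSO or IOPLEX Jespa: a small Python parser that applies the rules from the manual excerpt above (name, type and space-separated data; only SRV and A types; no tabs; same-name records rotated on each query) so you can validate a dns.txt before deploying it. It also flags SRV targets that have no A record in the file, which is exactly the case where DNS is still in the picture. The sample file contents, the helper names and the 192.0.2.x addresses are constructed for this example.

```python
"""Validator for a Jespa-style DNS records file (added example, not Jespa's own code)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


@dataclass(frozen=True)
class ARecord:
    name: str
    address: str


class RecordsFileError(ValueError):
    """Raised for a line that violates the documented file format."""


def parse_records(text):
    """Parse file text into {lowercase name: [records]}.

    Blank lines and '#' comments are skipped. Tabs are rejected explicitly,
    because str.split() would silently accept them while the manual says
    only spaces are supported.
    """
    records = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if "\t" in raw:
            raise RecordsFileError(f"line {lineno}: tabs are not supported")
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(" ")
        fields = [f for f in fields if f]  # tolerate "one or more" spaces
        if len(fields) < 3:
            raise RecordsFileError(f"line {lineno}: expected name, type and data")
        name, rtype, data = fields[0].lower(), fields[1].upper(), fields[2:]
        if rtype == "SRV":
            # SRV data is priority, weight, port and target
            if len(data) != 4:
                raise RecordsFileError(f"line {lineno}: SRV needs priority weight port target")
            try:
                priority, weight, port = (int(x) for x in data[:3])
            except ValueError:
                raise RecordsFileError(f"line {lineno}: SRV numeric fields invalid") from None
            if not 0 < port <= 65535:
                raise RecordsFileError(f"line {lineno}: invalid port {port}")
            records[name].append(SrvRecord(name, priority, weight, port, data[3].lower()))
        elif rtype == "A":
            # A data is just the dotted-quad IPv4 address
            if len(data) != 1:
                raise RecordsFileError(f"line {lineno}: A record needs one address")
            try:
                addr = ipaddress.IPv4Address(data[0])
            except ipaddress.AddressValueError:
                raise RecordsFileError(f"line {lineno}: invalid IPv4 address {data[0]!r}") from None
            records[name].append(ARecord(name, str(addr)))
        else:
            raise RecordsFileError(f"line {lineno}: unsupported record type {rtype}")
    return dict(records)


def srv_targets_without_a(records):
    """SRV targets with no A record in the file: these still hit real DNS."""
    missing = []
    for recs in records.values():
        for rec in recs:
            if isinstance(rec, SrvRecord) and not any(
                isinstance(r, ARecord) for r in records.get(rec.target, [])
            ):
                missing.append(rec.target)
    return missing


class StaticResolver:
    """Answers queries from the file, rotating through same-name records."""

    def __init__(self, records):
        self._cycles = {name: cycle(recs) for name, recs in records.items()}

    def lookup(self, name):
        """Next record for name, or None when the name is not in the file."""
        c = self._cycles.get(name.lower())
        return next(c) if c is not None else None


# Constructed sample: one controller, DNS fully bypassed (SRV plus A line)
SINGLE_DC_FILE = """\
# single domain controller for example.com
_ldap._tcp.dc._msdcs.example.com SRV 0 100 389 dc1.example.com
dc1.example.com A 192.0.2.10
"""

if __name__ == "__main__":
    recs = parse_records(SINGLE_DC_FILE)
    print("SRV targets still needing DNS:", srv_targets_without_a(recs))
    print(StaticResolver(recs).lookup("_ldap._tcp.dc._msdcs.example.com"))
```

Run it against your own dns.txt by passing the file contents to parse_records; a RecordsFileError points at the offending line, and an empty list from srv_targets_without_a confirms that every controller named in an SRV line also has an A line, so Jespa never has to ask a real DNS server.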