[midPoint] Connecting multi-domain active directory forest

Radovan Semancik radovan.semancik at evolveum.com
Wed Feb 22 11:16:56 CET 2017


Hi,

I'm partly guessing. But you may be hitting a connector limitation here. 
Or rather a common limitation of distributed directory services. It is 
not really possible to make a search that spans both root domain and the 
subdomains. In the case of AD it might be theoretically possible to 
search through global catalog. But that is not very practical as global 
catalog does not have all the data. We would need to fetch each and 
every account from its authoritative location anyway. This is 
inefficient and therefore it is not implemented.

We use a different approach. We define each domain as a separate 
"intent" in midPoint. This is the easiest way to handle the DN 
suffixes of the domains. And then you can import each of the intents 
separately. If you correctly define base context for each intent then 
the search should work. Connector will route it to the correct domain 
controller based on that base context. This should be a perfectly feasible 
configuration as long as you have only a small number of subdomains.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 02/20/2017 10:59 PM, Arnošt Starosta - AMI Praha a.s. wrote:
> Hello everybody,
>
> I'm trying and failing to connect midpoint to a multi-domain active 
> directory forest for read/write operations using the Ldap AD Connector.
>
> My account import task imports accounts from the parent/root domain, 
> but not from subdomains.
>
> My test setup has a parent domain and a single subdomain. As 
> recommended here - 
> https://wiki.evolveum.com/display/midPoint/Active+Directory+Multi-Domain 
> -
> I've set up the following configuration (simplified).
>
>     <configurationProperties>
>         <host>root.com</host>
>         ...
>         <baseContext>DC=root,DC=com</baseContext>
>         <referralStrategy>ignore</referralStrategy>
>         <globalCatalogStrategy>resolve</globalCatalogStrategy>
>         <globalCatalogServers>host=root.com; port=3268</globalCatalogServers>
>         <servers>host=sub.root.com; baseContext=DC=sub,DC=root,DC=com</servers>
>     </configurationProperties>
>
> Importing accounts from this resource results in root.com 
> shadow objects only, no sub.root.com. The global catalog is up to date 
> and contains all objects in the forest.
>
> Should I "bootstrap" the shadows from the global catalog and then 
> switch to the above configuration manually? Or should I just check the 
> sources?
>
> Thanks for any advice!
>
> arnost
>
> --
>
> Arnošt Starosta
> solution architect
>
> gsm: [+420] 603 794 932
> e-mail: arnost.starosta at ami.cz
>
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
>
>
>
> By the text of this e-mail the signatory neither promises to conclude nor concludes 
> any contract on behalf of AMI Praha a.s.
> Any contract, if concluded, must be made 
> exclusively in written form.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
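A resource fragment illustrating the per-domain "intent" approach Radovan describes, combined with the connector settings from Arnošt's configuration above. This is an added example, not code from the thread or from the midPoint project: the DNs and connector properties come from the thread, while the `ri:domain` object class used in each `baseContext`, the namespace URIs and the overall `schemaHandling` shape are assumptions about the midPoint resource schema and should be checked against the schema the connector actually generates for your version.

```xml
<!-- Added example (not from the thread): one midPoint objectType per AD domain.
     Each intent carries its own baseContext, so a search for that intent is routed
     by the connector to the domain controller that owns that naming context.
     Assumptions: the ri:domain object class for the base context entry, the namespace
     URIs below, and the icfcldap prefix; verify against your connector's generated schema. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
    <name>AD forest root.com (multi-domain, per-domain intents)</name>

    <connectorConfiguration>
        <!-- Connector property values as posted in the thread; bind credentials omitted. -->
        <icfc:configurationProperties
            xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector">
            <icfcldap:host>root.com</icfcldap:host>
            <icfcldap:baseContext>DC=root,DC=com</icfcldap:baseContext>
            <icfcldap:referralStrategy>ignore</icfcldap:referralStrategy>
            <icfcldap:globalCatalogStrategy>resolve</icfcldap:globalCatalogStrategy>
            <icfcldap:globalCatalogServers>host=root.com; port=3268</icfcldap:globalCatalogServers>
            <!-- One extra server entry per subdomain, each bound to its own naming context. -->
            <icfcldap:servers>host=sub.root.com; baseContext=DC=sub,DC=root,DC=com</icfcldap:servers>
        </icfc:configurationProperties>
    </connectorConfiguration>

    <schemaHandling>
        <!-- Intent "root": accounts living in the forest root domain. -->
        <objectType>
            <kind>account</kind>
            <intent>root</intent>
            <displayName>Root domain account</displayName>
            <default>true</default>
            <objectClass>ri:user</objectClass>
            <baseContext>
                <!-- ri:domain is assumed; the filter selects the domain root entry by DN. -->
                <objectClass>ri:domain</objectClass>
                <filter>
                    <q:equal>
                        <q:path>attributes/dn</q:path>
                        <q:value>DC=root,DC=com</q:value>
                    </q:equal>
                </filter>
            </baseContext>
        </objectType>

        <!-- Intent "sub": accounts living in the subdomain. The base context DN matches the
             baseContext given in the <servers> entry above, which is what lets the connector
             pick the subdomain's controller instead of the root DC. -->
        <objectType>
            <kind>account</kind>
            <intent>sub</intent>
            <displayName>Subdomain account</displayName>
            <objectClass>ri:user</objectClass>
            <baseContext>
                <objectClass>ri:domain</objectClass>
                <filter>
                    <q:equal>
                        <q:path>attributes/dn</q:path>
                        <q:value>DC=sub,DC=root,DC=com</q:value>
                    </q:equal>
                </filter>
            </baseContext>
        </objectType>
    </schemaHandling>
</resource>
```

With this layout the import is run once per intent (root, then sub) rather than as a single forest-wide search, which is the separation Radovan recommends; a search scoped to `DC=root,DC=com` with `referralStrategy=ignore` will by design never descend into the subdomain's naming context, so shadows for `sub.root.com` only appear once the `sub` intent is imported on its own.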
