[midPoint] Connecting multi-domain Active Directory forest - intents help a little

Arnošt Starosta - AMI Praha a.s. arnost.starosta at ami.cz
Wed Feb 22 16:34:47 CET 2017


Hi Radovan,

thanks for your reply! Configuring each domain with a different intent
really helps: reconciliation tasks with the different intents indeed load
the account data from the different domains, and the corresponding shadow
objects are created.

But when those subdomain data/shadows are processed further in the subdomain
intent task, the objectSynchronization configurations for the different intents
seem to collide and no accounts for subdomains are created. The subdomain
shadow objects are reported on the progress tab as "(ACCOUNT - default -
user)" instead of "(ACCOUNT - subdomain - user)".

It seems only the first objectSynchronization element is considered and
renders the object "not applicable".

Deleting the default objectSynchronization and leaving only the subdomain
intent one helps: the accounts are created and linked. But of course only
for that single subdomain.

Configuring two subdomains leads to a similar result: when configuring two
objectSynchronizations 'subdomain1' and 'subdomain2' and not including the
default one, all objects from subdomain2 are again reported as "(ACCOUNT -
subdomain1 - user)" and no accounts get created.

Is that a bug or is my 'objectSynchronization per intent' wrong?

Btw, trying to 'import' the accounts from subdomains doesn't even try to
fetch the data. I always have to 'reconcile'. I don't know if that indicates
something or not.

Thanks again!

arnost

Wed, 22 Feb 2017 11:16:56 +0100 Radovan Semancik <radovan.semancik at evolveum.com>:
>
> Hi,
>
> I'm partly guessing. But you may be hitting a connector limitation here.
> Or rather a common limitation of distributed directory services. It is
> not really possible to make a search that spans both root domain and the
> subdomains. In the case of AD it might be theoretically possible to
> search through global catalog. But that is not very practical as global
> catalog does not have all the data. We would need to fetch each and
> every account from its authoritative location anyway. This is
> inefficient and therefore it is not implemented.
>
> We use a different approach. We define each domain as a separate
> "intent" in midPoint. This is the easiest way to handle the DN
> suffixes of the domains. And then you can import each of the intents
> separately. If you correctly define the base context for each intent then
> the search should work. The connector will route it to the correct domain
> controller based on that base context. This should be a perfectly feasible
> configuration as long as you have only a small number of subdomains.
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
> 2017-02-20 22:59 GMT+01:00 Arnošt Starosta - AMI Praha a.s. <arnost.starosta at ami.cz>:
> >
> > Hello everybody,
> >
> > I'm trying and failing to connect midPoint to a multi-domain Active
> > Directory forest for read/write operations using the LDAP AD Connector.
> >
> > My account import task imports accounts from the parent/root domain,
> > but not from subdomains.
> >
> > My test setup has a parent domain and a single subdomain. As
> > recommended here -
> > https://wiki.evolveum.com/display/midPoint/Active+Directory+Multi-Domain -
> > I've set up the following configuration (simplified).
> >
> >          <configurationProperties>
> >             <host>root.com</host>
> >             ...
> >             <baseContext>DC=root,DC=com</baseContext>
> >             <referralStrategy>ignore</referralStrategy>
> >             <globalCatalogStrategy>resolve</globalCatalogStrategy>
> >             <globalCatalogServers>host=root.com; port=3268</globalCatalogServers>
> >             <servers>host=sub.root.com; baseContext=DC=sub,DC=root,DC=com</servers>
> >          </configurationProperties>
> >
> > Importing accounts from this resource results in root.com shadow
> > objects only, no sub.root.com. The global catalog is up to date and
> > contains all objects in the forest.
> >
> > Should I "bootstrap" the shadows from the global catalog and then
> > switch to the above configuration manually? Or should I just check the
> > sources?
> >
> > Thanks for any advice!
> >
> > arnost
> >
> > --
> >
> > Arnošt Starosta
> > solution architect
> >
> > gsm: [+420] 603 794 932
> > e-mail: arnost.starosta at ami.cz
> >
> > AMI Praha a.s.
> > Pláničkova 11
> > 162 00 Praha 6
> > tel.: [+420] 274 783 239
> > web: www.ami.cz
> >
> > By the text of this e-mail, the signatory neither promises to conclude nor
> > concludes any contract on behalf of AMI Praha a.s. Any contract, if
> > concluded, must be exclusively in written form.
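As an added example (not configuration from this thread or from Evolveum), the following midPoint resource fragment shows one way to express "one intent per domain" so that each objectSynchronization applies only to shadows that belong to its own domain: each objectType carries its own baseContext (matching the `<servers>` entries in the connector configuration above), and each objectSynchronization carries a condition on the shadow DN, so that a shadow from sub.root.com is never classified by the default definition. The namespaces follow midPoint 3.x resource XML; the hostnames and DNs, the `ri:domain` base-context object class, the `shadow` variable and `basic.getAttributeValue` inside the condition script, and the behaviour that without a condition the first definition matching kind and object class is applied to every shadow, are assumptions to check against the midPoint version in use.

```xml
<!-- Added example, not from the thread or from Evolveum. Hostnames, DNs,
     ri:domain as base-context class and the condition-script variables are assumed. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <name>AD forest root.com (example)</name>
  <schemaHandling>
    <!-- Root domain: the default intent, searched under DC=root,DC=com only -->
    <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <default>true</default>
      <objectClass>ri:user</objectClass>
      <baseContext>
        <objectClass>ri:domain</objectClass>
        <filter>
          <q:equal>
            <q:path>attributes/dn</q:path>
            <q:value>DC=root,DC=com</q:value>
          </q:equal>
        </filter>
      </baseContext>
    </objectType>
    <!-- Subdomain: its own intent; the connector routes this base context to sub.root.com -->
    <objectType>
      <kind>account</kind>
      <intent>subdomain</intent>
      <objectClass>ri:user</objectClass>
      <baseContext>
        <objectClass>ri:domain</objectClass>
        <filter>
          <q:equal>
            <q:path>attributes/dn</q:path>
            <q:value>DC=sub,DC=root,DC=com</q:value>
          </q:equal>
        </filter>
      </baseContext>
    </objectType>
  </schemaHandling>
  <synchronization>
    <!-- Both definitions match kind=account and objectClass=ri:user, so the DN
         condition is what keeps them from colliding (assumed discriminator). -->
    <objectSynchronization>
      <name>root.com accounts</name>
      <kind>account</kind>
      <intent>default</intent>
      <objectClass>ri:user</objectClass>
      <focusType>UserType</focusType>
      <enabled>true</enabled>
      <condition>
        <script>
          <code>
            // applicable only to shadows directly under the root domain
            def dn = basic.getAttributeValue(shadow, 'dn')?.toLowerCase()
            dn != null &amp;&amp; dn.endsWith(',dc=root,dc=com') &amp;&amp; !dn.endsWith(',dc=sub,dc=root,dc=com')
          </code>
        </script>
      </condition>
      <correlation>
        <q:equal>
          <q:path>name</q:path>
          <expression>
            <path>$projection/attributes/ri:sAMAccountName</path>
          </expression>
        </q:equal>
      </correlation>
      <reaction>
        <situation>unmatched</situation>
        <synchronize>true</synchronize>
        <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri></action>
      </reaction>
      <reaction>
        <situation>unlinked</situation>
        <synchronize>true</synchronize>
        <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri></action>
      </reaction>
    </objectSynchronization>
    <objectSynchronization>
      <name>sub.root.com accounts</name>
      <kind>account</kind>
      <intent>subdomain</intent>
      <objectClass>ri:user</objectClass>
      <focusType>UserType</focusType>
      <enabled>true</enabled>
      <condition>
        <script>
          <code>
            // applicable only to shadows from the subdomain
            def dn = basic.getAttributeValue(shadow, 'dn')?.toLowerCase()
            dn != null &amp;&amp; dn.endsWith(',dc=sub,dc=root,dc=com')
          </code>
        </script>
      </condition>
      <correlation>
        <q:equal>
          <q:path>name</q:path>
          <expression>
            <path>$projection/attributes/ri:sAMAccountName</path>
          </expression>
        </q:equal>
      </correlation>
      <reaction>
        <situation>unmatched</situation>
        <synchronize>true</synchronize>
        <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri></action>
      </reaction>
      <reaction>
        <situation>unlinked</situation>
        <synchronize>true</synchronize>
        <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri></action>
      </reaction>
    </objectSynchronization>
  </synchronization>
</resource>
```

A quick check that the conditions do what is intended: after a reconciliation of the `subdomain` intent, the task progress tab should show the sub.root.com shadows as "(ACCOUNT - subdomain - user)" rather than "(ACCOUNT - default - user)"; a shadow still reported under the default intent means the default definition's condition still evaluates to true for that DN and needs tightening. A third domain is added the same way: one more objectType with its own baseContext and one more objectSynchronization whose condition matches only that domain's DN suffix.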