[midPoint] Connecting multi-domain active directory forest - intents help a little

Ivan Noris ivan.noris at evolveum.com
Wed Feb 22 16:45:18 CET 2017


Hi Arnost,

are you using conditions in objectSynchronization, so that midpoint
knows which intent it should set for shadows?

Ivan


On 02/22/2017 04:34 PM, Arnošt Starosta - AMI Praha a.s. wrote:
> Hi Radovan,
>
> thanks for your reply! Configuring each domain with a different intent
> really helps: reconciliation tasks with the different intents indeed
> load the account data from the different domains, and the corresponding
> shadow objects are created.
>
> But when that subdomain data/shadows are processed further in the
> subdomain intent task the objectSynchronization configurations for
> different intents seem to collide and no accounts for subdomains are
> created. The subdomain shadow objects are reported on the progress tab
> as "(ACCOUNT - default - user)" instead of "(ACCOUNT - subdomain -
> user)".
>
> It seems only the first objectSynchronization element is considered
> and renders the object "not applicable".
>
> Deleting the default objectSynchronization and leaving only the
> subdomain intent one helps; the accounts are created and linked. But
> of course only for that single subdomain.
>
> Configuring two subdomains leads to a similar result - when
> configuring two objectSynchronizations 'subdomain1' and 'subdomain2'
> and not including the default one, all objects from subdomain2 are
> again reported as "(ACCOUNT - subdomain1 - user)" and no accounts get
> created.
>
> Is that a bug or is my 'objectSynchronization per intent' wrong?
>
> Btw trying to 'import' the accounts from subdomains doesn't even try
> to fetch the data. I always have to 'reconcile'. Don't know if that
> indicates something or not.
>
> Thanks again!
>
> arnost
>
> Wed, 22 Feb 2017 11:16:56 +0100 Radovan Semancik
> <radovan.semancik at evolveum.com>:
> >
> > Hi,
> >
> > I'm partly guessing. But you may be hitting a connector limitation here.
> > Or rather a common limitation of distributed directory services. It is
> > not really possible to make a search that spans both root domain and the
> > subdomains. In the case of AD it might be theoretically possible to
> > search through global catalog. But that is not very practical as global
> > catalog does not have all the data. We would need to fetch each and
> > every account from its authoritative location anyway. This is
> > inefficient and therefore it is not implemented.
> >
> > We use a different approach. We define each domain as a separate
> > "intent" in midPoint. This is the easiest way to handle the DN
> > suffixes of the domains. And then you can import each of the intents
> > separately. If you correctly define base context for each intent then
> > the search should work. Connector will route it to the correct domain
> > controller based on that base context. This should be perfectly feasible
> > configuration as long as you have only a small number of subdomains.
> >
> > --
> > Radovan Semancik
> > Software Architect
> > evolveum.com
> >
> > 2017-02-20 22:59 GMT+01:00 Arnošt Starosta - AMI Praha a.s.
> > <arnost.starosta at ami.cz>:
> > >
> > > Hello everybody,
> > >
> > > I'm trying and failing to connect midpoint to a multi-domain
> > > active directory forest for read/write operations using the Ldap AD
> > > Connector.
> > >
> > > My account import task imports accounts from the parent/root
> > > domain, but not from subdomains.
> > >
> > > My test setup has a parent domain and a single subdomain. As
> > > recommended here -
> > > https://wiki.evolveum.com/display/midPoint/Active+Directory+Multi-Domain -
> > > I've set up the following configuration (simplified).
> > >
> > >          <configurationProperties>
> > >             <host>root.com</host>
> > >             ...
> > >             <baseContext>DC=root,DC=com</baseContext>
> > >             <referralStrategy>ignore</referralStrategy>
> > >             <globalCatalogStrategy>resolve</globalCatalogStrategy>
> > >             <globalCatalogServers>host=root.com; port=3268</globalCatalogServers>
> > >             <servers>host=sub.root.com; baseContext=DC=sub,DC=root,DC=com</servers>
> > >          </configurationProperties>
> > >
> > > Importing accounts from this resource results in root.com shadow
> > > objects only, no sub.root.com. The global catalog is up to date and
> > > contains all objects in the forest.
> > >
> > > Should I "bootstrap" the shadows from the global catalog and then
> > > switch to the above configuration manually? Or should I just check the
> > > sources?
> > >
> > > Thanks for any advice!
> > >
> > > arnost
> > >
> --
> Arnošt Starosta
> solution architect
>
> gsm: [+420] 603 794 932
> e-mail: arnost.starosta at ami.cz
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
> By the text of this e-mail, the signatory neither promises to conclude nor
> concludes any contract on behalf of AMI Praha a.s. Any contract, if
> concluded, must be exclusively in written form.
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
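
An added illustration, not part of the original thread and not midPoint code: when each domain is a separate intent keyed on its base context, a subdomain DN also ends with the root domain's suffix, so a per-intent condition that only tests the root suffix claims subdomain accounts as well. The sketch below is a simplified model that compares a first-match rule with a most-specific-suffix rule; the intent names and base contexts are taken from the thread, the account DNs are constructed samples.

```python
# Added illustration, not midPoint code: pick one intent per AD domain from a DN.
# Intent names "default"/"subdomain" and the base contexts come from the thread;
# the account DNs used below are constructed samples.
BASE_CONTEXTS = {
    "default": "DC=root,DC=com",
    "subdomain": "DC=sub,DC=root,DC=com",
}


def rdns(dn):
    """Split a DN into lower-cased RDNs (simplified: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def is_under(dn, base):
    """True when `base` is a whole-RDN suffix of `dn`."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def first_match_intent(dn, contexts=BASE_CONTEXTS):
    """Naive rule: the first listed intent whose base context matches wins."""
    for intent, base in contexts.items():
        if is_under(dn, base):
            return intent
    return None


def most_specific_intent(dn, contexts=BASE_CONTEXTS):
    """Safer rule: the deepest (longest) matching base context wins."""
    matches = [(len(rdns(base)), intent)
               for intent, base in contexts.items() if is_under(dn, base)]
    return max(matches)[1] if matches else None


if __name__ == "__main__":
    for dn in ("CN=Alice,CN=Users,DC=root,DC=com",
               "CN=Bob,CN=Users,DC=sub,DC=root,DC=com"):
        print(dn, first_match_intent(dn), most_specific_intent(dn))
```

A condition written for the root-domain intent therefore has to exclude the subdomain suffixes explicitly, or the selection has to prefer the longest matching base context.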
