[midPoint] Connecting multi-domain active directory forest - intents help a little

Arnošt Starosta - AMI Praha a.s. arnost.starosta at ami.cz
Thu Feb 23 14:29:10 CET 2017


Hi Ivan and Radovan,

yes! Conditional synchronization was the missing piece and now I have a
working solution. Thanks a lot!

To sum it up - I have an Active Directory forest with multiple domains
connected to midPoint 3.5 for read and update operations.

What worked for me in the end was basically to follow the documentation in
https://wiki.evolveum.com/display/midPoint/Active+Directory+Multi-Domain
with a few extra details:
1) in connectorConfiguration specify the root domain as 'host' and every
subdomain as one 'servers' element with the corresponding baseContexts
2) set referralStrategy to ignore, specify the globalCatalogServers and
set globalCatalogStrategy to resolve (I don't know if the global catalog is
necessary in the end or not)
3) define an objectType for every AD domain with a unique intent, plus a
default one. Every objectType has the same baseContext/filter as the
corresponding 'servers' element in connectorConfiguration
4) define an objectSynchronization for every domain with the corresponding
intent, plus a default one. Every synchronization again has the same
dn/baseContext test as the domain servers/baseContext. Something like
"basic.getSecondaryIdentifierValue(shadow) ==~
~/(?i)^.*dc=subdomain,dc=root,dc=com$/" (as found in midpoint/samples).

I didn't find a way to work with the resource as a whole so far; each task
has an intent and affects just a single subdomain. To connect all 17
subdomains I have, I will probably try an XSLT preprocessor to generate the
resource XML and the tasks.

> N.B.: The split of configuration to schemaHandling and synchronization
> was one of the historical mistakes in the midPoint configuration design.
> The plan is to fix this and similar issues in midPoint 4 ... whenever that
> may be.

Great! It is a bit odd to specify/control something so tightly related in
several 'independent' places. It gave me so much freedom that I got lost.

> > In the case of AD it might be theoretically possible to
> > search through global catalog. But that is not very practical as global
> > catalog does not have all the data. We would need to fetch each and
> > every account from its authoritative location anyway. This is
> > inefficient and therefore it is not implemented.

I didn't know what AD was a week ago but ... having learned a tiny bit so far, I
understand this is the intended global catalog design. First search the GC
(like an index; only some attributes are indexed) and second work with
the real 'entity' on the domain node. So a single global import of
everything in the GC under one baseContext in this two-step automated
process would make sense, at least in my case.

Thanks again for the great help!

arnost

2017-02-23 11:58 GMT+01:00 Radovan Semancik <radovan.semancik at evolveum.com>:
>
> Hi,
>
> On 02/22/2017 04:34 PM, Arnošt Starosta - AMI Praha a.s. wrote:
>>
>> But when that subdomain data/shadows are processed further in the
>> subdomain intent task the objectSynchronization configurations for
>> different intents seem to collide and no accounts for subdomains are
>> created. The subdomain shadow objects are reported on the progress tab as
>> "(ACCOUNT - default - user)" instead of "(ACCOUNT - subdomain - user)".
>>
>> It seems only the first objectSynchronization element is considered and
>> renders the object "not applicable".
>
> Please make sure that you have set kind/intent also in the
> synchronization section. And that you have correct conditions in the
> synchronization section. The conditions may be needed to sort the imported
> accounts to the "intents". As the multi-domain is seen as one resource,
> midPoint has no practical way to sort the accounts to intents
> automatically. At least not now.
>
> It is described here:
> https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>
> N.B.: The split of configuration to schemaHandling and synchronization
> was one of the historical mistakes in the midPoint configuration design. It
> does not make much sense now. I have already regretted that design choice
> several times. But it is there almost from the beginning, long before we had
> intents. This is the cost of evolution. And now we strongly prefer
> compatibility and upgradeability, so there is no easy way to fix that. The
> plan is to fix this and similar issues in midPoint 4 ... whenever that may
> be.
>
>> Is that a bug or is my 'objectSynchronization per intent' wrong?
>
> I would guess that it is a configuration issue. You probably need to add
> the conditions to synchronization sections. It is unlikely that this is a
> bug as this is a tested setup. But of course, I cannot completely rule out
> the possibility that there is a bug.
>
>> Btw trying to 'import' the accounts from subdomains doesn't even try to
>> fetch the data. I always have to 'reconcile'. Don't know if that indicates
>> something or not.
>
> This one is quite strange. Import and reconcile are almost the same in
> this aspect. Both are based on account search. But again, I would guess
> that this suggests either wrong configuration or a very strange bug.
>
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>



--

Arnošt Starosta
solution architect

gsm: [+420] 603 794 932
e-mail: arnost.starosta at ami.cz

AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz

By the text of this e-mail the signatory does not promise to conclude, nor does
he conclude, any contract on behalf of AMI Praha a.s. Any contract, if
concluded, must be exclusively in written form.
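An added example (not from the thread or from midPoint itself) of the DN-suffix sorting that step 4 above describes: each intent's objectSynchronization condition is a case-insensitive regex anchored on the end of the shadow DN. The domain names and intent names below are constructed; the script also goes a step beyond the thread by showing that a nested subdomain DN satisfies its ancestors' suffix conditions too, so with first-match evaluation the most specific base context has to be checked first (or the default entry swallows subdomain accounts, which is the collision reported in the original question).

```python
import re

# Constructed sample forest (assumption, not from the thread): intent -> baseContext.
FOREST_DOMAINS = {
    "default": "dc=root,dc=com",              # root domain, the default intent
    "eu": "dc=eu,dc=root,dc=com",             # one subdomain, intent "eu"
    "eu-lab": "dc=lab,dc=eu,dc=root,dc=com",  # nested subdomain under "eu"
}

def dn_condition(base_context: str) -> re.Pattern:
    """Python equivalent of the per-intent synchronization condition quoted
    in the thread: dn ==~ ~/(?i)^.*<baseContext>$/ (case-insensitive suffix)."""
    return re.compile(r"(?i)^.*" + re.escape(base_context) + r"$")

def groovy_condition(base_context: str) -> str:
    """The same condition in the Groovy form used in the resource XML, handy
    when generating one objectSynchronization per domain (e.g. via XSLT)."""
    return f"basic.getSecondaryIdentifierValue(shadow) ==~ ~/(?i)^.*{base_context}$/"

CONDITIONS = {intent: dn_condition(bc) for intent, bc in FOREST_DOMAINS.items()}

def matching_intents(dn: str) -> list:
    """Every intent whose condition accepts this DN. A nested-domain DN ends
    with its ancestors' base contexts as well, so several conditions fire."""
    return [intent for intent, rx in CONDITIONS.items() if rx.match(dn)]

def sort_to_intent(dn: str) -> str:
    """Resolve the collision deterministically: take the longest (most
    specific) matching base context. A DN from outside the forest is an error
    rather than silently landing in the default intent."""
    hits = matching_intents(dn)
    if not hits:
        raise ValueError(f"no objectSynchronization condition matches {dn!r}")
    return max(hits, key=lambda intent: len(FOREST_DOMAINS[intent]))

def ordered_intents() -> list:
    """Order in which objectSynchronization entries should appear in the
    resource if the engine stops at the first matching condition:
    most specific base context first, the default (root) last."""
    return sorted(FOREST_DOMAINS, key=lambda intent: -len(FOREST_DOMAINS[intent]))

if __name__ == "__main__":
    for dn in ("CN=alice,OU=Users,DC=eu,DC=root,DC=com",
               "cn=bob,dc=lab,dc=eu,dc=root,dc=com",
               "cn=carol,dc=root,dc=com"):
        print(dn, "->", matching_intents(dn), "chosen:", sort_to_intent(dn))
    print("entry order:", ordered_intents())
```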