<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Arnost,</p>
<p>are you using conditions in objectSynchronization, so that
midpoint knows which intent it should set for shadows?</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 02/22/2017 04:34 PM, Arnošt Starosta
- AMI Praha a.s. wrote:<br>
</div>
<blockquote
cite="mid:CAGPA3FLJpmOE2BNaYNfJi+kUseUEwKMFUShE8Ryomg9ccjYQ3w@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Radovan,<br>
<br>
thanks for your reply! Configuring each domain with a different
intent really helps, reconciliation tasks with the different
intents indeed load the account data from the different domains,
the corresponding shadow objects are created.<br>
<br>
But when that subdomain data/shadows are processed further in
the subdomain intent task the objectSynchronization
configurations for different intents seem to collide and no
accounts for subdomains are created. The subdomain shadow
objects are reported on the progress tab as "(ACCOUNT - default
- user)" instead of "(ACCOUNT - subdomain - user)".
<div><br>
</div>
<div>It seems only the first objectSynchronization element is
considered and renders the object "not applicable".</div>
<div><br>
</div>
<div>Deleting the default objectSynchronization and leaving only
the subdomain intent one helps, the accounts are created and
linked. But of course only for that single subdomain.<br>
<br>
Configuring two subdomains leads to a similar result - when
configuring two objectSynchronizations 'subdomain1' and
'subdomain2' and not including the default one, all objects
from subdomain2 are again reported as "(ACCOUNT - subdomain1 -
user)" and no accounts get created.<br>
<br>
Is that a bug or is my 'objectSynchronization per intent'
wrong?</div>
<div><br>
</div>
<div>Btw trying to 'import' the accounts from subdomains doesn't
even try to fetch the data. I always have to 'reconcile'.
Don't know if that indicates something or not.<br>
<br>
Thanks again!</div>
<div><br>
</div>
<div>arnost<br>
<br>
Wed, 22 Feb 2017 11:16:56 +0100 Radovan Semancik <<a
moz-do-not-send="true"
href="mailto:radovan.semancik@evolveum.com">radovan.semancik@evolveum.com</a>>:<br>
><br>
> Hi,<br>
><br>
> I'm partly guessing. But you may be hitting a connector
limitation here.<br>
> Or rather a common limitation of distributed directory
services. It is<br>
> not really possible to make a search that spans both root
domain and the<br>
> subdomains. In the case of AD it might be theoretically
possible to<br>
> search through global catalog. But that is not very
practical as global<br>
> catalog does not have all the data. We would need to
fetch each and<br>
> every account from its authoritative location anyway.
This is<br>
> inefficient and therefore it is not implemented.<br>
><br>
> We use a different approach. We define each domain as a
separate<br>
> "intent" in midPoint. This is the easiest way how to
handle the DN<br>
> suffixes of the domains. And then you can import each of
of the intents<br>
> separately. If you correctly define base context for each
intent then<br>
> the search should work. Connector will route it to the
correct domain<br>
> controller based on that base context. This should be
perfectly feasible<br>
> configuration as long as you have only a small number of
subdomains.<br>
><br>
> --<br>
> Radovan Semancik<br>
> Software Architect<br>
> <a moz-do-not-send="true" href="http://evolveum.com">evolveum.com</a><br>
><br>
> 2017-02-20 22:59 GMT+01:00 Arnošt Starosta - AMI Praha
a.s. <<a moz-do-not-send="true"
href="mailto:arnost.starosta@ami.cz">arnost.starosta@ami.cz</a>>:<br>
> ><br>
> > Hello everybody,<br>
> ><br>
> > I'm trying and failing to connect midpoint to a
multi-domain active directory forrest for read/write
operations using the Ldap AD Connector.<br>
> ><br>
> > My account import task imports accounts from the
parent/root domain, but not from subdomains.<br>
> ><br>
> > My test setup has a parent domain and a single
subdomain. As recommended here - <a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Active+Directory+Multi-Domain">https://wiki.evolveum.com/display/midPoint/Active+Directory+Multi-Domain</a>
-<br>
> > i've setup the following configuration (simplified).<br>
> ><br>
> > <configurationProperties><br>
> > <host><a moz-do-not-send="true"
href="http://root.com">root.com</a></host><br>
> > ...<br>
> >
<baseContext>DC=root,DC=com</baseContext><br>
> >
<referralStrategy>ignore</referralStrategy><br>
> >
<globalCatalogStrategy>resolve</globalCatalogStrategy><br>
> > <globalCatalogServers>host=<a
moz-do-not-send="true" href="http://root.com">root.com</a>;
port=3268</globalCatalogServers><br>
> > <servers>host=<a
moz-do-not-send="true" href="http://sub.root.com">sub.root.com</a>;
baseContext=DC=sub,DC=root,DC=com</servers><br>
> > </configurationProperties><br>
> ><br>
> > Importing accounts from this resource results in <a
moz-do-not-send="true" href="http://root.com">root.com</a>
shadow objects only, no <a moz-do-not-send="true"
href="http://sub.root.com">sub.root.com</a>. The global
catalog is up to date and contains all objects in the forrest.<br>
> ><br>
> > Should I "bootstrap" the shadows from the global
catalog and then switch to the above configuration manually?
Or should i just check the sources?<br>
> ><br>
> > Thanks for any advice!<br>
> ><br>
> > arnost<br>
> ><br>
> > --<br>
> ><br>
> > Arnošt Starosta<br>
> > solution architect<br>
> ><br>
> > gsm: [+420] 603 794 932<br>
> > e-mail: <a moz-do-not-send="true"
href="mailto:arnost.starosta@ami.cz">arnost.starosta@ami.cz</a><br>
> ><br>
> > <br>
> ><br>
> > AMI Praha a.s.<br>
> > Pláničkova 11<br>
> > 162 00 Praha 6<br>
> > tel.: [+420] 274 783 239<br>
> > web: <a moz-do-not-send="true"
href="http://www.ami.cz">www.ami.cz</a><br>
> ><br>
> > <br>
> ><br>
> ><br>
> ><br>
> > Textem tohoto e-mailu podepisující neslibuje uzavřít
ani neuzavírá za společnost AMI Praha a.s.<br>
> > jakoukoliv smlouvu. Každá smlouva, pokud bude
uzavřena, musí mít výhradně písemnou formu.<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
><br>
><br>
> --<br>
><br>
> Arnošt Starosta<br>
> solution architect<br>
><br>
> gsm: [+420] 603 794 932<br>
> e-mail: <a moz-do-not-send="true"
href="mailto:arnost.starosta@ami.cz">arnost.starosta@ami.cz</a><br>
><br>
> <br>
><br>
> AMI Praha a.s.<br>
> Pláničkova 11<br>
> 162 00 Praha 6<br>
> tel.: [+420] 274 783 239<br>
> web: <a moz-do-not-send="true" href="http://www.ami.cz">www.ami.cz</a><br>
><br>
> <br>
><br>
><br>
><br>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani
neuzavírá za společnost AMI Praha a.s.<br>
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena,
musí mít výhradně písemnou formu.<br>
<br>
<br>
<br>
<br>
--<br>
<br>
Arnošt Starosta<br>
solution architect<br>
<br>
gsm: [+420] 603 794 932<br>
e-mail: <a moz-do-not-send="true"
href="mailto:arnost.starosta@ami.cz">arnost.starosta@ami.cz</a><br>
<br>
<br>
<br>
AMI Praha a.s.<br>
Pláničkova 11<br>
162 00 Praha 6<br>
tel.: [+420] 274 783 239<br>
web: <a moz-do-not-send="true" href="http://www.ami.cz">www.ami.cz</a><br>
<br>
<br>
<br>
<br>
<br>
Textem tohoto e-mailu podepisující neslibuje uzavřít ani
neuzavírá za společnost AMI Praha a.s.<br>
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí
mít výhradně písemnou formu.</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
</body>
</html>