<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi,<br>
    <br>
    I'm partly guessing. But you may be hitting a connector limitation
    here. Or rather a common limitation of distributed directory
    services. It is not really possible to make a search that spans both
    root domain and the subdomains. In the case of AD it might be
    theoretically possible to search through global catalog. But that is
    not very practical as global catalog does not have all the data. We
    would need to fetch each and every account from its authoritative
    location anyway. This is inefficient and therefore it is not
    implemented.<br>
    <br>
    We use a different approach. We define each domain as a separate
    "intent" in midPoint. This is the easiest way to handle the DN
    suffixes of the domains. And then you can import each of the
    intents separately. If you correctly define the base context for each
    intent then the search should work. The connector will route it to the
    correct domain controller based on that base context. This should be
    a perfectly feasible configuration as long as you have only a small
    number of subdomains.<br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
evolveum.com
</pre>
    <br>
    <br>
    <div class="moz-cite-prefix">On 02/20/2017 10:59 PM, Arnošt Starosta
      - AMI Praha a.s. wrote:<br>
    </div>
    <blockquote
cite="mid:CAGPA3F+kqBtuiXBDJpR-yCFft1jj6Ms5yv30KEwnkbLVBY3yHQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hello everybody,<br>
        <br>
        I'm trying and failing to connect midpoint to a multi-domain
        active directory forest for read/write operations using the
        Ldap AD Connector.<br>
        <br>
        My account import task imports accounts from the parent/root
        domain, but not from subdomains.<br>
        <br>
        My test setup has a parent domain and a single subdomain. As
        recommended here - <a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Active+Directory+Multi-Domain">https://wiki.evolveum.com/display/midPoint/Active+Directory+Multi-Domain</a>
        - <br>
        I've set up the following configuration (simplified).<br>
        <br>
        <pre>&lt;configurationProperties&gt;
    &lt;host&gt;root.com&lt;/host&gt;
    ...
    &lt;baseContext&gt;DC=root,DC=com&lt;/baseContext&gt;
    &lt;referralStrategy&gt;ignore&lt;/referralStrategy&gt;
    &lt;globalCatalogStrategy&gt;resolve&lt;/globalCatalogStrategy&gt;
    &lt;globalCatalogServers&gt;host=root.com; port=3268&lt;/globalCatalogServers&gt;
    &lt;servers&gt;host=sub.root.com; baseContext=DC=sub,DC=root,DC=com&lt;/servers&gt;
&lt;/configurationProperties&gt;
</pre>
        <br>
        <div>Importing accounts from this resource results in <a
            moz-do-not-send="true" href="http://root.com">root.com</a>
          shadow objects only, no <a moz-do-not-send="true"
            href="http://sub.root.com">sub.root.com</a>. The global
          catalog is up to date and contains all objects in the forest.</div>
        <div><br>
        </div>
        <div>Should I "bootstrap" the shadows from the global catalog
          and then switch to the above configuration manually? Or should
          I just check the sources?</div>
        <div><br>
        </div>
        <div>Thanks for any advice!</div>
        <div><br>
        </div>
        <div>arnost<br>
          <br>
          --<br>
          <br>
          Arnošt Starosta<br>
          solution architect<br>
          <br>
          gsm: [+420] 603 794 932<br>
          e-mail: <a moz-do-not-send="true"
            href="mailto:arnost.starosta@ami.cz">arnost.starosta@ami.cz</a><br>
          <br>
                <br>
          <br>
          AMI Praha a.s.<br>
          Pláničkova 11<br>
          162 00 Praha 6<br>
          tel.: [+420] 274 783 239<br>
          web: <a moz-do-not-send="true" href="http://www.ami.cz">www.ami.cz</a><br>
          <br>
                <br>
          <br>
          <br>
          <br>
          By the text of this e-mail the signatory neither promises to
          conclude nor concludes any contract on behalf of AMI Praha a.s.<br>
          Any contract, if concluded, must be made exclusively in written
          form.<br>
          <br>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
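    <br>
    The per-domain intent approach described in the reply, sketched as a
    midPoint resource schemaHandling fragment. This is an added example, not
    configuration from the thread or from the midPoint project; the intent
    names "root" and "sub" and the ri:domain base-context object class are
    assumptions, while the DNs are the ones from the quoted configuration.<br>

```xml
<!-- Added example (not from the original thread).
     Assumptions: intent names "root" and "sub"; ri:domain as the object
     class of the base-context entry; ri:user as the account object class. -->
<schemaHandling xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

    <!-- Accounts held in the forest root domain. -->
    <objectType>
        <kind>account</kind>
        <intent>root</intent>
        <default>true</default>
        <objectClass>ri:user</objectClass>
        <baseContext>
            <objectClass>ri:domain</objectClass>
            <filter>
                <q:equal>
                    <q:path>attributes/dn</q:path>
                    <q:value>DC=root,DC=com</q:value>
                </q:equal>
            </filter>
        </baseContext>
    </objectType>

    <!-- Accounts held in the subdomain. This base context has the same DN
         suffix as the "servers" entry in the connector configuration, so
         searches for this intent go to sub.root.com. -->
    <objectType>
        <kind>account</kind>
        <intent>sub</intent>
        <objectClass>ri:user</objectClass>
        <baseContext>
            <objectClass>ri:domain</objectClass>
            <filter>
                <q:equal>
                    <q:path>attributes/dn</q:path>
                    <q:value>DC=sub,DC=root,DC=com</q:value>
                </q:equal>
            </filter>
        </baseContext>
    </objectType>
</schemaHandling>
```

    Each intent is then imported by its own task, so a missing or mistyped
    base context shows up as one empty import rather than a silently
    incomplete forest-wide one.<br>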
    <br>
  </body>
</html>