Pooja_Madan

(SM) Support Tip : SM Integration with Active Directory multiple forests & domains

SM-AD solution approach: LDAP proxies act as the single entry point SC/SM needs, and it doesn't matter whether that's an open-source proxy or a commercial one like AD LDS.

In a multi-domain/forest environment based on Microsoft AD there is an additional solution: http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work(WS.10).aspx

Set up a two-way trust relationship between the current forest or domain (CROWN) and each target forest or domain, and have the user name and password for an account with access to each target forest or domain.

LDAP uses a tree structure to search sub-trees or sub-nodes. That is, say you have a root directory A; A has two children, B and C, and B and C each have two children (D and E under B, F and G under C). If you set the LDAP base directory to point at B, you can only search the sub-nodes below it (B, D, and E). You will not be searching C (and its children F and G) in your queries. To search B and C (and all children) you have to set the base directory to the closest common parent above all sub-nodes to be searched.

You can specify one directory and it searches all sub-nodes. This is what I meant by "one base directory" and not being able to search "different base directories".

If you would like to connect to and use multiple LDAP sources with different bind requirements, please take a look at the following article: http://support.openview.hp.com/selfsolve/document/KM184786

Set up the Global Catalog server so that you can query the LDAP server at the root (domain) level and reach the child domains: use the Global Catalog port 3268 instead of the domain port 389, which allows the query to run from that LDAP server's root level and down.

Next action item: To configure TCP port 3268 so that SM sends the queries to Global Catalog instead of LDAP referral.

To configure it, go to System Navigator -> System Administration -> Ongoing Maintenance -> System -> LDAP Mapping -> Search for operator -> change the LDAP Port to 3269, as indicated in the screenshots below.

How do we direct the query to the Global Catalog? Rather than relying on the default connection port of 389, simply send the query to TCP port 3268 (or 3269 if SSL encrypted) explicitly in your connection. Here's an MSDN link which goes over this in detail.

http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work(WS.10).aspx
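The two points above, the base DN bounding the search and the Global Catalog port covering the whole forest, are easy to see in a small model. The following is an added example, not code from the original post or from Service Manager itself; it keeps an in-memory forest shaped like the A/B/C/D/E/F/G picture above and uses no network. The port numbers 3268/3269 and 389/636 are the ones named in the post; the domain names, DNs, attributes and the "partial attribute set" it uses are constructed placeholders, and the referral behaviour is a simplification of what a real domain controller does.

```python
# Added example, not from the original post or from Service Manager itself: an
# in-memory model of (1) how an LDAP subtree search is bounded by its base DN
# and (2) why querying the Global Catalog port (3268, or 3269 over SSL) instead
# of the domain port (389/636) covers every domain in the forest in one query.
# No network is used; the forest, DNs, domain names and attributes below are
# constructed for illustration and simplify real AD behaviour.

GC_PORT, GC_SSL_PORT = 3268, 3269    # Global Catalog: forest-wide partial replica
LDAP_PORT, LDAPS_PORT = 389, 636     # domain controller: one domain's full replica

# Only attributes in the partial attribute set are replicated to the GC; a GC
# query cannot match on anything else. This set is a placeholder, not AD's real one.
GC_PARTIAL_ATTRIBUTE_SET = {"cn", "domain", "sAMAccountName"}

# Constructed forest following the post's picture: A is the root, B and C its
# children, D/E under B and F/G under C. C is a child domain, so a domain
# controller of the root domain does not hold F and G itself.
FOREST = {
    "DC=crown,DC=example":               {"domain": "crown.example", "cn": "A"},
    "OU=B,DC=crown,DC=example":          {"domain": "crown.example", "cn": "B"},
    "CN=D,OU=B,DC=crown,DC=example":     {"domain": "crown.example", "cn": "D",
                                          "sAMAccountName": "duser", "department": "finance"},
    "CN=E,OU=B,DC=crown,DC=example":     {"domain": "crown.example", "cn": "E",
                                          "sAMAccountName": "euser"},
    "DC=child,DC=crown,DC=example":      {"domain": "child.crown.example", "cn": "C"},
    "CN=F,DC=child,DC=crown,DC=example": {"domain": "child.crown.example", "cn": "F",
                                          "sAMAccountName": "fuser"},
    "CN=G,DC=child,DC=crown,DC=example": {"domain": "child.crown.example", "cn": "G",
                                          "sAMAccountName": "guser"},
}


def _normalize(dn):
    """Case-fold and strip whitespace so DN comparison is not cosmetic."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn, base_dn):
    """True when dn is base_dn itself or lies somewhere beneath it."""
    dn, base = _normalize(dn), _normalize(base_dn)
    return dn == base or dn.endswith("," + base)


def subtree_search(base_dn, attr=None, value=None, port=LDAP_PORT,
                   connected_domain="crown.example"):
    """Return (matching DNs, referred domains) for a subtree search.

    Against a domain port, objects held by another domain are not returned;
    instead the server answers with a referral the client would have to chase.
    Against a GC port the whole forest is searchable, but only attributes in
    the partial attribute set can be matched.
    """
    use_gc = port in (GC_PORT, GC_SSL_PORT)
    results, referrals = [], set()
    for dn, attrs in FOREST.items():
        if not in_subtree(dn, base_dn):
            continue                     # outside the base DN: never searched
        if attrs["domain"] != connected_domain and not use_gc:
            referrals.add(attrs["domain"])
            continue                     # other domain on 389/636 -> referral
        if attr is not None:
            if use_gc and attr not in GC_PARTIAL_ATTRIBUTE_SET:
                continue                 # attribute not replicated to the GC
            if attrs.get(attr) != value:
                continue
        results.append(dn)
    return results, sorted(referrals)


def ldap_endpoint(host, global_catalog, use_ssl):
    """Port SM should be pointed at: GC ports span the forest, domain ports one domain."""
    if global_catalog:
        return host, (GC_SSL_PORT if use_ssl else GC_PORT)
    return host, (LDAPS_PORT if use_ssl else LDAP_PORT)


if __name__ == "__main__":
    root = "DC=crown,DC=example"
    print("base OU=B only  :", subtree_search("OU=B," + root))
    print("root, port 389  :", subtree_search(root, "sAMAccountName", "fuser"))
    print("root, port 3268 :", subtree_search(root, "sAMAccountName", "fuser", port=GC_PORT))
    print("endpoint        :", ldap_endpoint("dc01.crown.example", True, True))
```

Two things the model makes visible that are worth checking in a real deployment: a search rooted at OU=B never returns F or G no matter which port is used, and a search on 3268 only matches attributes that are replicated to the Global Catalog, so an operator lookup on a non-replicated attribute will come back empty even though the object exists.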

Amr_Salah

Re: (SM) Support Tip : SM Integration with Active Directory multiple forests & d

Hello,

Thanks for the great information.

The link https://support.openview.hp.com/selfsolve/document/KM184786 is not working; is there any update or another source?

Thank you.

Thanks and Best Regards
------------------------------
Amr Salah