accomodating multiple domains in PWM

[dperrin]

In my environment user objects exist in parent and child domain controllers (e.g. company.com and remoteoffice.company.com).

 

I've read the documentation that PWM supports multiple directories for failover purposes. Is there support for multiple domain controllers that have a parent and child relationship?

 

I could potentially run a second PWM webapp to accomodate the distinct domains. Any suggestions would be most appreciated.

 

Thank you reading and thank you for an excellent and useful app!

[Jason Rivard]

A single instance of PWM can manage only a single ldap directory.  I guess in AD terms this means a single "domain".  Running multiple instances could work, but it sounds like you should probably have some sort of identity management project to consolidate your users into a single directory.

[Menno Pieters]

On Wed, Apr 18, 2012 at 10:55 PM, dperrin <dpe...@keene.edu> wrote:

In my environment user objects exist in parent and child domain controllers (e.g. company.com and remoteoffice.company.com).

 

I've read the documentation that PWM supports multiple directories for failover purposes. Is there support for multiple domain controllers that have a parent and child relationship?

 

I could potentially run a second PWM webapp to accomodate the distinct domains. Any suggestions would be most appreciated.

Sorry, I'm not an AD expert, but have seen it once in a while... By parent and child relationship, do you mean:

AD parent serves e.g. DC=com,DC=Example,OU=Users and AD child serves eg. DC=com,DC=example,DC=sub,OU=Users?

If I'm not mistaken, AD parent would send an LDAP referral to the client, if that would ask for objects below DC=com,DC=example,DC=sub. If that is the case, an LDAP client should be able to follow the referral and find the users. If you set your LDAP base dn to DC=com,DC=example, you should be able to work normally, as long as your user names are unique throughout the tree. If the latter is not the case, you could configure multiple search roots in PWM, one for DC=com,DC=Example,OU=Users and one for DC=com,DC=example,DC=sub,OU=Users.

Jason: does LdapChai handle referrals?

Regards,

Menno
 

 

Thank you reading and thank you for an excellent and useful app!

--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To view this discussion on the web visit https://groups.google.com/d/msg/pwm-general/-/NHOdrP4--gYJ.
To post to this group, send email to pwm-g...@googlegroups.com.
To unsubscribe from this group, send email to pwm-general...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pwm-general?hl=en.

[Jason Rivard]

On Thu, Apr 19, 2012 at 10:08 AM, Menno Pieters <menno....@gmail.com> wrote:

[snip]

Jason: does LdapChai handle referrals?

It just wraps JNDI, which supports referrals.  Not sure what JNDI options would require tweeking (if any) to make it work though.

My post about AD was perhaps a bit to brash, I'm no AD expert either.  If this sort of config can show up all users on a single ldap server thats all PWM cares about.  

A good test is to install something like Apache Directory Studio and point it at one of your AD servers, if it can see all your users, so will PWM.

[Perrin, David]

Thanks Menno and Jason, I’ll make time in the next few days to set this up and report back.

--

You received this message because you are subscribed to the Google Groups "pwm-general" group.

[sloe...@gmail.com]

On Thursday, April 19, 2012 10:04:47 AM UTC-5, dperrin wrote:
> Thanks Menno and Jason, I’ll make time in the next few days to set this up and report back.

Hello,

Did you ever get this to work? I am in the exact situation!

Thanks,

Stephen