Hello Team,
When adding multiple Active Directories into the System Center > System Settings > LDAP , the DataMiner help mentions:
- In case DataMiner is required to directly access multiple domain controllers, you will need to change your DataMiner System configuration via System Center > System settings > LDAP, and provide the system with the correct LDAP (AD) information for each LDAP (AD) connection.
More detailed info on this can also be found in the DataMiner help pages available on any DataMiner Agent under the section Advanced security configuration > Configuring LDAP settings.
https://docs.dataminer.services/user-guide/Advanced_Functionality/Security/Advanced_security_configuration/Configuring_LDAP_settings.html
I was wondering if there was an example for how this should look for the following: three separate domains in the same forest (we’ll call them XXX, YYY and ZZZ).
I just tested LDAP with a group as they are in the YYY domain.
I added the security group as a local group with the domain attached. Added admin permissions and access to all views. Tested logging in with two separate users that were both part of the security group and neither could log in.
I tested removing the ZZZ portion from the naming context just for fun, currently set as DC='111',DC='222', and it took about 15 minutes to pull up a list of security groups.
When adding an existing group is selected no groups pop up so I am assuming the current configuration is not working.
Thanks in advance!
Dear Dojo community,
we have a setup of two domains with individual forests. There is a trust relationship between the two forests. We are able to connect DataMiner to both domains individually and import users and groups as required. The target is to use only a connection to domain B and be able to import and authenticate users and groups from domain A.
In domain B there are nested groups configured, that include groups and users from both forests.
- When we import a nested group from domain B, that includes users from domain B only we see all of them in the users in DataMiner.
- When we import a nested group from domain B, that includes users from domain B and users from domain A we see only the users of domain B in the users in DataMiner. Users from domain A are not resolved and thus cannot login to the DMS.
On the DMA on Windows Server level both groups and the users included are available and can be used for logon and permission management. Here we also see, that domain B users are of type "User" and domain A users are of type "ForeignSecurityPrincipal" with a UID (-> referrals to domain A). DataMiner seem to behave differently. Does DataMiner recognize "ForeignSecurityPrincipals" as users and resolve them via referrals by default?
We already played around with the "referral=true/false" and different LDAP queries, that include foreign security principals as well, and tested the configuration as per the last comment in this thread, but did never reach state, where users from domain A became available through domain B.
Can you help with this or at least clarify if such a target shoudl be possible to reach with DM?
Hi Wouter.
Many thanks for your furtehr feedback. We have implemented a workaroudn now, where AD ressources are defined in domain A and AD roles with the user accounts in domain B. We imported the AD roles as DataMiner user groups now. This provides the intended funcionality.
Hi André,
Just wanted to note that the original question and answers are about multiple domains in the same forest.
Looks like you are talking about 2 different forests.
I’m not sure if this is supported.