Hi folks,
I'm currently facing a nice challenge: synchronize universal groups in
one domain which has users belonging to another domain.

I guess this is a pretty common scenario, but I couldn't figure out how
to deal with it. I've already checked the official documentation and the
forums too, but the only thing that I came up with was to configure global
groups in each domain, add the local users to those global groups, and
finally add the global groups to the universal groups in the other
domain. This is a nice approach, but I would like to find an alternative
through the AD driver.

My current configuration follows:
- IDM 4.0.1 advanced.
- 2 AD drivers configured, one for each domain, version 3.5.14.

As for global groups, the AD drivers are working fine: they
synchronize members correctly. When it comes to universal users, I've
found that the driver removes every member that is not associated with
the current driver.

Here follows an example. I've added a user 'Cero Tres Test' to the group
'CALIFPT0'. The group happens to be in the 'DC=caba,DC=bp,DC=test' domain,
but the user belongs to the 'DC=bsas,DC=bp,DC=test' domain. The driver that
catches the event is the one that is connected to the
'DC=caba,DC=bp,DC=test' domain. You can see in the log how the schema
mapping policy removes every member that is not associated with the
current driver.

[03/08/2013 10:20:15.158] AD-CABA PT:
<nds dtdversion="2.2">
<product version="">DirXML</product>
<contact>Novell, Inc.</contact>
<modify class-name="group" event-id="0"
src-dn="CN=CALIFPT0,OU=Intranet,DC=caba,DC=bp,DC=test" >
<modify-attr attr-name="member">
<value association-ref="3c26122a73530343af62369a0af5ebcc"
naming="false" type="dn">CN=Mariano
Cameroni,OU=Usuarios,OU=6010,DC=caba,DC=bp,DC=test </value>
<value association-ref="ba00c8c9ef442e43bf56d4f234906ff1"
naming="false" type="dn">CN=Cero Tres
Test,OU=Usuarios,OU=5012,OU=Sucursales,OU=5073,DC=bsas,DC=bp,DC=test</value>
[03/08/2013 10:20:15.160] AD-CABA PT:Applying schema mapping policies to
[03/08/2013 10:20:15.161] AD-CABA PT:Applying policy: NOVLADDCFG-smp.
[03/08/2013 10:20:15.161] AD-CABA PT: Mapping class-name 'group' to
[03/08/2013 10:20:15.161] AD-CABA PT: Mapping attr-name 'member' to
[03/08/2013 10:20:15.162] AD-CABA PT:Resolving association references.
[03/08/2013 10:20:15.165] AD-CABA PT:
DirXML Log Event -------------------
Driver: \BPBA_TREE\bpba\services\DriverSet\AD CABA
Channel: Publisher
Status: Warning
Message: Code(-8003) Unable to synchronize reference to CN=Cero
Test,OU=Usuarios,OU=5012,OU=Sucursales,OU=5073,DC=bsas,DC=bp,DC=test
from attribute Member.
[03/08/2013 10:20:15.181] AD-CABA PT:Applying event transformation
[03/08/2013 10:20:15.181] AD-CABA PT:Applying policy:
[03/08/2013 10:20:15.182] AD-CABA PT: Applying to modify #1.
[03/08/2013 10:20:15.183] AD-CABA PT: Evaluating selection criteria
for rule 'Disallow user account delete when using entitlements'.
[03/08/2013 10:20:15.183] AD-CABA PT: (if-operation equal "delete")
[03/08/2013 10:20:15.183] AD-CABA PT: Rule rejected.
[03/08/2013 10:20:15.184] AD-CABA PT: Evaluating selection criteria
for rule 'Strip Login Disabled from operation (Disable Option)'.
[03/08/2013 10:20:15.185] AD-CABA PT: (if-global-variable
'drv.entitlement.UserAccount' equal "true") = FALSE.
[03/08/2013 10:20:15.185] AD-CABA PT: Rule rejected.
[03/08/2013 10:20:15.185] AD-CABA PT:Policy returned:
[03/08/2013 10:20:15.185] AD-CABA PT:
<nds dtdversion="2.2">
<product version="">DirXML</product>
<contact>Novell, Inc.</contact>
<modify class-name="Group" event-id="0"
src-dn="CN=CALIFPT0,OU=Intranet,DC=caba,DC=bp,DC=test" >
<modify-attr attr-name="Member">
<value naming="false"
type="dn">\BPBA_TREE\bpba\users\caba\6010\Usuarios\P021833</value>

I've tried to fool the driver's associations by manually adding a new
value to the DirXML-Associations attribute in the user object back in
eDir, which seems the natural way for the driver to recognize the member
as an already associated object. That would be the simplest workaround,
but we can have a second user object created in the same domain as the
universal group, and the driver won't cope with it as it is already
associated. For example, the user 'Cero Tres Test' would already be
present in the 'DC=bsas,DC=bp,DC=test' domain and associated with its
corresponding driver, but the AD administrator might want to 'move' this
user to the 'DC=caba,DC=bp,DC=test' domain by first creating a new user
in the second domain and then disabling the original user. Of course,
when the new user is created, the second AD driver (for the
'DC=caba,DC=bp,DC=test' domain) would try to match the new user with the
existing (and tweaked) user, and shout an 'object already associated'

I've already inspected Geoffrey Carman's 'Managing multiple Active
Directory domains in one IDM system' articles, but I don't get to the
point where his configuration takes care of managing universal groups
and members from other domains.

I dropped the first stone, hope you people can enlighten me.

Thanks in advance.

egmarin's Profile: https://forums.netiq.com/member.php?userid=3653
View this thread: https://forums.netiq.com/showthread.php?t=47042
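The following is an added example, not code from the post above or from NetIQ/Novell. It takes the publisher-channel `<modify>` event exactly as the trace shows it (copied here as a constructed sample, with the closing tags the forum excerpt cut off added so it parses) and, for each dn-typed `member` value, compares the DN's trailing `DC=` components with the naming context of the driver that caught the event. Members whose domain differs from the driver's own are reported as the ones this driver cannot resolve to an association of its own, which is the case the `Code(-8003) Unable to synchronize reference` warning in the trace corresponds to. The `DRIVERS` mapping of driver name to domain naming context is hypothetical, and the check models only the DN-suffix test, not the driver's real association lookup against eDirectory.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <modify> event from the trace in the post, with the
# closing tags that the excerpt cut off added so that it parses.
SAMPLE_EVENT = """<nds dtdversion="2.2">
<product version="">DirXML</product>
<contact>Novell, Inc.</contact>
<modify class-name="group" event-id="0"
src-dn="CN=CALIFPT0,OU=Intranet,DC=caba,DC=bp,DC=test">
<modify-attr attr-name="member">
<value association-ref="3c26122a73530343af62369a0af5ebcc" naming="false"
type="dn">CN=Mariano
Cameroni,OU=Usuarios,OU=6010,DC=caba,DC=bp,DC=test</value>
<value association-ref="ba00c8c9ef442e43bf56d4f234906ff1" naming="false"
type="dn">CN=Cero Tres
Test,OU=Usuarios,OU=5012,OU=Sucursales,OU=5073,DC= bsas,DC=bp,DC=test</value>
</modify-attr>
</modify>
</nds>
"""

# Hypothetical mapping: driver name -> domain naming context it is connected to.
DRIVERS = {
    "AD CABA": "DC=caba,DC=bp,DC=test",
    "AD BSAS": "DC=bsas,DC=bp,DC=test",
}


def split_dn(dn):
    """Split an LDAP DN into its RDN strings, honouring backslash escapes:
    a comma preceded by a backslash is part of the value, not a separator."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def domain_of(dn):
    """Return the domain naming context of a DN (its trailing DC= components),
    normalised to lower case with stray whitespace removed, so that
    'DC= bsas,DC=bp,DC=test' and 'dc=bsas,dc=bp,dc=test' compare equal."""
    dcs = []
    for rdn in reversed(split_dn(dn)):
        key, _, val = rdn.partition("=")
        if key.strip().lower() != "dc":
            break
        dcs.append("dc=" + val.strip().lower())
    return ",".join(reversed(dcs))


def classify_members(event_xml, driver_name, drivers=DRIVERS):
    """Parse a publisher-channel <modify> event and sort each dn-typed member
    value into 'kept' (same domain as driver_name) or 'dropped' (another
    domain, which this driver has no association for). Each entry records
    which configured driver, if any, owns the member's domain."""
    root = ET.fromstring(event_xml)
    own = domain_of(drivers[driver_name])
    report = {"kept": [], "dropped": []}
    for modify in root.iter("modify"):
        for attr in modify.findall("modify-attr"):
            if (attr.get("attr-name") or "").lower() != "member":
                continue
            for value in attr.findall("value"):
                if value.get("type") != "dn" or not value.text:
                    continue
                member = " ".join(value.text.split())  # undo trace line wrapping
                dom = domain_of(member)
                owner = next((n for n, d in drivers.items() if domain_of(d) == dom), None)
                entry = {"dn": member, "domain": dom, "owner": owner}
                (report["kept"] if dom == own else report["dropped"]).append(entry)
    return report


if __name__ == "__main__":
    result = classify_members(SAMPLE_EVENT, "AD CABA")
    for e in result["kept"]:
        print("kept by AD CABA:    %s" % e["dn"])
    for e in result["dropped"]:
        print("dropped by AD CABA: %s (domain owned by driver %s)" % (e["dn"], e["owner"]))
```

Run against the sample, the first member ('Mariano Cameroni', in caba) is kept and the second ('Cero Tres Test', in bsas) is reported as dropped with `AD BSAS` as the owning driver, which is the same split the trace shows before and after the schema mapping policy. Running the same event through `classify_members(..., "AD BSAS")` inverts the result, which makes the point that neither driver alone can write the whole membership of a universal group that spans both domains.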