In a complex organization, whose directory structure consists of several child domains in a forest, it may be necessary to manage user or device groups from this structure in PAM.
At times it may also be advisable to have users log in to PAM using the root domain instead of having to specify the subdomain in each case. To achieve this easily, a customer may have created a group in the root of the forest containing users from different domains.
According to the documentation:
How to Configure Active Directory for User Authentication
this is possible, but even when these recommendations are followed, there are situations where it does not work. Browsing in the LDAP browser is possible, and group membership is visible, but importing throws an error:
LDAP member CN=<User Name>,OU=Computers,OU=YY, OU=ZZ, DC=<Subdomain>, DC=example, DC=com not found in domain.
even if the user is present in a group on example.com.
How can I make sure that PAM groups containing users from different domains in the forest are imported successfully?
CA PAM all versions
You need to make sure that the LDAP port configured in Configuration/3rd Party in PAM points to port 3268 (unsecure) or port 3269 (secure), which are the Global Catalog ports for the forest. Pointing LDAP to the standard LDAP ports, 389 or 636, will result in objects being visible in the browser but failing to import.
It is worth noting that when the port is correctly configured, the different subdirectories in the forest are visible in the LDAP browser. If we are pointing to port 389 or 636, these will not be visible in the LDAP browser, even though it will be possible to navigate to them and even to see the different devices in the groups containing multi-domain objects.
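The port behaviour described above can be checked before an import. The following Python example is added here and is not part of the original article or of PAM. It assumes a simplified model in which a server queried on 389/636 resolves only objects in its own domain while 3268/3269 resolve the whole forest; the subdomain names emea and apac, the member names and the function names are constructed for illustration.

```python
GC_PORTS = {3268, 3269}      # Global Catalog: partial replica of every domain in the forest
DOMAIN_PORTS = {389, 636}    # standard LDAP/LDAPS: only the server's own domain partition

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def domain_of(dn):
    """Build the DNS domain name from the DC= components of a DN."""
    dcs = [r.split("=", 1)[1].strip() for r in split_dn(dn)
           if r.upper().startswith("DC=")]
    return ".".join(dcs).lower()

def unresolvable_members(port, server_domain, member_dns):
    """Return the member DNs a lookup on this port cannot resolve (simplified model)."""
    if port in GC_PORTS:
        return []
    if port not in DOMAIN_PORTS:
        raise ValueError(f"unexpected LDAP port {port}")
    return [dn for dn in member_dns if domain_of(dn) != server_domain.lower()]

# Constructed sample: members of a group created in the forest root example.com.
MEMBERS = [
    "CN=Alice Admin,OU=Users,DC=example,DC=com",
    "CN=Doe\\, John,OU=Computers,OU=YY, OU=ZZ, DC=emea, DC=example, DC=com",
    "CN=srv01,OU=Servers,DC=apac,DC=example,DC=com",
]

if __name__ == "__main__":
    for port in (389, 636, 3268, 3269):
        missing = unresolvable_members(port, "example.com", MEMBERS)
        print(port, "->", len(missing), "member(s) not found in domain")
        for dn in missing:
            print("   ", dn)
```

Members listed for 389 or 636 are the ones that would produce the "not found in domain" error on import; the list is empty for the Global Catalog ports.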