2 Replies Latest reply: Jan 29, 2013 5:25 PM by user602387

    AD Trust question for the OIM AD Connector

    user602387
      We have a scenario in which we are provisioning to one Active Directory (AD1) and there is a forest-forest trust with another AD forest (AD2). We would like to provision a user in AD2 (UserAD2) to a domain local group in AD1 (GroupAD1). Has anyone ever had to accomplish this with OIM 11GR1?

      In a Trust environment, UserAD2 will have an objectSID attribute that uniquely identifies that record. This objectSID value will be added into a ForeignSecurityPrincipals container in AD1. From that point forward, UserAD2 can be referenced by that entry for any domain local group in AD1. This is something that is natively handled by Active Directory when using ADUC (Active Directory Users and Computers).

      The question we are trying to answer for our solution is whether or not OIM can add the foreign user to a local AD group and leverage the built-in AD trust functionality in the same way ADUC does. Perhaps this is even a question as to whether or not the OIM Connector is just doing LDAP operations or is actually using ADSI…

      We are using OIM 11GR1, MSFT Connector version 9.1.1.5.0. Any help and insight would be much appreciated.
        • 1. Re: AD Trust question for the OIM AD Connector
          Rajiv Dewan
          Did you go through the AD Connector Guide:

          Enabling Reconciliation and Provisioning Operations Across Multiple Domains

          You can perform reconciliation and provisioning operations across domains. This means that, for example, you can assign a user in one domain to a group in another domain.
          • 2. Re: AD Trust question for the OIM AD Connector
            user602387
            Thanks Rajiv.

            I have taken a look at it and it does seem that it will work with a Domain-Domain trust within a forest, but I think the one thing that isn't clear to me right now is whether or not this will work with a Forest-Forest trust. There are quite a few references to the AD Global Catalog (GC) and how to configure OIM to leverage it. I have limited knowledge of the inner workings of AD, but it seemed to me that the Global Catalog was something specific to a single forest.

            I could be completely wrong about the GC though. If OIM can leverage the GC and the GC can allow OIM to reference objects (users specifically) that are stored external to the forest (though connected via Trust) then I believe that would suffice. Can anyone validate/confirm such a scenario or even point me to the right documentation?

            Edited by: user602387 on Jan 29, 2013 3:25 PM
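The objectSID / ForeignSecurityPrincipals mechanism described in the original question, shown as an added example that is not part of this thread and says nothing about what the OIM connector itself does: it decodes a binary objectSID into its S-1-5-... string, derives the FSP entry name AD1 would create for the foreign user, and checks a constructed snapshot of GroupAD1's member attribute for that entry, which is how an auditor can confirm a cross-forest membership offline. The base DN DC=ad1,DC=example, the SID values and the group snapshot are constructed for illustration.

```python
import struct

# Constructed sample: binary objectSID of UserAD2 as AD returns it
# (revision 1, five sub-authorities, NT authority 5, RID 1105).
USER_AD2_SID_BYTES = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1105)

AD1_BASE = "DC=ad1,DC=example"  # assumed base DN of the trusting forest AD1
FSP_CONTAINER = "CN=ForeignSecurityPrincipals," + AD1_BASE  # well-known container

def sid_to_string(sid: bytes) -> str:
    """Convert a binary objectSID to its S-R-I-S... string form.
    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x 32-bit
    little-endian sub-authorities."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def fsp_dn(sid_str: str) -> str:
    """AD names a foreign security principal by its SID string under the FSP container."""
    return "CN=%s,%s" % (sid_str, FSP_CONTAINER)

# Constructed snapshot of GroupAD1 as an LDAP search over AD1 would return it.
GROUP_AD1 = {
    "dn": "CN=GroupAD1,OU=Groups," + AD1_BASE,
    # groupType 0x80000004: DOMAIN_LOCAL (0x4) | SECURITY_ENABLED (0x80000000),
    # stored as a signed 32-bit integer in AD.
    "groupType": -2147483644,
    "member": [
        "CN=Local User,OU=Users," + AD1_BASE,
        fsp_dn("S-1-5-21-1111111111-2222222222-3333333333-1105"),
    ],
}

def is_domain_local(group) -> bool:
    """Only domain local groups may hold principals from a trusted forest via FSPs."""
    return bool(group["groupType"] & 0x4)

def foreign_members(group) -> list:
    """SID strings of members that are FSP entries rather than native AD1 objects."""
    suffix = "," + FSP_CONTAINER
    return [m[len("CN="):-len(suffix)] for m in group["member"] if m.endswith(suffix)]

def has_foreign_member(group, sid: bytes) -> bool:
    """True if the principal with this objectSID is a member through its FSP entry."""
    return is_domain_local(group) and fsp_dn(sid_to_string(sid)) in group["member"]
```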