Multiples AD Connection - mappings

fmbiete · August 20, 2015, 9:29am

Hi,

I’m trying to connect multiples AD to a unique UCS instance. Assistant works great, but it leaves the synced objects (users, computers, groups…) inside the main containers.

Because I want to connect to multiples AD, I would like to separate them in containers. So if my ldap base is “dc=univention,dc=example,dc=com”

DC A -> [users,groups,computers],dc=a,dc=univention,dc=example,dc=com

I have changed it in /etc/univention/connector/mapping, but it doesn’t seems to make the trick.
What am I missing?

Thanks!!

Moritz_Bunkus · August 20, 2015, 10:27am

Hey,

unfortunately syncing different ADs to different containers inside the UCS is not supported by the AD connector yet. I know that the documentation seems to indicate differently, but we’ve had this problem with one of our customers, too, and during that process we contacted Univention. They confirmed that it hasn’t been implemented yet. There are bug reports open for it: 5407 (in German only) about the functionality itself and 38447 for the documentation.

fmbiete · August 20, 2015, 10:32am

Hi Moritz,

I intented to have one UCS setup syncing against multiple AD DC, but if every user will sync in the same location, will I have problems with already existing names? For example; Administrator account in each AD.
How did you workaround this limitation?

Regards,

Moritz_Bunkus · August 20, 2015, 10:53am

It’s even worse than simple name conflicts. If you use bi-directional sync then all users from AD1 will ultimately end up in AD2 and vice versa: a user from AD1 is synced to UCS, and in a second round that user is synced from UCS to AD2.

We couldn’t work around it, unfortunately, and had to pursue other ways of solving our initial problem for which we thought the AD connector might be a solution.