Handle a Multi-Domain Active Directory
The Active Directory Connector for ACLs indexes Access Control List (ACL) information into a configured "sidecar" Solr collection, so that it can be used by other connectors.
For applications involving multi-domain Active Directory, you need one LDAP data source per domain. Here is an example of a multi-domain Active Directory:
Domain | Type
---|---
lucidworks.com | parent domain
na.lucidworks.com | child domain
can.lucidworks.com | child domain
sa.lucidworks.com | child domain
In this example, you must have several data sources, one per child domain:

- ldap://na.lucidworks.com with Base DN: DC=na,DC=lucidworks,DC=com
- ldap://can.lucidworks.com with Base DN: DC=can,DC=lucidworks,DC=com
- ldap://sa.lucidworks.com with Base DN: DC=sa,DC=lucidworks,DC=com
Note that querying the Active Directory Global Catalog in order to use a single LDAP ACL data source does not work, because the global catalog does not replicate the memberOf attribute of person objects. Doing so results in users being unable to see the documents they are expected to see.

However, you may be able to configure Active Directory to replicate that attribute to the global catalog. This would allow you to use a single global catalog data source for your entire Active Directory forest, if desired.
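The following added example (not part of this page or of the connector) generates the per-domain data source list described above and checks a configured data source for the two mistakes this page warns about: a base DN that does not belong to the host's domain, and a URL that points at the Global Catalog, whose standard LDAP ports 3268 and 3269 are assumed here since the page does not name them.

```python
from urllib.parse import urlparse

# Constructed example forest matching the page: three child domains of lucidworks.com.
FOREST_DOMAINS = ["na.lucidworks.com", "can.lucidworks.com", "sa.lucidworks.com"]

# Standard Global Catalog LDAP/LDAPS ports (assumed; not given on the page). The GC does
# not replicate memberOf on person objects, so an ACL data source pointed here loses
# group membership and users stop seeing documents they should see.
GLOBAL_CATALOG_PORTS = {3268, 3269}


def base_dn_for(domain: str) -> str:
    """DNS domain -> default naming context, e.g. na.lucidworks.com -> DC=na,DC=lucidworks,DC=com."""
    labels = [label for label in domain.lower().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def domain_from_base_dn(base_dn: str) -> str:
    """Inverse of base_dn_for: DC=na,DC=lucidworks,DC=com -> na.lucidworks.com."""
    labels = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() != "dc" or not value:
            raise ValueError(f"not a pure DC base DN: {base_dn!r}")
        labels.append(value.lower())
    return ".".join(labels)


def data_sources_for(domains):
    """One LDAP ACL data source per domain, as a multi-domain forest requires."""
    return [{"url": f"ldap://{d}", "base_dn": base_dn_for(d)} for d in domains]


def check_data_source(ds: dict) -> list:
    """Return the problems found in one configured data source (empty list means OK)."""
    problems = []
    parsed = urlparse(ds["url"])
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("ldap", "ldaps"):
        problems.append(f"unexpected scheme {parsed.scheme!r}")
    if parsed.port in GLOBAL_CATALOG_PORTS:
        problems.append("URL uses a Global Catalog port; memberOf is not replicated there")
    domain = domain_from_base_dn(ds["base_dn"])
    # The host must be the domain itself or a domain controller inside that domain.
    if host != domain and not host.endswith("." + domain):
        problems.append(f"host {host!r} is not in the domain of base DN {ds['base_dn']!r}")
    return problems
```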