Handle A Multi-Domain Active Directory

The Active Directory Connector for ACLs indexes Access Control List (ACL) information into a configured "sidecar" Solr collection, so that other connectors can use it.

For applications involving multi-domain Active Directory, you need one LDAP data source per domain. Here is an example of a multi-domain Active Directory:

| Domain | Type |
|---|---|
| lucidworks.com | parent domain |
| na.lucidworks.com | child domain |
| can.lucidworks.com | child domain |
| sa.lucidworks.com | child domain |

In this example, you must have several data sources:

ldap://na.lucidworks.com
Base DN: DC=na,DC=lucidworks,DC=com

ldap://can.lucidworks.com
Base DN: DC=can,DC=lucidworks,DC=com

ldap://sa.lucidworks.com
Base DN: DC=sa,DC=lucidworks,DC=com

Note that pointing a single LDAP ACL data source at the Active Directory Global Catalog does not work, because the Global Catalog does not replicate the memberOf attribute of person objects. Doing so results in users not being able to see the expected documents.

However, you may be able to set up Active Directory to replicate that attribute. This would allow you to use a single global catalog for your entire Active Directory forest, if desired.
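The following Python check is an added example, not part of the connector or its documentation. It derives the per-domain LDAP URL and Base DN from the domain names above and lints a set of data sources for the Global Catalog mistake described here. The function names and dictionary keys are hypothetical, the sample configurations are constructed, and 3268/3269 are the standard Global Catalog ports.

```python
from urllib.parse import urlsplit

GC_PORTS = {3268, 3269}  # standard Global Catalog ports (LDAP / LDAPS)

def base_dn(domain):
    """na.lucidworks.com -> DC=na,DC=lucidworks,DC=com"""
    return ",".join(f"DC={label}" for label in domain.strip(".").split("."))

def plan_datasources(domains):
    """Build one LDAP data source per domain, as the page requires."""
    return [{"url": f"ldap://{d}", "base_dn": base_dn(d)} for d in domains]

def lint_datasources(domains, datasources):
    """Return a list of problems found in the configured data sources."""
    problems, covered = [], set()
    for ds in datasources:
        parts = urlsplit(ds["url"])
        host = (parts.hostname or "").lower()
        if parts.port in GC_PORTS:
            problems.append(f"{ds['url']}: Global Catalog port, "
                            "memberOf is not replicated there")
            continue
        # The host may be the domain name itself or a domain controller in it;
        # try the longest domain first so a child wins over its parent.
        domain = next((d for d in sorted(domains, key=len, reverse=True)
                       if host == d or host.endswith("." + d)), None)
        if domain is None:
            problems.append(f"{ds['url']}: host is not in any listed domain")
        elif ds["base_dn"].lower() != base_dn(domain).lower():
            problems.append(f"{ds['url']}: Base DN should be {base_dn(domain)}")
        else:
            covered.add(domain)
    problems += [f"{d}: no data source" for d in domains if d not in covered]
    return problems

# Constructed sample input: the three domains the page sets up data sources for.
DOMAINS = ["na.lucidworks.com", "can.lucidworks.com", "sa.lucidworks.com"]
# Constructed misconfiguration: one data source aimed at the Global Catalog.
SINGLE_GC = [{"url": "ldap://lucidworks.com:3268", "base_dn": "DC=lucidworks,DC=com"}]

if __name__ == "__main__":
    for ds in plan_datasources(DOMAINS):
        print(ds["url"], "| Base DN:", ds["base_dn"])
    for problem in lint_datasources(DOMAINS, SINGLE_GC):
        print("PROBLEM:", problem)
```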