
October 2008 Archives

October 6, 2008

Simplifying Access to Multiple Active Directory Domains

We got a question from a customer via our comments:

We are looking to deploy OVD and the AD connector in our environment. Our environment contains several domains with various levels of trusts. We are looking for best practices on this type of deployment. Currently we have deployed OAM/OID and OIM.

This is a common deployment scenario: the customer has multiple LDAP directories (in this case, several Active Directory domains). The simplest approach is to define a common root such as "dc=mydomain,dc=com" and then create one LDAP adapter per domain. Each adapter is exposed as a branch beneath that root. For example, if you have one domain for HQ, one for Finance and one for Engineering, you could configure OVD so that each appears as a "virtual" child: "ou=hq,dc=mydomain,dc=com", "ou=finance,dc=mydomain,dc=com" and "ou=engineering,dc=mydomain,dc=com". Each adapter is mapped to the appropriate remote branch, and OVD takes care of translating the directory names (Distinguished Names) between the virtual namespace and each remote domain.

Then, when configuring applications that use LDAP for authentication and authorization, set their search base to "dc=mydomain,dc=com". Once this is done, the application can authenticate any user found in any of those domains, regardless of the trust relationships between them. This is because domain trusts don't apply to LDAP operations (they are a relationship mechanism used by Kerberos); each adapter talks to its own domain directly.
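To make the DN translation and the fan-out search concrete, here is a small model of the setup described above. It is an added illustration, not Oracle Virtual Directory code: the common root and the three "ou=..." branches come from the text, while the remote base DNs ("dc=hq,dc=corp,dc=local" and so on), the user entries and their passwords are constructed for the example. An application searching at the common root finds users from any branch and binds with the virtual DN; the model rewrites that DN to the owning domain's namespace before checking it.

```python
"""Toy model of a virtual directory that exposes several Active Directory
domains as branches of one common root. Illustration only: this is not
Oracle Virtual Directory's code, and all remote domain names, entries and
passwords below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional, Tuple

COMMON_ROOT = "dc=mydomain,dc=com"


@dataclass(frozen=True)
class Adapter:
    name: str
    virtual_base: str  # branch shown to applications under COMMON_ROOT
    remote_base: str   # real base DN in the backend domain (assumed value)


ADAPTERS = [
    Adapter("hq", "ou=hq,dc=mydomain,dc=com", "dc=hq,dc=corp,dc=local"),
    Adapter("finance", "ou=finance,dc=mydomain,dc=com", "dc=finance,dc=corp,dc=local"),
    Adapter("engineering", "ou=engineering,dc=mydomain,dc=com", "dc=eng,dc=corp,dc=local"),
]

# Constructed backend contents, keyed by adapter name. A real adapter would
# query its domain controller over LDAP; here each domain is a list of entries.
BACKENDS = {
    "hq": [{"dn": "cn=Alice Adams,ou=Users,dc=hq,dc=corp,dc=local",
            "sAMAccountName": "alice", "password": "hq-sample-1"}],
    "finance": [{"dn": "cn=Bob Brown,ou=Staff,dc=finance,dc=corp,dc=local",
                 "sAMAccountName": "bob", "password": "fin-sample-2"}],
    "engineering": [{"dn": "cn=Carol Chen,ou=Dev,dc=eng,dc=corp,dc=local",
                     "sAMAccountName": "carol", "password": "eng-sample-3"}],
}


def norm_dn(dn: str) -> str:
    """Canonicalise a DN for suffix comparison: trim around commas, lowercase."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def under(dn: str, base: str) -> bool:
    """True if dn equals base or lies somewhere beneath it."""
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)


def adapter_for(virtual_dn: str) -> Optional[Adapter]:
    """Pick the adapter whose virtual branch contains the DN (longest suffix wins)."""
    matches = [a for a in ADAPTERS if under(virtual_dn, a.virtual_base)]
    return max(matches, key=lambda a: len(norm_dn(a.virtual_base)), default=None)


def rebase(dn: str, old_base: str, new_base: str) -> str:
    """Swap the suffix old_base for new_base, keeping the relative RDNs intact."""
    dn, old_base = norm_dn(dn), norm_dn(old_base)
    if not under(dn, old_base):
        raise ValueError(f"{dn} is not under {old_base}")
    rel = dn[: len(dn) - len(old_base)]  # "" or "cn=...,ou=...," (trailing comma)
    return rel + norm_dn(new_base)


def to_remote_dn(virtual_dn: str) -> Tuple[str, str]:
    """Virtual DN -> (adapter name, DN as the backend domain knows it)."""
    adapter = adapter_for(virtual_dn)
    if adapter is None:
        raise ValueError(f"no adapter serves {virtual_dn}")
    return adapter.name, rebase(virtual_dn, adapter.virtual_base, adapter.remote_base)


def to_virtual_dn(adapter: Adapter, remote_dn: str) -> str:
    """Backend DN -> DN under the common root, as returned to applications."""
    return rebase(remote_dn, adapter.remote_base, adapter.virtual_base)


def find_user(search_base: str, sam_account_name: str) -> Optional[str]:
    """Search as an application would. At the common root the query fans out to
    every adapter; below a branch it is scoped to that adapter only. Results
    carry virtual DNs, so the application never sees the backend namespaces."""
    if norm_dn(search_base) == norm_dn(COMMON_ROOT):
        targets = [(a, a.remote_base) for a in ADAPTERS]
    else:
        adapter = adapter_for(search_base)
        if adapter is None:
            return None
        targets = [(adapter, rebase(search_base, adapter.virtual_base, adapter.remote_base))]
    for adapter, remote_scope in targets:
        for entry in BACKENDS[adapter.name]:
            if (under(entry["dn"], remote_scope)
                    and entry["sAMAccountName"].lower() == sam_account_name.lower()):
                return to_virtual_dn(adapter, entry["dn"])
    return None


def bind(virtual_dn: str, password: str) -> bool:
    """Simple bind: translate the virtual DN and verify it against the owning
    domain only. No trust between domains is needed for this to work."""
    name, remote_dn = to_remote_dn(virtual_dn)
    for entry in BACKENDS[name]:
        if norm_dn(entry["dn"]) == remote_dn:
            return entry["password"] == password
    return False


if __name__ == "__main__":
    user_dn = find_user(COMMON_ROOT, "bob")
    print(user_dn)                 # virtual DN under ou=finance,dc=mydomain,dc=com
    print(to_remote_dn(user_dn))   # ('finance', '...dc=finance,dc=corp,dc=local')
    print(bind(user_dn, "fin-sample-2"), bind(user_dn, "wrong"))
```

The scoping in `find_user` is the part worth noting from a security standpoint: an application whose search base is one branch cannot see (or authenticate) users from the other domains, while one configured at the common root can see all of them, so the search base an application is given is effectively an authorization boundary.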

More information on configuring this kind of setup can be found on the OVD-OAM Oracle By Example.

Thank you for the question and let us know if you need any further clarification.

About October 2008

This page contains all entries posted to Oracle Directory Services Stories in October 2008. They are listed from oldest to newest.
