ADDM: Can you configure LDAP to authorize users from multiple domains, or all users from the root domain?

Version 2

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC Discovery


    COMPONENT:

    BMC Atrium Discovery and Dependency Mapping


    APPLIES TO:

    BMC Atrium Discovery and Dependency Mapping



    QUESTION:

    1. We have an appliance that requires access from users in multiple domains. We are using LDAP authentication and group mapping. If we define an appliance LDAP configuration for the domain, users in that domain can access the appliance but users from other domains cannot access it. Should we be able to configure LDAP such that users from multiple domains are able to access the appliance? Is there a way to configure multiple search bases and templates?

    2. We have a root domain which does not seem to allow users to log in but we are successful when we use the specific "dc" domain naming conventions for one of our domains. We had anticipated that using the root domain as the Search Base option would allow all child domain members to be located and authenticated.
     


    ANSWER:

     

    Legacy ID: KA417328

      

    1. Unfortunately, you can only have one LDAP configuration. The only option is to somehow persuade the AD/LDAP backend to interpret the search query so that it covers multiple domains. An enhancement request has been submitted in the IDEAS forum: see https://communities.bmc.com/ideas/7800

    2. It depends on what exactly you mean by root domain, and on how the directory service that you are connected to is structured. In this case, it seems that the LDAP server does not know about anything higher up in the tree that works as a search base. For example, you might have two directory services configured with structures under:

    a: dc=Prod,dc=acme,dc=com

    b: dc=Dev,dc=acme,dc=com

    Just because they have "dc=acme,dc=com" in common doesn't mean that server b can find the Prod structure if it is given a search base higher than dc=Dev,dc=acme,dc=com. In this scenario, there is simply *nothing* above dc=Prod,dc=acme,dc=com on a or above dc=Dev,dc=acme,dc=com on b.
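
The scenario above can be checked against each server's rootDSE `namingContexts` attribute, which lists the subtrees the server actually holds. The following is an added example, not BMC code: it assumes servers a and b each advertise only their own domain as a naming context (constructed values) and tests whether a proposed Search Base falls at or below one of them.

```python
# Why a "root" search base can fail: the base must sit at or below a naming
# context the server actually holds. Real values come from the rootDSE, e.g.
#   ldapsearch -x -H ldap://<server> -s base -b "" namingContexts
# The contexts below are constructed from the article's two-server scenario.
SERVERS = {
    "a": ["dc=Prod,dc=acme,dc=com"],
    "b": ["dc=Dev,dc=acme,dc=com"],
}

def split_dn(dn):
    """Split a DN into normalised (attribute, value) RDNs; '\\,' stays in a value."""
    if not dn.strip():
        return []
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    # Lower-casing is a simplification that is valid for case-insensitive dc/ou values.
    return [tuple(s.strip().lower() for s in p.partition("=")[::2]) for p in parts]

def covering_context(search_base, naming_contexts):
    """Return the naming context that contains search_base, or None."""
    base = split_dn(search_base)
    for ctx in naming_contexts:
        suffix = split_dn(ctx)
        if suffix and len(base) >= len(suffix) and base[-len(suffix):] == suffix:
            return ctx
    return None

def usable_servers(search_base, servers=SERVERS):
    """Map each server name to the context serving search_base (None = not held)."""
    return {name: covering_context(search_base, ctxs) for name, ctxs in servers.items()}

if __name__ == "__main__":
    for base in ("dc=acme,dc=com", "dc=Dev,dc=acme,dc=com", "ou=Users,DC=prod,DC=acme,DC=com"):
        print(base, "->", usable_servers(base))
```

A result of `None` for every server, as with `dc=acme,dc=com` here, means no configured directory holds that base, so a single LDAP configuration pointed at it will find no users.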

     


    Article Number:

    000012695


    Article Type:

    FAQ/Procedural


