UCM LDAP Integration with Multiple Forests

Unanswered Question
May 5th, 2010

I have a customer with 2 domains in 2 separate forests (a 2-way trust exists between the 2 domains). I have read through the UCM SRND and have not found anything on integration with more than one forest.

Based on what I read & past experience, I have come to the following conclusions:

  1. I can probably synchronize users from both domains without any issues (assuming there are not duplicate usernames).
  2. I will only be able to authenticate users for 1 of the 2 domains.

Has anyone come across this?

Any suggestions?

Thanks

Frank

fmarottactg Mon, 05/17/2010 - 14:00

Michael,

I am trying to run through this doc and I am getting the following error when trying to create the user-proxy object:

C:\Windows\ADAM>ldifde -i -s localhost:389 -c CN=Configuration,DC=X #Configurati
onNamingContext -f MS-UserProxy-Cisco.ldf -j c:\windows\adam\logs
Connecting to "localhost:389"
Logging in as current user using SSPI
Importing directory from file "MS-UserProxy-Cisco.ldf"
Loading entries.
Add error on entry starting on line 10: No Such Attribute
The server side error is: 0x57 The parameter is incorrect.
The extended server error is:
00000057: LdapErr: DSID-0C090C26, comment: Error in attribute conversion operati
on, data 0, v1772
0 entries modified successfully.
An error has occurred in the program

My ldf file is as follows:

#==================================================================
# @@UI-Description: AD LDS simple userProxy class.
#
# This file contains user extensions for default ADAM schema.
# It should be imported with the following command:
#   ldifde -i -f MS-UserProxy.ldf -s server:port -b username domain password -k -j . -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
#
#==================================================================

dn: CN=User-Proxy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: top
objectClass: classSchema
cn: User-Proxy
subClassOf: top
governsID: 1.2.840.113556.1.5.246
schemaIDGUID:: bxjWYLbzmEiwrWU1r8B2IA==
rDNAttID: cn
showInAdvancedViewOnly: TRUE
adminDisplayName: User-Proxy
adminDescription: Sample class for bind proxy implementation.
objectClassCategory: 1
lDAPDisplayName: userProxy
systemOnly: FALSE
possSuperiors: domainDNS
possSuperiors: organizationalUnit
possSuperiors: container
possSuperiors: organization
defaultSecurityDescriptor: D:(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)S:
defaultHidingValue: TRUE
defaultObjectCategory: CN=User-Proxy,CN=Schema,CN=Configuration,DC=X
systemAuxiliaryClass: msDS-BindProxy
systemMayContain: userPrincipalName
systemMayContain: givenName
systemMayContain: middleName
systemMayContain: sn
systemMayContain: manager
systemMayContain: department
systemMayContain: telephoneNumber
systemMayContain: mail
systemMayContain: title
systemMayContain: homephone
systemMayContain: mobile
systemMayContain: pager
systemMayContain: msDS-UserAccountDisabled
systemMayContain: samAccountName
systemMayContain: employeeNumber

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

If I comment out the "systemMayContain: samAccountName" line the import runs fine.


Any ideas?

Thanks

Frank
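
A pre-import check for the situation in the post above, as an added example that is not part of the original thread: it parses an LDIF schema file and reports which attributes a classSchema entry references that are absent from a list of attributes known to the target instance. The function names, the abbreviated sample file and the `KNOWN_ATTRIBUTES` list are assumptions constructed for illustration; in practice the list would be exported from the instance's schema partition.

```python
import re

def parse_ldif(text):
    """Return a list of entries; each maps a lowercase attribute name to its values."""
    # RFC 2849 folding: a line that starts with one space continues the previous line.
    text = re.sub(r"\r?\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", text):          # blank lines separate entries
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):      # skips comments and "-" separators
                entry.setdefault(name.strip().lower(), []).append(value.lstrip(":<").strip())
        if entry:
            entries.append(entry)
    return entries

def undefined_attributes(ldif_text, known_attributes):
    """Map each classSchema entry's cn to the attributes it references that are not known."""
    known = {a.lower() for a in known_attributes}     # LDAP attribute names are case-insensitive
    keys = ("systemmaycontain", "maycontain", "systemmustcontain", "mustcontain")
    missing = {}
    for entry in parse_ldif(ldif_text):
        if "classschema" not in [v.lower() for v in entry.get("objectclass", [])]:
            continue
        refs = [v for key in keys for v in entry.get(key, [])]
        absent = [a for a in refs if a.lower() not in known]
        if absent:
            missing[entry["cn"][0]] = absent
    return missing

# Constructed sample: abbreviated from the file in the post, with the folded line restored.
SAMPLE_LDF = """\
dn: CN=User-Proxy,CN=Schema,CN=Configuration,DC=X
objectClass: classSchema
cn: User-Proxy
defaultSecurityDescriptor:
 D:(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)S:
systemMayContain: mail
systemMayContain: samAccountName

dn:
add: schemaUpdateNow
schemaUpdateNow: 1
-
"""
# Constructed stand-in for the instance's attribute list (an assumption, not a real schema dump).
KNOWN_ATTRIBUTES = {"userPrincipalName", "mail", "employeeNumber", "givenName", "sn"}
print(undefined_attributes(SAMPLE_LDF, KNOWN_ATTRIBUTES))
```
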
