Description
Hi,
First of all thanks for this great tool and superb documentation. As a database specialist I have no knowledge of Active Directory/LDAP, YAML or Python, but thanks to your documentation I was able to setup a successful synchronization from AD to PostgreSQL.
However, now I run into an issue I can't find a solution for:
We have multiple synchronized Active Directories, at least one in EMEA and one in the US. Perhaps more, but I'm only aware of those two. We also have multiple sub-domains for (at least) EMEA and the US.
Hence, we have these two:
- DC=amer,DC=OurCompany,DC=com
- DC=emea,DC=OurCompany,DC=com
When I configure ldap2pg to log in to the EMEA AD server and configure a PostgreSQL synchronization for a group in the AMER domain, I get this error in the verbose=debug output:
[ldap2pg.script CRITI] Failed to query LDAP: {'info': u'Referral:\nldap://amer.OurCompany.com/OU=AWS,OU=Global,DC=amer,DC=OurCompany,DC=com', 'msgid': 4, 'msgtype': 101, 'result': 10, 'desc': u'Referral', 'ctrls': []}.
So, I dug a bit deeper using ldapsearch:
When I use ldapsearch to log in to the EMEA AD/LDAP server and search for a group in the AMER domain, I get only this result:
# search result
search: 2
result: 10 Referral
Plus a link to the other AD server. But no group member details.
Doing it the other way around, I get the same results. Hence I can only get group members for groups of the domain that matches the AD server's domain. I searched around a bit on the net and this seems like a pretty normal situation in the AD world: not duplicating the whole tree, but referring to the other server for details.
I need to be able to sync from both of these domains, how can I configure ldap2pg to search in both?
Thanks!
Arjan
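A way to recognise the referral result quoted in the issue and work out which domain controller actually holds the requested subtree, as an added example (not ldap2pg's own code; the `servers` map of DNS domain to server URL is a hypothetical configuration, and the sample result dict is copied from the error above):

```python
# Added example, not part of ldap2pg: parse an LDAP "referral" result (result
# code 10) and route the search base to the server that owns its DC= suffix.
import re
from urllib.parse import urlsplit, unquote

LDAP_REFERRAL = 10  # LDAP resultCode "referral" (RFC 4511)

# Constructed sample, taken from the python-ldap error dict in the issue text.
REFERRAL_RESULT = {
    'info': u'Referral:\nldap://amer.OurCompany.com/OU=AWS,OU=Global,DC=amer,DC=OurCompany,DC=com',
    'msgid': 4, 'msgtype': 101, 'result': 10, 'desc': u'Referral', 'ctrls': [],
}

# Hypothetical configuration: one server URL per AD domain in the forest.
SERVERS = {
    'amer.ourcompany.com': 'ldap://amer.OurCompany.com',
    'emea.ourcompany.com': 'ldap://emea.OurCompany.com',
}


def parse_referrals(result):
    """Return [(host, base_dn), ...] for a referral result dict, else []."""
    if result.get('result') != LDAP_REFERRAL:
        return []
    refs = []
    for url in re.findall(r'ldaps?://\S+', result.get('info', '')):
        parts = urlsplit(url)
        # In an LDAP URL (RFC 4516) the path component is "/<base DN>".
        refs.append((parts.hostname, unquote(parts.path.lstrip('/'))))
    return refs


def domain_of(dn):
    """Derive the DNS domain from the DC= components of a DN.

    Simple split on ','; DN values containing escaped commas are not handled.
    """
    rdns = (rdn.split('=', 1) for rdn in dn.split(','))
    dcs = [v.strip() for k, v in rdns if k.strip().upper() == 'DC']
    return '.'.join(dcs).lower()


def choose_server(base_dn, servers=SERVERS):
    """Pick the server whose domain matches base_dn, or None if unknown."""
    return servers.get(domain_of(base_dn))
```

Querying the server returned by `choose_server` for each configured search base avoids the referral entirely, which is what the ldapsearch experiment above shows is required.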