Users Base Point configuration for the adapter

You can configure the Active Directory Adapter to support both sub-domains and multiple domains through the base point feature on the adapter service form.

For more information on configuring the service form, see the IBM® Security Identity Governance and Intelligence product documentation.

The base point for the Active Directory Adapter is the point in the directory server that is used as the root for the adapter. This point can be an OU or a DC entry. Because the base point is optional, if no value is specified the adapter uses the default domain of the workstation on which it is installed.

The following definition is an example of a base point defined from the root of the directory server:

dc=irvine,dc=IBM,dc=com

The following definition is an example of a base point defined from an organizational unit level:

ou=engineering,dc=irvine,dc=IBM,dc=com

The syntax of the base point also allows an optional workstation name to prefix the base point DN, for example server1/dc=ibm,dc=com. This causes the adapter to bind to that specific server instead of connecting to the first available server when responding to an Active Directory bind request.

You can specify more than one target server for the base point on the Active Directory Adapter service form in IBM Security Identity Governance and Intelligence and in the Active Directory Adapter registry. Separate each target server with | as the delimiter. For example:
Base Point DN on the service form with more than one target server:
DC01|DC02|DC03/OU=engineering,DC=irvine,DC=IBM,DC=com
Base Point DN on the service form with only one target server:
DC01/OU=engineering,DC=irvine,DC=IBM,DC=com
Base Point DN on the service form with no target server:
OU=engineering,DC=irvine,DC=IBM,DC=com
The adapter iterates through all the target servers specified in the base point on the service form. The adapter uses the first available target server.
Note:
  • There is a limit of 240 characters for the Base Point DN attribute on the adapter service form.
  • The adapter service form and the registry can each specify their own set of target servers. However, the target servers specified on the service form take precedence over those in the registry.
  • When you do not provide a base point on the service form, the adapter does not use the registry.
  • Specify the target servers in the adapter registry rather than on the adapter service form: the registry list is cached, which improves performance, whereas the target server list on the service form is not cached and is parsed on every request to find all target servers.
  • Use agentCfg.exe to create and modify adapter registry keys. Restart the adapter service after you add or modify the registry keys. When the base point or a target server name contains Unicode characters, use regedit to create the registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Access360\ADAgent\Specific.
Note: Do not create services that overlap in scope in the directory tree. This could result in duplicate account creation during reconciliation.
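The following is an added illustration, not code from the adapter or from IBM, of how the base point syntax described above can be parsed and validated: the optional server prefix split off at the first /, the server list split on |, the 240-character limit, the OU/DC-only DN components, and the rule that service-form servers take precedence over registry servers while an empty service-form base point means the registry is not consulted at all. The availability check is a caller-supplied callable (an assumption standing in for the adapter's real bind attempt).

```python
import re
from typing import Callable, Iterable, List, Optional, Tuple

# Limit for the Base Point DN attribute on the adapter service form.
MAX_BASE_POINT_LEN = 240

# One RDN of the form OU=... or DC=..., the two kinds a base point may use.
_RDN = re.compile(r"^(ou|dc)=[^,]+$", re.IGNORECASE)


def parse_base_point(value: str) -> Tuple[List[str], str]:
    """Split 'DC01|DC02/OU=eng,DC=irvine,DC=IBM,DC=com' into (servers, dn).

    An empty value is valid: it means "use the workstation's default domain".
    """
    value = value.strip()
    if len(value) > MAX_BASE_POINT_LEN:
        raise ValueError(f"base point exceeds {MAX_BASE_POINT_LEN} characters")
    if not value:
        return [], ""
    servers: List[str] = []
    dn = value
    if "/" in value:
        # Everything before the first '/' is the '|'-delimited server list.
        prefix, dn = value.split("/", 1)
        servers = [s.strip() for s in prefix.split("|") if s.strip()]
    for rdn in dn.split(","):
        if not _RDN.match(rdn.strip()):
            raise ValueError(f"unsupported RDN in base point: {rdn!r}")
    return servers, dn


def choose_target_server(
    form_value: str,
    registry_servers: Iterable[str],
    is_available: Callable[[str], bool],  # hypothetical reachability probe
) -> Optional[str]:
    """Return the first available target server, or None if there is none.

    Service-form servers win over registry servers; with no base point on
    the form the registry is ignored and the default domain would be used.
    """
    form_servers, dn = parse_base_point(form_value)
    if not dn:
        return None
    candidates = form_servers or list(registry_servers)
    for server in candidates:
        if is_available(server):
            return server
    return None
```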