AD Integration

Can you set up AD integration with IdM to manage users and authenticate with AD credentials, but without creating a new domain for the IdM?

Is the integration possible if both AD and IdM reside in the same domain?

Responses

Hello,

It is possible to use the same AD domain on IdM, but it's not recommended; you'll probably have DNS issues (e.g. _kerberos._tcp.your.domain.name will conflict).

Why don't you want to create a Domain for IdM?

Hello Om,

It is not possible to have AD Domain Controllers and IdM Servers exist in the same DNS domain.

Please see the following documentation with DNS requirements: Planning a cross-forest trust between IdM and AD - 6.5. Setting up DNS

In summary:

  • IdM searches for other LDAP servers by requesting DNS Service Records (SRV) for _ldap, and it must receive a response only from IdM servers. AD DCs responding to _ldap requests will not provide information to IdM servers properly.

  • AD will establish a Kerberos domain, and IdM will establish its own Kerberos domain. Each must be unique, and each must be aware of every server in its domain in order to provide proper authentication of service traffic.

You may use Direct Integration (sssd with realm join, or Winbind with net ads join) to have individual Linux servers in the same DNS domain as AD, but you cannot combine these methods with IdM (which sets up its own Kerberos realm and uses Indirect Integration via an AD-IdM Trust).

Take care,

Josip - IdM Documentation Team

Former IdM Technical Support Engineer
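Both replies above come down to the same observable fact: in a DNS domain shared with AD, the SRV records IdM relies on (_ldap._tcp and _kerberos._tcp) are answered by domain controllers as well as IdM servers. The script below is an added example, not code from the thread or from the IdM project, that checks this before you decide on a layout. It reads `dig +short SRV` output and reports every answering host that is not in the list of hosts you intend to be IdM servers. The hostnames, the example.com domain and the embedded sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether the SRV
# records that IdM depends on in a DNS domain are answered only by the
# hosts you intend to be IdM servers. Any other target, for instance an
# AD domain controller living in the same DNS domain, is reported as a
# conflict. All hostnames and the sample records below are hypothetical.

# srv_conflicts EXPECTED_TARGETS
#   Reads `dig +short SRV` output on stdin ("priority weight port target.")
#   and prints "conflict: <target>" for every target not in EXPECTED_TARGETS
#   (a space-separated list of FQDNs with the trailing dot dig prints).
#   Returns 0 if every answer came from an expected host, 1 otherwise.
srv_conflicts() {
    allowed=" $1 "
    rc=0
    while read -r _prio _weight _port target; do
        [ -z "$target" ] && continue      # skip blank or truncated lines
        case "$allowed" in
            *" $target "*) ;;             # an IdM server we expect to answer
            *) echo "conflict: $target"; rc=1 ;;
        esac
    done
    return $rc
}

# check_domain DOMAIN EXPECTED_TARGETS
#   Queries live DNS for the two record names discussed in the thread and
#   returns 1 if either answer set includes a host that is not an IdM server.
#   Example: check_domain example.com "idm1.example.com. idm2.example.com."
check_domain() {
    domain="$1"; expected="$2"; rc=0
    for name in _ldap._tcp _kerberos._tcp; do
        echo "== $name.$domain"
        dig +short SRV "$name.$domain" | srv_conflicts "$expected" || rc=1
    done
    return $rc
}

# Constructed sample: what `dig +short SRV _ldap._tcp.example.com` might
# return when two IdM replicas and one AD DC share the example.com DNS domain.
SAMPLE_LDAP_SRV='0 100 389 idm1.example.com.
0 100 389 idm2.example.com.
0 100 389 dc1.example.com.'

# Runs the constructed sample through the check; prints the conflicting target.
check_sample() {
    printf '%s\n' "$SAMPLE_LDAP_SRV" | srv_conflicts "idm1.example.com. idm2.example.com."
}

# Stand-alone run: the AD DC in the sample is flagged, so this takes the else branch.
if check_sample; then
    echo "no conflicts: only IdM servers answer _ldap._tcp"
else
    echo "SRV conflict detected: an AD DC answers in the IdM DNS domain"
fi
```

Against a real domain, run `check_domain your.domain.name "<your IdM servers>"`; a non-zero exit means an AD DC is answering the records IdM expects to own, which is the situation the documentation linked above tells you to avoid by giving IdM its own DNS domain. The direct-integration commands mentioned in the reply (`realm join` with SSSD, `net ads join` with Winbind) are the route for individual Linux hosts that must stay in the AD DNS domain; they are not combined with an IdM server.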