Configuring for Users and K2 Server/Workspace in separate Domains

Last post 01-11-2008, 4:06 PM by scottforce. 4 replies.
  •  01-10-2008, 12:40 PM 21009

    Configuring for Users and K2 Server/Workspace in separate Domains

    Unable to 'see' second domain in Workspace or Studio. This is a show stopper.
    Currently the K2 server, workspace, and db all reside in {Domain1}.
    99% of future system users' accounts will reside in {Domain2}.
    Unable to send notifications, assign tasks, or set permissions for users on {Domain2} until K2BP recognizes them.

    Here are current attempts to date to modify the hostserver database, securitylabels table:

    UPDATE [HostServer].[dbo].[SecurityLabels]
    SET AuthInit = '<AuthInit><Domain>{DOMAIN1}</Domain><Domain>{DOMAIN2}</Domain></AuthInit>'

    ,[RoleInit] = '<roleprovider>
    <init>ADCache=10;LDAPPath=LDAP://DC={DOMAIN1},DC=LOCAL;ResolveNestedGroups=False;
    IgnoreForeignPrincipals=False;IgnoreUserGroups=False;
    MultiDomain=True;DataSources=&lt;DataSources&gt;

    [[+++ THIS IS THE PART CHANGED IN EACH ATTEMPT +++]]

    &lt;/DataSources&gt;;;</init>

    <login />

    <implementation assembly="ADUM, Version=4.0.0.0, Culture=neutral, PublicKeyToken=16a2c5aaaa1b130d" type="ADUM.K2UserManager2" />

    <properties>
    <user>
    <property name="Name" type="System.String" />
    <property name="Description" type="System.String" />
    <property name="Email" type="System.String" />
    <property name="Manager" type="System.String" />
    <property name="SipAccount" type="System.String" />
    <property name="ObjectSID" type="System.String" />
    </user>
    <group>
    <property name="Name" type="System.String" />
    <property name="Description" type="System.String" />
    </group>
    </properties>
    </roleprovider>'

    WHERE SecurityLabelName = 'K2'


    /*
    -- format 1: format attempt with 2 top-level domains

    &lt;DataSource Path="LDAP://DC={DOMAIN1},DC=LOCAL" NetBiosName="{DOMAIN1}" /&gt;&lt;DataSource Path="LDAP://DC={DOMAIN2},DC=LOCAL" NetBiosName="{DOMAIN2}" /&gt;
    */


    /*
    -- format 1a: format attempt with 2 top-level domains + mike talley mod 1

    &lt;DataSource Path="LDAP://DC={DOMAIN1},DC=LOCAL" NetBiosName="{DOMAIN1}" /&gt;&lt;DataSource Path="LDAP://{DOMAIN2}.LOCAL, DC={DOMAIN2},DC=LOCAL" NetBiosName="{DOMAIN2}" /&gt;

    */

    /*
    -- format 1b: format attempt with 2 top-level domains + mike talley mod 2
    &lt;DataSources&gt;&lt;DataSource Path="LDAP://DC={DOMAIN1},DC=LOCAL" NetBiosName="{DOMAIN1}" /&gt;&lt;DataSource Path="LDAP://{DOMAIN2}.LOCAL/CN=Users, DC={DOMAIN2},DC=LOCAL" NetBiosName="{DOMAIN2}" /&gt;

    */

    /*
    -- format 1c: format attempt with 2 top-level domains + mike talley mod 3
    &lt;DataSources&gt;&lt;DataSource Path="LDAP://DC={DOMAIN1},DC=LOCAL" NetBiosName="{DOMAIN1}" /&gt;&lt;DataSource Path="LDAP://+++ DOMAIN_CONTROLLER +++.{DOMAIN2}.LOCAL/CN=Users, DC={DOMAIN2},DC=LOCAL" NetBiosName="{DOMAIN2}" /&gt;

    */

    /*
    -- format 2: alternate format attempt with child domain relationship
    &lt;DataSource Path="LDAP://DC={DOMAIN1},DC=LOCAL" NetBiosName="{DOMAIN1}" /&gt;&lt;DataSource Path="LDAP://DC={DOMAIN1},DC={DOMAIN2}.LOCAL,DC=LOCAL" NetBiosName="{DOMAIN2}" /&gt;

    */

    /*
    -- restore to original format

    &lt;DataSource Path="LDAP://DC={DOMAIN1},DC=LOCAL" NetBiosName="{DOMAIN1}" /&gt;

    */

    Any additional recommendations greatly appreciated!!

    Thanks!!

  •  01-10-2008, 12:45 PM 21011 in reply to 21009

    Re: Configuring for Users and K2 Server/Workspace in separate Domains

    This may help, it was in another thread

    Unfortunately, there can be only one label for an ADProvider at the moment. Therefore, if you have sub domains or domains in a different forest you will have to add those domains to the same security label by modifying the AuthInit and RoleInit fields in the securitylabels table in the Host Server database as follows:

    • The AuthInit should be modified to contain both Domain NetBIOS names. E.g.

                    <AuthInit>

                    <Domain> PARENTDOMAIN </Domain><Domain> CHILDDOMAIN1</Domain>

                    </AuthInit>

    • The RoleInit is a little trickier. You need to do the following:

      - First you will have to set the “MultiDomain” property to “True” – Very Important

      - Secondly you will have to edit the DataSources property (which you’ll see has to be escaped) by following my example below:

        DataSources=

    &lt;DataSources&gt;

    &lt;DataSource Path="LDAP://DC= ParentDomain,DC=COM" NetBiosName=" PARENTDOMAIN "/&gt;

    &lt;DataSource Path="LDAP:// DC= ParentDomain ,DC= ChildDomain1,DC=com" NetBiosName=" CHILDDOMAIN1"/&gt;

    &lt;/DataSources&gt;

    Here is an example script:


    Use hostserver

    Update securitylabels

    Set authinit = '<AuthInit><Domain> PARENTDOMAIN </Domain><Domain> CHILDDOMAIN1</Domain></AuthInit>',

    Roleinit =

    '<roleprovider>

    <init>ADCache=10;MultiDomain=True;IgnoreForeignPrincipals=False;IgnoreUserGroups=False;LDAPPath=LDAP://DC=DOMAIN1,DC=COM;ResolveNestedGroups=False;DataSources=

    &lt;DataSources&gt;

    &lt;DataSource Path="LDAP://DC= ParentDomain,DC=COM" NetBiosName=" PARENTDOMAIN "/&gt;

    &lt;DataSource Path="LDAP:// DC= ParentDomain ,DC= ChildDomain1,DC=COM" NetBiosName=" CHILDDOMAIN1"/&gt;

    &lt;/DataSources&gt;

    </init>

    <login /><implementation assembly="ADUM, Version=4.0.0.0, Culture=neutral, PublicKeyToken=16a2c5aaaa1b130d" type="ADUM.K2UserManager2" /><properties><user><property name="Name" type="System.String" /><property name="Description" type="System.String" /><property name="Email" type="System.String" /><property name="Manager" type="System.String" /><property name="SipAccount" type="System.String" /><property name="ObjectSID" type="System.String" /></user><group><property name="Name" type="System.String" /><property name="Description" type="System.String" /></group></properties></roleprovider>'

    where securitylabelname='LABELNAME'
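
Added example, not part of the original posts and not K2 code: a Python check, run before the UPDATE, that an AuthInit value and a RoleInit value of the shape described above agree with each other. It assumes only the field layout shown in this thread; `check_label` and the CORP/PARTNER domain names are made up for illustration.

```python
import xml.etree.ElementTree as ET

def check_label(auth_init, role_init):
    """Return a list of problems in an AuthInit/RoleInit pair; an empty list means consistent."""
    problems = []
    auth = {d.text.strip().upper() for d in ET.fromstring(auth_init).iter("Domain") if d.text}
    # Parsing RoleInit also undoes the &lt;/&gt; escaping of the DataSources XML.
    init = ET.fromstring(role_init).findtext("init") or ""
    settings_text, found, ds_text = init.partition("DataSources=")
    settings = dict(kv.strip().split("=", 1) for kv in settings_text.split(";") if "=" in kv)
    if len(auth) > 1 and settings.get("MultiDomain", "").lower() != "true":
        problems.append("MultiDomain is not True")
    if not found:
        return problems + ["no DataSources property"]
    try:
        sources = ET.fromstring(ds_text.strip().rstrip(";").strip())
    except ET.ParseError as exc:
        return problems + [f"DataSources is not well-formed XML: {exc}"]
    names = set()
    for ds in sources.iter("DataSource"):
        name = ds.get("NetBiosName", "").strip().upper()
        names.add(name)
        if not ds.get("Path", "").strip().upper().startswith("LDAP://"):
            problems.append(f"{name}: Path is not an LDAP:// path")
    problems += [f"{d}: in AuthInit but has no DataSource" for d in sorted(auth - names)]
    problems += [f"{d}: has a DataSource but is not in AuthInit" for d in sorted(names - auth)]
    return problems

# Constructed sample values (CORP and PARTNER are made-up domain names).
AUTH = "<AuthInit><Domain>CORP</Domain><Domain>PARTNER</Domain></AuthInit>"
SOURCES = ('&lt;DataSource Path="LDAP://DC=CORP,DC=LOCAL" NetBiosName="CORP" /&gt;'
           '&lt;DataSource Path="LDAP://DC=PARTNER,DC=LOCAL" NetBiosName="PARTNER" /&gt;')
TEMPLATE = ("<roleprovider><init>ADCache=10;LDAPPath=LDAP://DC=CORP,DC=LOCAL;MultiDomain=True;"
            "DataSources=&lt;DataSources&gt;{}&lt;/DataSources&gt;;;</init><login /></roleprovider>")
GOOD = TEMPLATE.format(SOURCES)
# An extra opening tag pasted inside the wrapper leaves the escaped XML unbalanced.
DOUBLED = TEMPLATE.format("&lt;DataSources&gt;" + SOURCES)

if __name__ == "__main__":
    for label, value in (("good", GOOD), ("doubled wrapper", DOUBLED)):
        print(label, check_label(AUTH, value))
```

The check only compares the two column values with each other; it does not contact a domain controller or confirm that the LDAP paths resolve.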

     

     

     

  •  01-10-2008, 1:38 PM 21015 in reply to 21011

    Re: Configuring for Users and K2 Server/Workspace in separate Domains

    Thanks, Chris... that post was actually the foundation for a lot of what I have done. Additional insight GREATLY appreciated if available.


    Thanks.

  •  01-11-2008, 6:48 AM 21030 in reply to 21015

    Re: Configuring for Users and K2 Server/Workspace in separate Domains

    Hi Scott,

    Did you restart your K2server after you made the change? The datasources are loaded with the startup.

    Cheers

    Gert


    The statements and opinions made in my postings are my own, and do not reflect the opinions of SourceCode Technology Holdings, Inc. or its subsidiaries. All information is provided as is with no warranties, express or implied, and grants no rights or licenses.
  •  01-11-2008, 4:06 PM 21040 in reply to 21030

    Re: Configuring for Users and K2 Server/Workspace in separate Domains

    Yes, Gert, thanks. Have shut down K2 Server prior to DB mod each time, then re-start it after each update.

    Additional recommendations are appreciated!

    Community at large: Still looking for the proper data to enter into the hostserver database, securitylabels table; AuthInit and RoleInit fields.

    Also: Are there other places where I need to make settings/configurations as well?

    THANKS!!
