Insight LDAP import improperly includes two domains

Jon Hill August 6, 2018

I have an Active Directory forest with three domains:

- a.lan
- b.lan
- c.b.lan

I've defined an Insight object type called Groups that has three sub child object types, one for each domain.

I can import a.lan easily enough by specifying ldaps://a.lan and setting DC=a,DC=lan as the BaseDN.

But if I try to import b.lan (with URL of ldaps://b.lan and baseDN of DC=b,DC=lan), my import task also pulls in records from c.b.lan, which is an entirely different domain.  I haven't seen this behavior before in any other LDAP tool, which suggests that the Riada implementation is either buggy or, um, novel.

I can't specify a search filter like !(ou:dn:c.b.lan) because AD doesn't allow wildcard searches on distinguishedName.  I could create six or seven separate import jobs for different OUs (setting selector to OU=firstOU for one, and OU=secondOU for another), but then I wouldn't be able to use the Missing objects directive to flag records that have disappeared.

I'm going to try authenticating with a userid that only has permission for the b.lan domain.  Hopefully that will do it.  Any other ideas would be appreciated.
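A client-side scoping check over the search results, added here as an example that is not part of this post or of the Riada/Insight product. It assumes the extra c.b.lan records appear because the importer follows the subordinate referrals AD returns for the child naming context during a subtree search of DC=b,DC=lan, and that the results are available as DNs; the function names and the sample DNs are constructed.

```python
"""Keep only entries that belong to one AD naming context (b.lan, not c.b.lan).

AD does not allow wildcard matching on distinguishedName, so the child domain
cannot be excluded in the LDAP filter; instead the DN of each returned entry is
compared component-wise (not by substring) against the base and the child NCs.
Note that every c.b.lan DN genuinely ends in DC=b,DC=lan, so a suffix match on
the base alone is not enough: the child naming contexts must be listed explicitly
(in practice, taken from the forest's namingContexts on the RootDSE).
"""


def dn_components(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas ('Smith\\, John')."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma ends the current RDN
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def in_naming_context(dn, base_dn, exclude=()):
    """True if dn lies under base_dn but under none of the excluded (child) contexts."""
    rdns = [c.lower() for c in dn_components(dn)]

    def under(context):
        ctx = [c.lower() for c in dn_components(context)]
        return len(rdns) >= len(ctx) and rdns[-len(ctx):] == ctx

    return under(base_dn) and not any(under(child) for child in exclude)


def scope_entries(dns, base_dn, exclude=()):
    """Filter a list of result DNs down to the wanted naming context."""
    return [dn for dn in dns if in_naming_context(dn, base_dn, exclude)]


# Constructed sample of what a subtree search at DC=b,DC=lan can return when the
# child domain's referral is chased; these are not real directory records.
SAMPLE_DNS = [
    "CN=Sales,OU=Groups,DC=b,DC=lan",
    "CN=Ops,OU=Groups,DC=b,DC=lan",
    "CN=Smith\\, John,OU=Users,DC=b,DC=lan",
    "CN=Sales,OU=Groups,DC=c,DC=b,DC=lan",   # child domain, must be dropped
    "DC=c,DC=b,DC=lan",                      # the child NC head itself
]
```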
