Windows AD and multiple domains

I am inquiring to find out:
• if Ignition can support cross-domain users
• if the gateway config can support cross domains and get user lists and roles derived from AD
• any known issues or concerns that I might need to watch for (using multiple domains)?

I have previously used AD (however on a single domain) and am comfortable with the gateway configs running various LDAPs for gateway properties.

If you have a ‘forest’ with multiple domains, you can point to your Global Catalog domain controller servers and change the default port to the GC port (3268).
I’m pulling users & groups from 4 domains that are part of the same forest. I’m not sure how this will work with cross domains with 2-way trusts or that type of setup, but it’s a start, maybe?

Hi David,

Thank you for the response. If I understand your response correctly, it appears that you have a parent-child domain setup, but still part of one big happy family. Some folks here are adamant about using their own domain and not the parent-child, nor setting up different OUs within the big forest. Security guys are already fretting over poking holes and trust relations in the envisioned multi-domain request. I would imagine that there are really no such usages or applications where users are across multiple domains in multiple forests, without built-in trusts?

On a separate note, how well is your multi-domain in one forest working out for you? Should I assume users in multiple domains are in their own plant? Do you have issues with users from corporate reaching across any domain within your setup? I have been thinking of this for some time but have no lead-in or sufficient info.

Thanks,
Shankar

Hi,
We’re still at very early days in setting up LDAP role management inside Ignition. It’s one of those things that our developers have been wishing for, for years, but we hadn’t gotten around to looking at until now.
We need to get it working over SSL to comply with new security requirements before we roll it out production-ready…
But the few tests we’ve done show that it is doable, as long as you’re not scared of LDAP filters :wink:

Example of our user list filter, which finds all users who are directly or indirectly (via nesting) members of “Global_Group_IGNITION_USERS”:
(&(objectClass=user)(!(objectClass=computer))(memberOf:1.2.840.113556.1.4.1941:=CN=Global_Group_IGNITION_USERS,OU=IGNITION,OU=WHATEVER,DC=subdomain,DC=domain,DC=int))

and the user search base: DC=domain,DC=int

For the domain controller, I’m setting the domain name itself, as DNS takes over and supplies the ‘closest’ DC based on Sites & Services topology (in theory).

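The filter and Global Catalog setup described in the replies above, as an added example that is not part of the original thread or of Ignition itself: it builds the nested-membership user filter (AD's LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941) with RFC 4515 escaping of the group DN, so a group name containing `*`, `(` or `)` cannot alter the filter, and composes the GC target on port 3268 (or 3269 over SSL). Function names and the ldaps/3269 choice are assumptions for illustration.

```python
# Added example, not code from the forum post or from Ignition.
# Builds the nested-group user filter shown in the thread and the Global
# Catalog connection target; helper names are assumptions for illustration.

# AD-specific matching rule: memberOf is evaluated transitively through nesting.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
GC_PORT = 3268       # Global Catalog, plaintext LDAP (forest-wide search)
GC_SSL_PORT = 3269   # Global Catalog over SSL (standard port, assumed here)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a group or user name containing '*', '(' or ')' would
    change the structure of the filter instead of being matched literally.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)


def nested_members_filter(group_dn: str) -> str:
    """Users (excluding computer accounts) that are direct or nested
    members of group_dn, matching the filter quoted in the thread."""
    return (
        "(&(objectClass=user)(!(objectClass=computer))"
        f"(memberOf:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))"
    )


def forest_search_base(forest_root: str) -> str:
    """Forest-root search base, e.g. 'domain.int' -> 'DC=domain,DC=int'.
    Searching from the root over the GC returns users from every domain."""
    labels = [p for p in forest_root.split(".") if p]
    if not labels:
        raise ValueError("forest root must contain at least one DNS label")
    return ",".join(f"DC={label}" for label in labels)


def gc_url(domain_name: str, use_ssl: bool = True) -> str:
    """Connection target: the domain name itself (DNS picks the nearest DC)
    on the Global Catalog port rather than the default 389/636."""
    scheme, port = ("ldaps", GC_SSL_PORT) if use_ssl else ("ldap", GC_PORT)
    return f"{scheme}://{domain_name}:{port}"
```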