Is it possible to integrate RSA Archer with multiple Active Directories?


Question

Is it possible to integrate RSA Archer with multiple Active Directories?

Recommended answer

Everything is possible, it's just a matter of how much effort you are willing to apply :)

Option 1 (recommended): RSA Archer v5.x supports multiple LDAP sync configurations. So you can have more than one AD server you can sync users against.
Side Effects:
[a] If AD1 and AD2 both have a user with the same name, then you will have two users created in Archer in different domains. With manual login, users will need to supply different domains.
[b] Not sure how it will work with SingleSignOn enabled. I think that SSO will work only for the primary domain, but I'm not sure - you may want to test this.

Option 2 (AD workaround): I have little knowledge of Active Directory technology, but I believe that you can establish trust relationships between multiple ADs in such a way that some group from AD2 can reside within another group in AD1 (and they will autosync as well). This way you can sync only against one AD with Archer, but have users from both ADs.

Option 3 (database back end workaround): In the database you can find tables where the LDAP configuration, users, and users-to-groups mapping are stored. You can introduce a trigger that will make a copy of the users table and usergroup tables after each LDAP sync. So after you run two LDAP syncs, you will have two backup copies. Then with your SQL trigger you can merge them and override the original table. With this approach you can sync users within the same "archer domain" against multiple LDAP sources.
Side Effects:
[a] You have to write and maintain custom SQL code.
[b] Users can expect not to have proper access to the environment until all of your LDAP syncs are executed one by one and processed by the triggered code.

Good luck!
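
A pre-check for side effect [a] of Option 1, as an added example that is not part of the original answer: before adding a second LDAP sync configuration (or merging users into one domain as in Option 3), compare exports from both directories and list logon names that exist in both. The LDIF text below is constructed sample data, and the parser assumes simple unfolded `attr: value` lines.

```python
from collections import defaultdict
# Constructed sample exports, one per directory (assumption: produced beforehand
# by your own export tooling; all names and addresses here are made up).
AD1_LDIF = """\
dn: CN=John Smith,OU=Staff,DC=ad1,DC=example
sAMAccountName: jsmith
mail: john.smith@example.com

dn: CN=Alice Wong,OU=Staff,DC=ad1,DC=example
sAMAccountName: awong
mail: alice.wong@example.com
"""
AD2_LDIF = """\
dn: CN=Jane Smith,OU=Users,DC=ad2,DC=example
sAMAccountName: JSmith
mail: jane.smith@example.org

dn: CN=Alice Wong,OU=Users,DC=ad2,DC=example
sAMAccountName: awong
mail: Alice.Wong@example.com
"""

def parse_ldif(text):
    """Parse simple 'attr: value' entries separated by blank lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value
        entries.append(entry)
    return entries

def find_collisions(sources):
    """sources: {label: ldif_text}. Logon names are compared case-insensitively.
    Returns {username: verdict} for names present in more than one directory."""
    seen = defaultdict(list)
    for label, text in sources.items():
        for e in parse_ldif(text):
            seen[e["sAMAccountName"].lower()].append((label, e.get("mail", "").lower()))
    report = {}
    for name, hits in seen.items():
        if len({label for label, _ in hits}) > 1:
            mails = {mail for _, mail in hits}
            report[name] = "same-mail" if len(mails) == 1 and "" not in mails else "different-mail"
    return report

if __name__ == "__main__":
    for user, verdict in sorted(find_collisions({"AD1": AD1_LDIF, "AD2": AD2_LDIF}).items()):
        print(user, verdict)
```

A `different-mail` verdict suggests two different people share a logon name and need a manual decision before the sync; `same-mail` suggests one person with an account in each directory.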
