
KB-7346: How to skip LDAP probe for one-way trusted domain controller(s)

Centrify DirectControl

22 August 2016 at 09:48 PM

Background:
Two domains are configured with a one-way trust. Domain A is the user (account) domain and Domain B is the resource domain: Domain B trusts Domain A, but Domain A does not trust Domain B.

Problem:
The CentrifyDC agent (adclient) on a machine joined to Domain B sends LDAP queries (TCP port 389) to the domain controllers of Domain A, the outbound-trusted domain. How can this probe be skipped?

Solution:
Starting with Suite 2016 (CentrifyDC agent version 5.3.0), a new parameter in
/etc/centrifydc/centrifydc.conf addresses this:

adclient.skip.unused.outbound.trusts:

This configuration parameter specifies whether the agent should be prevented from sending LDAP queries to outbound trust domains that have no users in Centrify zones. If it is set to true, the agent only sends network queries to outbound trust domains that do contain users in Centrify zones; an outbound trust domain that does contain zone users is still probed. If you set this parameter manually, its value must be true or false. If the parameter is not explicitly defined in the configuration file or by group policy, its default value is false, which means every outbound trust domain is probed.

adclient.skip.unused.outbound.trusts: true

After changing the file, run 'adreload' so the agent picks up the new setting, then run 'adflush -t' to flush the cached trusted-domain information:

adreload
adflush -t

Note:
Another parameter in /etc/centrifydc/centrifydc.conf can also be used to prevent the agent from sending network queries to outbound trust domains:

adclient.excluded.domains:

This configuration parameter specifies a list of domains to exclude from the list of trusted domains. For example, you might want to exclude specific domains that are contained within a trusted forest. To specify domains to exclude, enter one or more domain names as fully qualified domain names (FQDNs), separated by spaces. For example:

adclient.excluded.domains: eng.acme.com qa.acme.com

The Centrify agent does not probe any excluded domains and consequently ignores users from those domains, so do not exclude a domain whose users still need to log on to the machine. The default value for this parameter is the empty list, which does not exclude any domains.
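The following shell helper is an added example and is not part of the Centrify KB article or of the Centrify product; the function names (cdc_set_param, cdc_set_bool, cdc_set_excluded_domains, cdc_get_param, cdc_apply, cdc_demo) are hypothetical. It assumes only what the article shows: that centrifydc.conf uses "key: value" lines, that adclient.skip.unused.outbound.trusts accepts true or false, that adclient.excluded.domains takes space-separated FQDNs, and that adreload followed by adflush -t applies the change. It edits an existing active line idempotently (so running it twice does not leave duplicate definitions), leaves commented-out defaults in place, rejects values the page says are invalid, and is exercised against a constructed sample file rather than the live /etc/centrifydc/centrifydc.conf:

```shell
#!/bin/sh
# Added example (not Centrify code): manage the two outbound-trust parameters
# from the article in a centrifydc.conf-style file, then apply them.
# CDC_CONF can be overridden so the helpers can be tried on a copy first.

CDC_CONF="${CDC_CONF:-/etc/centrifydc/centrifydc.conf}"

# cdc_set_param KEY VALUE [FILE]
# Replace the active "KEY: ..." line (leading whitespace allowed) or append one
# if none is active. Duplicate active definitions are collapsed into one;
# commented-out lines such as "# KEY: false" are left untouched.
cdc_set_param() {
    key=$1; value=$2; file=${3:-$CDC_CONF}
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # literal prefix match on "KEY:" so "KEY.suffix:" is not touched
            if (substr(line, 1, length(k) + 1) == k ":") {
                if (!done) { print k ": " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k ": " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# cdc_get_param KEY [FILE]  -> prints the value of the first active definition
cdc_get_param() {
    key=$1; file=${2:-$CDC_CONF}
    awk -v k="$key" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (substr(line, 1, length(k) + 1) == k ":") {
                val = substr(line, length(k) + 2)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }
    ' "$file"
}

# cdc_set_bool KEY VALUE [FILE]  -> the article says the value must be true/false
cdc_set_bool() {
    case $2 in
        true|false) cdc_set_param "$1" "$2" "$3" ;;
        *) echo "cdc_set_bool: $1 must be true or false, got '$2'" >&2; return 1 ;;
    esac
}

# cdc_valid_fqdn NAME  -> 0 if NAME is a dotted DNS name (at least two labels)
cdc_valid_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
      '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# cdc_set_excluded_domains FILE DOMAIN...  -> space-separated FQDN list
cdc_set_excluded_domains() {
    file=$1; shift
    for d in "$@"; do
        cdc_valid_fqdn "$d" || { echo "not an FQDN: $d" >&2; return 1; }
    done
    cdc_set_param adclient.excluded.domains "$*" "$file"
}

# cdc_apply: reload the agent and flush the trusted-domain cache, as the
# article instructs. Only meaningful on a joined host, as root.
cdc_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "cdc_apply: run as root" >&2; return 1; }
    command -v adreload >/dev/null 2>&1 || { echo "adreload not found" >&2; return 1; }
    adreload && adflush -t
}

# cdc_demo: run the helpers on a constructed sample (not copied from a real
# host) and print the edited file. Does not touch /etc.
cdc_demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample of centrifydc.conf
adclient.ldap.timeout: 7
# adclient.skip.unused.outbound.trusts: false
adclient.excluded.domains:
EOF
    cdc_set_bool adclient.skip.unused.outbound.trusts true "$f" || return 1
    cdc_set_excluded_domains "$f" eng.acme.com qa.acme.com || return 1
    cat "$f"
    rm -f "$f"
}
```

Run cdc_demo to see the edit on a throwaway copy; on a real host, set CDC_CONF to a copy of the live file, inspect the diff, copy it into place, then run cdc_apply (or adreload and adflush -t by hand). Remember that the skip parameter only suppresses probes of outbound trust domains with no users in Centrify zones, while adclient.excluded.domains drops a domain and its users entirely.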
