A Global Catalog is a Global Catalog Server. A Global Catalog
holds a full set of attributes for the domain in which it resides
and a subset of attributes for all objects in the Microsoft Active Directory Forest. The
primary two functions of a Global Catalog within the Microsoft Active Directory are logon capability
and Microsoft Active Directory
queries.
A Global Catalog in a Microsoft Active
Directory installation with the product is a single Lightweight Directory
Access Protocol (LDAP) repository that contains a subset of user information
from all the domains in the forest. This information includes user
IDs, authentication information, and groups, but not all the group
information.
You can use the Global Catalog on any domain controller
in the forest, even in subdomains. The Global Catalog is a solution
to the WebSphere® Application
Server limitation of a "single registry". There are limitations to
the Global Catalog. Users from the local domain controller contain
group "memberOf" information. Users from a foreign domain controller
contain limited "memberOf" information because the global group information
is not replicated to every domain controller.
Nested global groups in universal groups
This
is a typical structure of group membership and consists of the following
characteristics:
- Users are distributed across domain controllers in a forest containing
multiple domain controllers.
- Users are defined in global groups within their own local domain
controller.
- A universal group contains the global groups, which reflects a Java Platform Enterprise Edition
(Java EE) role that maps to
a set of users spread across multiple domain controllers.
The following figure illustrates nested global groups
in universal groups.
Figure 1. Nested global groups in universal
groups .
This figure illustrates nested global groups
in universal groups.
It is
a challenge to develop methods of configuring WebSphere Application Server to be able
to find users and their group memberships when the information is
spread across multiple domain controllers. One method requires that WebSphere Application Server
follow LDAP referrals to find the home domain controller for each
user and that WebSphere Application
Server perform nested group queries.
Avoid trouble: This
approach does not use the Global Catalog.
gotcha
Another method
and the simplest approach has universal groups that contain users
and uses a Global Catalog, which requires using referrals. The figure
that follows illustrates this method.
Figure 2. Locating
group memberships.
This figure illustrates the process
of locating group memberships.
A variation on this method is to not use universal
groups. You can use this approach when universal groups are not available.
Avoid trouble: This approach does not use
the Global Catalog.
gotcha
You might consider using the Microsoft Active Directory
Global Catalog as the WebSphere Application
Server registry. There are three scenarios; however, the first two
scenarios demonstrate how failures occur.
- If you configure WebSphere Application
Server to use Global Catalog as its LDAP registry and follow referrals,
then individual users are visible in each domain controller. Because
a user must exist only once in the registry, all logins fail.
- If you configure WebSphere Application
Server to use Global Catalog as its LDAP registry and do not follow
referrals and the individual users are within global groups, then
group membership is incomplete. See the following figure, which illustrates
this limitation.
Figure 3. Global catalog (without using referrals).
An illustration of a Global Catalog without using referrals
- When you configure WebSphere Application
Server to use Global Catalog as its LDAP registry, do not follow referrals,
and users are directly contained within universal global groups, then
group membership is complete.
Avoid trouble: When you select any of
these scenarios, consult appropriate Microsoft Active Directory information
to completely understand any implications the scenarios might have
on your configuation planning.
gotcha