This article describes how to configure Telligent Community in a multi-domain environment.
Prerequisites
This article assumes you've already performed the standard LDAP configuration. This article only requires a few changes to the configuration to work with multiple domains.
Configure LDAP
To configure LDAP to work in a multi-domain environment, you need to point Telligent Community to the forest's Global Catalog server. To do this, change the Server and Port settings in the LdapConnection section of your web.config: change the Server value to use GC:// instead of LDAP://, and use port 3268 (the Global Catalog port) instead of port 389.
<LdapConnection>
<add key="Server" value="GC://mycompany.com" />
<add key="Port" value="3268" />
<add key="Authentication" value="Secure" />
</LdapConnection>
The Server setting is case-sensitive.
Be sure that the server in the GC://mycompany.com setting is the name of the root domain in the forest.
When using just LDAP://, Telligent Community will only be able to look up users within that specific domain. By using the Global Catalog, it is able to look up users and groups in any child domains as well.
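The following is an added example, not code from the article or from Telligent, that lints the LdapConnection section described above. It parses the `<add key="..." value="..." />` entries shown on this page and reports a mismatch between the Server scheme and the Port, a lowercase scheme (the Server setting is case-sensitive), or a plain LDAP:// server that will limit lookups to a single domain. The sample web.config fragments are constructed for the demonstration, and wrapping the section in a `<configuration>` root is an assumption.

```python
"""Added example: lint the <LdapConnection> section of a Telligent Community
web.config for multi-domain (Global Catalog) use. Only the key/value layout
shown in the article is relied on; the <configuration> wrapper is assumed."""
import xml.etree.ElementTree as ET

GC_PORT = "3268"    # Global Catalog port, as given in the article
LDAP_PORT = "389"   # plain LDAP port, as given in the article


def read_ldap_connection(xml_text):
    """Return the key/value pairs of the <LdapConnection> section as a dict."""
    root = ET.fromstring(xml_text)
    section = root if root.tag == "LdapConnection" else root.find(".//LdapConnection")
    if section is None:
        raise ValueError("no <LdapConnection> section found")
    return {add.get("key"): add.get("value", "") for add in section.findall("add")}


def check_ldap_connection(xml_text):
    """Return a list of findings; an empty list means the section is
    consistent with a multi-domain (Global Catalog) configuration."""
    settings = read_ldap_connection(xml_text)
    findings = []
    server = settings.get("Server", "")
    port = settings.get("Port", "")
    scheme = server.split("://", 1)[0] if "://" in server else ""

    if server.startswith("GC://"):
        # Right scheme; the port must be the Global Catalog port.
        if port != GC_PORT:
            findings.append(
                f"Server uses GC:// but Port is {port!r}; the Global Catalog listens on {GC_PORT}")
    elif server.startswith("LDAP://"):
        # Valid for a single domain, but child domains will not be searched.
        findings.append("Server uses LDAP://; lookups are limited to that one domain "
                        "(use GC:// and port 3268 for a multi-domain forest)")
        if port == GC_PORT:
            findings.append(f"Port {GC_PORT} is the Global Catalog port but Server does not use GC://")
    elif scheme.upper() in ("GC", "LDAP"):
        # Case matters: gc:// is not accepted where GC:// is expected.
        findings.append(f"Server scheme {scheme!r} has the wrong case; the Server setting "
                        f"is case-sensitive (use {scheme.upper()}://)")
    else:
        findings.append(f"Server {server!r} does not start with GC:// or LDAP://")
    return findings


# Constructed sample sections for the demonstration.
GC_CONFIG = """<configuration><LdapConnection>
<add key="Server" value="GC://mycompany.com" />
<add key="Port" value="3268" />
<add key="Authentication" value="Secure" />
</LdapConnection></configuration>"""
SINGLE_DOMAIN_CONFIG = GC_CONFIG.replace("GC://", "LDAP://").replace("3268", "389")
WRONG_CASE_CONFIG = GC_CONFIG.replace("GC://", "gc://")

if __name__ == "__main__":
    for name, cfg in [("GC_CONFIG", GC_CONFIG),
                      ("SINGLE_DOMAIN_CONFIG", SINGLE_DOMAIN_CONFIG),
                      ("WRONG_CASE_CONFIG", WRONG_CASE_CONFIG)]:
        print(name, check_ldap_connection(cfg) or ["OK"])
```

Run it against a copy of your web.config (pass the file contents to `check_ldap_connection`) before restarting the site; an empty result means the scheme, case and port agree with the Global Catalog settings above.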
Read-only operation
Currently, in a multi-domain environment, Telligent Community cannot write profile updates back to the directory. The Global Catalog is read-only, and Telligent Community doesn't support issuing updates to the individual domain controllers within the environment.
To avoid any issues, it is recommended to edit the ldap.config and change the AccessLevel settings to "ReadOnly" for all Attribute entries.
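As an added example (not the article's or Telligent's own code), the script below forces AccessLevel="ReadOnly" on every Attribute entry of an ldap.config and lists any entries that are still writable, so the change recommended above can be applied and verified in one pass. The ldap.config layout used here (an `<Attribute Name="..." AccessLevel="..." />` element per mapped attribute) is an assumption, as is the sample file.

```python
"""Added example: make every <Attribute> entry in an ldap.config ReadOnly.
The element and attribute names (<Attribute Name=... AccessLevel=...>) are
assumed; adjust them to match your ldap.config."""
import xml.etree.ElementTree as ET

READ_ONLY = "ReadOnly"


def writable_attributes(xml_text):
    """Return the names of <Attribute> entries whose AccessLevel is not ReadOnly."""
    root = ET.fromstring(xml_text)
    return [a.get("Name", "?") for a in root.iter("Attribute")
            if a.get("AccessLevel") != READ_ONLY]


def make_attributes_read_only(xml_text):
    """Return (new_xml, names_changed) with every <Attribute> set to
    AccessLevel="ReadOnly"; entries that are already ReadOnly are untouched."""
    root = ET.fromstring(xml_text)
    changed = []
    for attr in root.iter("Attribute"):
        if attr.get("AccessLevel") != READ_ONLY:
            changed.append(attr.get("Name", "?"))
            attr.set("AccessLevel", READ_ONLY)
    return ET.tostring(root, encoding="unicode"), changed


# Constructed sample ldap.config fragment for the demonstration.
SAMPLE_LDAP_CONFIG = """<Ldap>
  <Attributes>
    <Attribute Name="DisplayName" AccessLevel="ReadWrite" />
    <Attribute Name="Email" AccessLevel="ReadWrite" />
    <Attribute Name="Username" AccessLevel="ReadOnly" />
  </Attributes>
</Ldap>"""

if __name__ == "__main__":
    print("writable before:", writable_attributes(SAMPLE_LDAP_CONFIG))
    new_xml, changed = make_attributes_read_only(SAMPLE_LDAP_CONFIG)
    print("changed:", changed)
    print("writable after:", writable_attributes(new_xml))
```

Keep a backup of ldap.config and diff it against the rewritten output before replacing the file; `ET.tostring` normalizes whitespace and self-closing tags, so the diff will show formatting changes alongside the AccessLevel edits.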
Notes about single sign-on
With a multi-domain environment, take special care about potential naming conflicts across domains. If two users share the username "jdoe" in two different domains, Telligent Community may not be able to determine which of the two accounts to retrieve from LDAP.
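The naming conflict described above, as an added example that is not part of the article or the product: given a set of user entries as a Global Catalog search would return them, the script reports every bare username (sAMAccountName) that exists in more than one domain, and shows that resolving by the user principal name (user@domain) stays unambiguous while resolving by bare username does not. The directory entries are constructed for the demonstration; the attribute names are standard Active Directory ones.

```python
"""Added example: find cross-domain username collisions in Global Catalog
results and resolve a login unambiguously. Entries are constructed."""
from collections import defaultdict

# Constructed Global Catalog results: the same bare username in two domains.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.mycompany.com",
     "domain": "corp.mycompany.com"},
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@emea.mycompany.com",
     "domain": "emea.mycompany.com"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@corp.mycompany.com",
     "domain": "corp.mycompany.com"},
]


class AmbiguousUserError(LookupError):
    """A bare username matched accounts in more than one domain."""


def find_username_conflicts(entries):
    """Map each sAMAccountName found in more than one domain to the sorted
    list of user principal names that share it."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["sAMAccountName"].lower()].append(e["userPrincipalName"])
    return {name: sorted(upns) for name, upns in by_name.items() if len(upns) > 1}


def resolve_user(entries, login):
    """Resolve a login to exactly one entry. A UPN (user@domain) is matched on
    userPrincipalName, which is unique across the forest; a bare username is
    matched on sAMAccountName and raises AmbiguousUserError when more than one
    domain has an account with that name."""
    login_l = login.lower()
    if "@" in login_l:
        matches = [e for e in entries if e["userPrincipalName"].lower() == login_l]
    else:
        matches = [e for e in entries if e["sAMAccountName"].lower() == login_l]
    if not matches:
        raise KeyError(login)
    if len(matches) > 1:
        domains = ", ".join(sorted(e["domain"] for e in matches))
        raise AmbiguousUserError(f"{login!r} exists in {len(matches)} domains: {domains}")
    return matches[0]


def is_ambiguous(entries, login):
    """True when the login cannot be resolved to a single account."""
    try:
        resolve_user(entries, login)
    except AmbiguousUserError:
        return True
    return False


if __name__ == "__main__":
    print("conflicts:", find_username_conflicts(DIRECTORY))
    print("asmith ->", resolve_user(DIRECTORY, "asmith")["domain"])
    print("jdoe@emea.mycompany.com ->", resolve_user(DIRECTORY, "jdoe@emea.mycompany.com")["domain"])
    print("jdoe ambiguous:", is_ambiguous(DIRECTORY, "jdoe"))
```

Running `find_username_conflicts` over an export of the forest's user accounts before enabling single sign-on tells you which logins will be ambiguous; for those, the sign-on identity should carry the domain (the user principal name) rather than the bare username.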