Resolution
Consider the following setup:
1) Windows 2008 AD Domain Server (acme.com)
- Single domain server in it's own forest
- Windows 2003 domain functional level
- Two way trust configured with emea.acme.com
2) Windows 2008 AD Domain Server (emea.acme.com)
- Child domain of above (acme.com)
- Windows 2003 domain functional level
- Two way trust configured with acme.com
Create two universal security groups in acme.com with the following members:
Note: Reference the following article on Active Directory Group Scope):
(Group)
CN=GroupA,OU=employees,DC=acme,DC=com
(memberOf)
CN=jsmith,OU=employees,DC=acme,DC=com
CN=djones,OU=employees,DC=emea,DC=acme,DC=com
(Group)
CN=GroupB,OU=employees,DC=acme,DC=com
(memberOf)
CN=djones,OU=employees,DC=emea,DC=acme,DC=com
One can browse these groups using an ldap browser (Softerra) and see all members.
If you configure an AD based application in Access Governance Suite (5.1p3, for example) with the following:
searchScope: SUBTREE
port: 3268
searchDN: DC=acme,DC=com
iterateSearchFilter: (memberOf=CN=GroupA,OU=employees,DC=acme,DC=com)
or
iterateSearchFilter: (memberOf=CN=GroupB,OU=employees,DC=acme,DC=com)
and run "connectorDebug AD iterate", you will see all users belonging to each group.
The key to this is that you connect to the global catalog server (port 3268) instead of the standard ldap port of 389.
If you connect to port 389, then you will have problems viewing all the group members.
You should always verify operation by using an ldap browser (such as Softerra), which should behave like identityIQ, in what data it displays.
An explanation of Global Catalog Servers within Active Directory can be found here:
http://technet.microsoft.com/en-us/library/cc977998.aspx