It would be great if it were possible, for example when connecting to Microsoft AD, to add failover URLs directly in the directory connector.
When using Crowd to connect to Microsoft AD today, it's possible to add failover by creating another (identical) directory and then adding them both to the application's directories.
However, this setup has many drawbacks.
In our setup we have a global Microsoft AD (which is available at 4 URLs/IPs), and in our setup for our country it fetches only "our" users from the AD (2000 of a total of 40.000). We also have our "jira" groups created locally in the Crowd instance.
Using the above approach gives the following issues:
- Having multiple directories with the same config (except the URL) is error-prone, and it's easy to make a mistake with one directory when updating its config.
- Since all groups are created in the primary directory, we must use directory aggregation in order to have the groups if the users log in from the failover group. However, directory aggregation is not wanted for our other directories with customer users.
- It's not possible from the failover directory to filter out who can authenticate (e.g. users in the confluence-users group only); instead everyone must be able to authenticate in Crowd --> we need to have a higher Crowd license than necessary.
- Crowd must duplicate the same users since it needs to fetch them again for all directories, unless using a delegated authentication directory. However, with a delegated directory, the application can no longer use incremental synchronization.