Default and Named Cells in AD Bridge
When you create a cell, AD Bridge creates a container object, CN=$LikewiseIdentityCell, in the domain root or in the OU where you created the cell.
There are two types of AD Bridge Cells:
- Default Cell: A cell located at the root of the domain; the Linux/Unix-specific data is stored directly in the AD user or group object. It is called the Default Cell because it is the cell that applies when no other cell is found. This should be your primary method for mapping identities.
In a multi-domain or multi-forest enterprise, the Default Cells of the domains merge into a single, enterprise-wide Default Cell, where users from each domain can authenticate with their credentials. Users' UIDs, GIDs, and other settings are defined separately in each domain, but nothing additional is needed at the domain level to enable the user to authenticate.
Each forest that has a two-way transitive forest trust with the computer's forest is listed in the Default Cell. Each domain, in each forest, can opt in to this enterprise-wide Default Cell by creating a Default Cell in that domain. Any user who is listed in the Default Cell in a domain can be seen by the AD Bridge-enabled operating systems of any computer joined to the Default Cell.
When used with Directory Integrated mode, various attributes are indexed in the global catalog. This enables faster lookups and logins across the forest.
- Named Cell: A Named Cell is associated with an organizational unit (OU) and takes its name from the OU in which the cell resides. The Unix-specific data is stored in CN=Users and CN=Groups inside the $LikewiseIdentityCell container object. These objects point to the Active Directory user or group with a back-linked security identifier (SID). This allows a mapping that differs from what is configured on the user/group object itself.
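As an added example (not AD Bridge's own code), the following Python models which cell governs a computer account and where that cell keeps a user's Unix identity data. It assumes the lookup checks the computer's OU and each parent OU for a Named Cell before falling back to the Default Cell at the domain root, and that a Named Cell's per-user object uses the same CN as the AD user; all DNs and the cell layout are constructed.

```python
# Added example, not AD Bridge's own code. ASSUMPTION: the cell lookup walks
# from the computer's OU up through parent OUs looking for a Named Cell and
# uses the Default Cell at the domain root only when none is found.
from typing import Optional

CELL_RDN = "CN=$LikewiseIdentityCell"  # container AD Bridge creates per cell


def parent_dn(dn: str) -> str:
    """Drop the leading RDN: the DN of the container holding this object."""
    return dn.split(",", 1)[1]


def domain_root(dn: str) -> str:
    """Keep only the DC= components: the DN of the domain root."""
    return ",".join(p for p in dn.split(",") if p.upper().startswith("DC="))


def cell_for_computer(computer_dn: str, cells: set[str]) -> Optional[tuple[str, str]]:
    """Return ("named", cell_dn) for the nearest Named Cell above the computer,
    ("default", cell_dn) for the domain-root Default Cell, or None if neither
    exists. Matching is case-insensitive, as DN comparison is."""
    known = {c.lower() for c in cells}
    root = domain_root(computer_dn)
    container = parent_dn(computer_dn)
    while container.lower() != root.lower():
        candidate = f"{CELL_RDN},{container}"
        if candidate.lower() in known:
            return ("named", candidate)
        container = parent_dn(container)
    default = f"{CELL_RDN},{root}"
    return ("default", default) if default.lower() in known else None


def mapping_location(kind: str, cell_dn: str, user_dn: str) -> str:
    """Where the Unix identity data for a user lives: directly on the AD user
    object for the Default Cell, or on a separate object under CN=Users in the
    cell container for a Named Cell (ASSUMPTION: same CN as the AD user)."""
    if kind == "default":
        return user_dn
    user_cn = user_dn.split(",", 1)[0]  # e.g. "CN=jdoe"
    return f"{user_cn},CN=Users,{cell_dn}"


# Constructed sample: a Default Cell at the root plus one Named Cell on OU=Finance.
CELLS = {
    "CN=$LikewiseIdentityCell,DC=example,DC=com",
    "CN=$LikewiseIdentityCell,OU=Finance,DC=example,DC=com",
}

if __name__ == "__main__":
    print(cell_for_computer("CN=web01,OU=Linux,OU=Finance,DC=example,DC=com", CELLS))
```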
Which cell should we use?
The Default Cell should always be used. It allows seamless integration across the forest and uses the information stored directly in the user/group attributes.
Named Cells should be used when there are systems that require a different mapping from the one in the Default Cell, or for foreign users (across one-way trusts) whose information we cannot easily look up.