1. Home
  2. Server
  3. How bind ldap to foreign trusted domain account for application authentification

How bind ldap to foreign trusted domain account for application authentification

Rsdaa 16/12/2021 286

Hello community

I'm using LDAP authentication (A.D) on my application (like redmine, pfsense, or ESXi).

I recently successfully made a trust relationship 2 way between my domain PARIS.france and a foreign domain BERLIN.germany. The domain trust relationship look's OK, DNS too, I can browse each domain.

I did create a local group "application-access" in my A.D PARIS.france, containing user PARIS\Pierre and BERLIN\Otto

But when i try to login from the web application, only Pierre seems to work. Otto can't authenticate.

When i look further, i see in my group that Pierre have a SamAccountName, but Otto it a special kind of object ( this object is just a placeholder for a user or group from a trusted external domain ) and dont have a such attribute.. i guess that why it does not work ?

I never work before with trusted domain, it's a lab i'm doing for understand how it work. I'm trying make BERLIN user's can authenticate in my application trought the classic ldap bind. Of course i could change the binding for bind on the BERLIN active directory.. but that not the way it supposed to work right? I'm stuck since some week now trying to make a very basic thing.

Thank for reading and your guidance.

Regards

Edited Apr 23, 2021 at 19:37 UTC

Popular Topics in Windows Server

The help desk software for IT. Free.

Track users' IT needs, easily, and with only the features you need.

2 Replies

LDAP is different to AD. the AD trust can be used by native AD authentication scenarios but not LDAP. AD's LDAP interface still uses the LDAP standard so when it lists the users of the new group it will return thier full distinguished name (dn) example:

member: CN=User1,OU=Users,DC=PARIS,DC=francemember: CN=User2,OU=Users,DC=BERLIN,DC=germany

France can still authenticate Germany users, but you need to use the correct ldap syntax or base dn. Typically you can define more than one base dn - so if you add both then it will match. or use fuzzy logic to only match CN from the group.

hum, Ok so if i understand well,

the creation of the AD trust relationship between PARIS.france and BERLIN.germany, make a sort of proxyldap that allow me to query the DC=BERLIN,DC=germany schema from my PARIS.france AD server . Am i right ?

Actually i'm trying to query the DC=BERLIN,DC=germany schema but doesnt seem to work. I did try the following ldapsearch with both a standard user account binding and also domain admin account in in PARIS.france schema.

ldapsearch -H ldap://172.16.1.1 -b "dc=BERLIN,dc=germany" -x -W -D "bind@paris.france"Enter LDAP Password:# extended LDIF## LDAPv3# basewith scope subtree# filter: (objectclass=*)# requesting: ALL## search resultsearch: 2result: 10 Referraltext: 0000202B: RefErr: DSID-031007F9, data 0, 1 access points ref 1: 'berlin.germany'ref: ldap://berlin.germany/BERLIN,dc=germany# numResponses: 1

Edited Apr 29, 2021 at 21:54 UTC


PREV: Nginx Proxy Server | Foundry Virtual Tabletop

NEXT: Docker Install Nginx

Popular Articles

Hot Articles

Navigation Lists

Back to Top