
How bind ldap to foreign trusted domain account for application authentification

Rsdaa 16/12/2021 135

Hello community

I'm using LDAP authentication (AD) in my applications (like Redmine, pfSense, or ESXi).

I recently set up a successful two-way trust relationship between my domain PARIS.france and a foreign domain BERLIN.germany. The domain trust relationship looks OK, DNS too; I can browse each domain.

I created a local group "application-access" in my AD PARIS.france, containing the users PARIS\Pierre and BERLIN\Otto.

But when I try to log in from the web application, only Pierre seems to work. Otto can't authenticate.

When I look further, I see in my group that Pierre has a sAMAccountName, but Otto is a special kind of object (this object is just a placeholder for a user or group from a trusted external domain) and doesn't have such an attribute. I guess that's why it doesn't work?

I have never worked with trusted domains before; it's a lab I'm doing to understand how it works. I'm trying to make BERLIN users able to authenticate in my application through the classic LDAP bind. Of course I could change the binding to bind to the BERLIN Active Directory, but that's not the way it's supposed to work, right? I've been stuck for some weeks now trying to make a very basic thing work.

Thanks for reading and for your guidance.

Regards

Edited Apr 23, 2021 at 19:37 UTC


2 Replies

LDAP is different to AD. The AD trust can be used by native AD authentication scenarios but not LDAP. AD's LDAP interface still uses the LDAP standard, so when it lists the users of the new group it will return their full distinguished name (DN), for example:

    member: CN=User1,OU=Users,DC=PARIS,DC=france
    member: CN=User2,OU=Users,DC=BERLIN,DC=germany

France can still authenticate Germany users, but you need to use the correct LDAP syntax or base DN. Typically you can define more than one base DN, so if you add both then it will match, or use fuzzy logic to match only the CN from the group.

Hmm, OK, so if I understand well,

the creation of the AD trust relationship between PARIS.france and BERLIN.germany makes a sort of LDAP proxy that allows me to query the DC=BERLIN,DC=germany schema from my PARIS.france AD server. Am I right?

Actually I'm trying to query the DC=BERLIN,DC=germany schema but it doesn't seem to work. I tried the following ldapsearch, binding with both a standard user account and also a domain admin account in the PARIS.france schema.

    ldapsearch -H ldap://172.16.1.1 -b "dc=BERLIN,dc=germany" -x -W -D "bind@paris.france"
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <dc=BERLIN,dc=germany> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 10 Referral
    text: 0000202B: RefErr: DSID-031007F9, data 0, 1 access points
    	ref 1: 'berlin.germany'
    ref: ldap://berlin.germany/BERLIN,dc=germany

    # numResponses: 1

Edited Apr 29, 2021 at 21:54 UTC
