My application defines authorized users via LDAP (usually Active Directory):
I've come upon a situation where two Active Directories trust each other, and the specified GroupA in TreeA contains users from TreeB. So step #2 fails because I'm trying to authenticate UserB (from TreeB) against TreeA.
The application has access to TreeA, so I suppose it could look in GroupA and see UserB there. But how would it know that it needs to send bind requests to TreeB to authenticate the username and password?
Is there a better way to approach this?
Should such bind requests to TreeA automagically get forwarded to TreeB since there is a trust relationship??
Navigate to the Manage | User | Settings page. Click on Configure LDAP after selecting LDAP + Local Users under Authentication method for login. In the Name or IP address field enter the FQDN or IP address of the LDAP server (Domain A - in this example hal-2010. local) against which you wish to authenticate.
In LDAP, authentication is supplied in the "bind" operation. LDAP v3 supports three types of authentication: anonymous, simple and SASL authentication.
In order to authenticate a user with an LDAP directory you first need to obtain their DN as well as their password. With a login form, people typically enter a simple identifier such as their username or email address. You don't expect them to memorise the DN of their directory entry.
LDAP authentication involves verifying provided usernames and passwords by connecting with a directory service that uses the LDAP protocol. Some directory-servers that use LDAP in this manner are OpenLDAP, MS Active Directory, and OpenDJ.
It can be that you have just configuration problem on the LDAP server (TreeA). You wrote that there are trust between TreeA and TreeB, so that you can add UserB (from TreeB) as the member of the GroupA in TreeA. If you can do this, than you have successfully establish trust in the correct direction between TreeA and TreeB. You should understand, that trust mean only that Active Directory B verify the user password only, but UserB per default will have no access to any resources from the Active Directory A. The UserB can has no permission to make LDAP bind to the server A. In the case the problem will solved by granting the UserB the remote login permission on the server A and the read access to GroupA and probably read permission to the OU where GroupA exist. You can try Insight for Active Directory to monitor AD access to localize the permission problems.
Other possible reason of your problem could be the usage of API which you use to LDAP access. In you question you don't wrote any information about the API. Do you use Win32 API like ldap_bind_s or use DirectoryEntry in .NET? In both cases it could be important that you either use explicitly domain name together with the account name (for UserB) during the binding or use null
for both name and the password to user current user credential.
The usage of fixed account from TreeA for all accesses to TreeA (also for tests about UserB) could also solve the problem, but it could be possible only is some kind of application usage.
In any way more information in your question could narrow the problem and the ways to solve the problem.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With