LDAP user authentication across trusted domains

authentication active-directory ldap dns trust
DougN picture DougN · Feb 19, 2011 · Viewed 32.8k times · Source

My application defines authorized users via LDAP (usually Active Directory):

  1. The customer defines an LDAP server (TreeA) and a group (GroupA). Any users in GroupA can use the application.
  2. At login time, a user sends their username and password -- if a bind to the LDAP TreeA with their credentials works, AND their user account is in a GroupA, they are good to go

I've come upon a situation where two Active Directories trust each other, and the specified GroupA in TreeA contains users from TreeB. So step #2 fails because I'm trying to authenticate UserB (from TreeB) against TreeA.

The application has access to TreeA, so I suppose it could look in GroupA and see UserB there. But how would it know that it needs to send bind requests to TreeB to authenticate the username and password?

Is there a better way to approach this?
Should such bind requests to TreeA automagically get forwarded to TreeB since there is a trust relationship??

Answer

Oleg picture Oleg · Feb 23, 2011

It can be that you have just configuration problem on the LDAP server (TreeA). You wrote that there are trust between TreeA and TreeB, so that you can add UserB (from TreeB) as the member of the GroupA in TreeA. If you can do this, than you have successfully establish trust in the correct direction between TreeA and TreeB. You should understand, that trust mean only that Active Directory B verify the user password only, but UserB per default will have no access to any resources from the Active Directory A. The UserB can has no permission to make LDAP bind to the server A. In the case the problem will solved by granting the UserB the remote login permission on the server A and the read access to GroupA and probably read permission to the OU where GroupA exist. You can try Insight for Active Directory to monitor AD access to localize the permission problems.

Other possible reason of your problem could be the usage of API which you use to LDAP access. In you question you don't wrote any information about the API. Do you use Win32 API like ldap_bind_s or use DirectoryEntry in .NET? In both cases it could be important that you either use explicitly domain name together with the account name (for UserB) during the binding or use null for both name and the password to user current user credential.

The usage of fixed account from TreeA for all accesses to TreeA (also for tests about UserB) could also solve the problem, but it could be possible only is some kind of application usage.

In any way more information in your question could narrow the problem and the ways to solve the problem.

Related questions

Authenticating in PHP using LDAP through Active Directory

I'm looking for a way to authenticate users through LDAP with PHP (with Active Directory being the provider). Ideally, it should be able to run on IIS 7 (adLDAP does it on Apache). Anyone had done anything similar, with success? Edit: …

Read More
Authenticating against Active Directory with Java on Linux

I have a simple task of authenticating against Active Directory using Java. Just verifying credentials and nothing else. Let's say my domain is "fun.xyz.tld", OU path is unknown, and username/password is testu/testp. I know there's a …

Read More
Authenticating against active directory using python + ldap

How do I authenticate against AD using Python + LDAP. I'm currently using the python-ldap library and all it is producing is tears. I can't even bind to perform a simple query: import sys import ldap Server = "ldap://my-ldap-server" DN, Secret, …

Read More