LDAP user authentication across trusted domains

DougN picture DougN · Feb 19, 2011 · Viewed 32.8k times · Source

My application defines authorized users via LDAP (usually Active Directory):

  1. The customer defines an LDAP server (TreeA) and a group (GroupA). Any users in GroupA can use the application.
  2. At login time, a user sends their username and password -- if a bind to the LDAP TreeA with their credentials works, AND their user account is in a GroupA, they are good to go

I've come upon a situation where two Active Directories trust each other, and the specified GroupA in TreeA contains users from TreeB. So step #2 fails because I'm trying to authenticate UserB (from TreeB) against TreeA.

The application has access to TreeA, so I suppose it could look in GroupA and see UserB there. But how would it know that it needs to send bind requests to TreeB to authenticate the username and password?

Is there a better way to approach this?
Should such bind requests to TreeA automagically get forwarded to TreeB since there is a trust relationship??

Answer

Oleg picture Oleg · Feb 23, 2011

It can be that you have just configuration problem on the LDAP server (TreeA). You wrote that there are trust between TreeA and TreeB, so that you can add UserB (from TreeB) as the member of the GroupA in TreeA. If you can do this, than you have successfully establish trust in the correct direction between TreeA and TreeB. You should understand, that trust mean only that Active Directory B verify the user password only, but UserB per default will have no access to any resources from the Active Directory A. The UserB can has no permission to make LDAP bind to the server A. In the case the problem will solved by granting the UserB the remote login permission on the server A and the read access to GroupA and probably read permission to the OU where GroupA exist. You can try Insight for Active Directory to monitor AD access to localize the permission problems.

Other possible reason of your problem could be the usage of API which you use to LDAP access. In you question you don't wrote any information about the API. Do you use Win32 API like ldap_bind_s or use DirectoryEntry in .NET? In both cases it could be important that you either use explicitly domain name together with the account name (for UserB) during the binding or use null for both name and the password to user current user credential.

The usage of fixed account from TreeA for all accesses to TreeA (also for tests about UserB) could also solve the problem, but it could be possible only is some kind of application usage.

In any way more information in your question could narrow the problem and the ways to solve the problem.