0 votes

There are two external forest trusted domains: DomainA and DomainB.

DomainA contains Global Groups GG-1 and GG-2, and users are members of these groups:

  • U1 memberOf GG-1
  • U2 memberOf GG-2

DomainB contains Domain Local Group DLG-1 and groups GG-1 and GG-2 are members of this group.

Now when U1 is authenticated against DomainA we expected to get the membership of both GG-1 and DLG-1 but we are getting only GG-1.

Is there any way we can identify the cross-domain group memberships of the user, directly or indirectly, using Java?

1 Answer

1 vote

If you use Java, that means you are using LDAP to query Active Directory. What you want will not work using the default LDAP port.

However, if you query the Global Catalog on port 3268 using LDAP it is possible to retrieve cross-domain memberships.

EDIT: If this does not yield any results, either you need a Universal Group (not likely) or the GC needs to be set up properly.

EDIT2: Given that you do not have a GC, the only other option is to create a referral object in AD that points to the external domain. See http://support.microsoft.com/kb/241737 for how to set this up.

You then have to configure your Java LDAP environment to follow referrals like this: env.put(Context.REFERRAL, "follow");.
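The two settings the answer describes, the Global Catalog port 3268 and Context.REFERRAL set to "follow", put together in a JNDI lookup. This is an added example, not code from the original question or answer. The host name gc.domaina.example, the search base, the bind DN and the account name U1 are placeholders; the GC only returns what has been replicated to it, so which groups appear depends on the GC and referral setup the answer discusses.

```java
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

public class GcMembershipLookup {

    // Placeholder values (assumptions, not from the original post): use your own GC host,
    // search base and a read-only service account. Port 3268 is the Global Catalog port
    // from the answer; 3269 is its TLS-protected equivalent and is preferable in production.
    private static final String GC_URL = "ldap://gc.domaina.example:3268";
    private static final String SEARCH_BASE = "DC=domaina,DC=example";
    private static final String BIND_DN = "CN=ldap-reader,OU=Service Accounts,DC=domaina,DC=example";

    // Returns the distinguished names listed in the user's memberOf attribute as seen by the GC.
    public static List<String> groupsOf(String sAMAccountName, String bindPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, GC_URL);                 // query the Global Catalog, not port 389
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        env.put(Context.REFERRAL, "follow");                   // chase referrals to other domains (answer's EDIT2)

        // Escape the account name so a crafted value cannot change the meaning of the LDAP filter.
        String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(sAMAccountName) + "))";

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"memberOf"});

        List<String> groups = new ArrayList<>();
        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE, filter, sc);
            while (results.hasMore()) {
                Attributes attrs = results.next().getAttributes();
                Attribute memberOf = attrs.get("memberOf");
                if (memberOf == null) {
                    continue;                                  // user found but no replicated memberships
                }
                NamingEnumeration<?> values = memberOf.getAll();
                while (values.hasMore()) {
                    groups.add(values.next().toString());
                }
            }
        } finally {
            ctx.close();
        }
        return groups;
    }

    // RFC 4515 escaping for values embedded in an LDAP search filter.
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NamingException {
        // Read the bind password from the environment rather than hard-coding it.
        for (String dn : groupsOf("U1", System.getenv("LDAP_BIND_PASSWORD"))) {
            System.out.println(dn);
        }
    }
}
```

With Context.REFERRAL left at its default, JNDI throws a ReferralException the moment the GC hands back a referral to another domain, which is why the answer's last line matters once a referral object is in place. The filter escaping is not in the original answer; it is there because the account name usually comes from user input.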