
I have some issues with an LDAP query for users from a trusted domain:

I have two completely independent domains:

DomainA (dc=mycity, dc=mycompany, dc=local)

and

DomainB (dc=test, dc=somewhat, dc=local).

DomainB trusts DomainA (one way). Both domains were setup and are controlled by customers.

DomainA has a global group „fs“ and some users (for example user1 and user2, both members of DomainA) are members of this group.

DomainB has a local group „companyusers“ and fs is added as a member. This local group is a member of another group (for example „admins“ or „servicedesk“).

Now when I query DomainB and the filter is set to (sAMAccountName=user1) I don't get any results. Also when I query all members with

(memberof=CN=companyusers,CN=users,dc=test,dc=somewhat,dc=local)

or

(memberof:1.2.840.113556.1.4.1941:=CN=companyusers,CN=users,dc=test,dc=somewhat,dc=local)

I still can't see the users which are part of DomainA.

[CN=companyusers,CN=users,dc=test,dc=somewhat,dc=local is the path I get when I do the query with (&(objectClass=group)(name=companyusers))]

1 Answer


The concept of being able to perform an LDAP query across AD domains is complex and has several dependencies.

To perform an LDAP query across domains, they MUST be in the same AD forest, and you would need to connect to the Global Catalog.

You can locate the Distinguished names of Domain Controllers which host the Global Catalog using the following LDAP Query:

(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))

Even then, the LDAP query will only work for group members unless all group types are Universal Groups.

Finally, 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) filters ONLY work against Distinguished-Name-based attributes.
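The two steps the answer describes, locating the Global Catalog servers with the nTDSDSA query and then running the in-chain membership filter against the GC rather than a single domain's LDAP port, as an added PowerShell example (not from the original post). It uses System.DirectoryServices on a domain-joined Windows host; the DNs come from the question, and treating DC=test,DC=somewhat,DC=local as the forest root is an assumption.

```powershell
# Added example, not part of the original answer. Assumes a domain-joined Windows host
# with System.DirectoryServices available (no RSAT module needed). DNs are taken from
# the question; the forest root (DC=test,DC=somewhat,DC=local) is an assumption.
$forestRootDn = "DC=test,DC=somewhat,DC=local"           # assumption: DomainB is the forest root
$groupDn      = "CN=companyusers,CN=Users,$forestRootDn"  # group DN from the question

# 1. Find which DCs host the Global Catalog. Each DC's "NTDS Settings" object
#    (objectClass nTDSDSA) lives in the Configuration partition; bit 0x1 of its
#    options attribute (NTDSDSA_OPT_IS_GC) is set when that DC is a GC.
$cfgRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Configuration,$forestRootDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($cfgRoot)
$searcher.Filter = "(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
$gcServers = foreach ($hit in $searcher.FindAll()) {
    # The nTDSDSA object's parent is the server object, e.g. CN=DC01,CN=Servers,CN=<site>,...
    $ntdsDn = [string]$hit.Properties["distinguishedname"][0]
    ($ntdsDn -split ",", 2)[1]                             # strip the "CN=NTDS Settings," RDN
}
Write-Host "Global Catalog servers:"
$gcServers

# 2. Run the in-chain membership query against the Global Catalog (port 3268) via the
#    GC:// moniker instead of a single domain's LDAP port.
$gcRoot     = New-Object System.DirectoryServices.DirectoryEntry("GC://$forestRootDn")
$gcSearcher = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
$gcSearcher.Filter   = "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)"
$gcSearcher.PageSize = 500                                 # paged results for large groups
$gcSearcher.PropertiesToLoad.AddRange(@("sAMAccountName", "objectClass", "distinguishedName"))
foreach ($hit in $gcSearcher.FindAll()) {
    # The most specific objectClass shows whether a member resolved to a real user
    # object or to a foreignSecurityPrincipal placeholder (how members from an
    # external trusted domain are represented in the trusting domain; those have
    # no sAMAccountName, so index defensively).
    $cls = $hit.Properties["objectclass"] | Select-Object -Last 1
    $sam = @($hit.Properties["samaccountname"])[0]
    "{0,-20} {1,-25} {2}" -f $sam, $cls, $hit.Properties["distinguishedname"][0]
}
```

If the user objects from the trusted domain live in a different forest, this query still returns nothing, which is the constraint the answer states.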