LDAP Authentication to an Active Directory Trust

I'm having an issue with an application using LDAP authenticating a user through an AD Trust.

I have userA in domainA and userB in domainB. There is a two-way trust between domains that's validated and works. And I can add userB to groups in domainA, which creates a ForeignSecurityPrincipal for that user (S-1-5-21-...). Also userA can launch a JBoss application tied to ldapA which is authenticated through domainA; userA gets validated properly with roles.

However, when userB launches the app tied to ldapA which authenticates through domainA, which has the trust to domainB, userB is not seen.

How does LDAP query/see userB in domainB through the trust, i.e. see the samAccountName in the foreignSecurityPrincipal?

Note that userA and userB need to be authenticated against the groups in domainA. Also note that userB is part of "ABC Users", not "Users", on domainB.

JBoss login module settings are shown below.

    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
    <module-option name="bindDN" value="ldapadmin@domainA.us" />
    <module-option name="bindCredential" value="Password#1" />
    <module-option name="baseCtxDN" value="DC=domainA,DC=us" />
    <module-option name="baseFilter" value="(sAMAccountName={0})" />
    <module-option name="rolesCtxDN" value="CN=Users,DC=domainA,DC=us" />
    <module-option name="roleAttributeID" value="memberOf" />
    <module-option name="roleFilter" value="(cn={0})" />
    <module-option name="roleNameAttributeID" value="cn" />
    <module-option name="roleAttributeIsDN" value="true" />
    <module-option name="roleRecursion" value="2" />
    <module-option name="matchOnUserDN" value="false" />
    <module-option name="uidAttributeID" value="samAccountName" />
    <module-option name="Context.REFERRAL" value="follow" />
    <module-option name="throwValidateError" value="true" />
    <module-option name="searchTimeLimit" value="15000" />
    <module-option name="searchScope" value="ONELEVEL_SCOPE" />
    <module-option name="allowEmptyPasswords" value="false" />
    <module-option name="criticalControls" value="false" />
    <module-option name="debug" value="true" />


Edited by twiggster, Tuesday, September 5, 2017 8:45 PM
Moved by Just Karl (Moderator), Wednesday, September 6, 2017 2:07 PM: Looking for the correct forum
Tuesday, September 5, 2017 8:43 PM
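The failure mode described in the post, as an added example that is not part of the original question: a small constructed model of the domainA directory in Python, showing that the posted baseFilter "(sAMAccountName={0})" under baseCtxDN DC=domainA,DC=us matches userA but cannot match userB, because userB's only object in domainA is a foreignSecurityPrincipal whose CN is a SID and which carries no sAMAccountName. The group name "AppRole", the SID value and the DNs are assumptions; no real LDAP server is involved.

```python
"""Constructed in-memory model of the domainA directory (added example, not from the
original post); SID, group name and DNs are made up, no real LDAP server is involved."""

# An FSP's CN is the trusted domain's SID and it has no sAMAccountName; userB's real account lives in domainB.
FSP_DN = ("CN=S-1-5-21-1111111111-2222222222-3333333333-1105,"
          "CN=ForeignSecurityPrincipals,DC=domainA,DC=us")
USER_A_DN = "CN=userA,CN=Users,DC=domainA,DC=us"
GROUP_DN = "CN=AppRole,CN=Users,DC=domainA,DC=us"  # constructed group name

DOMAIN_A = [
    {"dn": USER_A_DN, "objectClass": "user", "sAMAccountName": "userA",
     "memberOf": [GROUP_DN]},
    {"dn": FSP_DN, "objectClass": "foreignSecurityPrincipal",
     "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "memberOf": [GROUP_DN]},
    {"dn": GROUP_DN, "objectClass": "group", "member": [USER_A_DN, FSP_DN]},
]

def get_attr(entry, name):
    """LDAP attribute names are case-insensitive (samAccountName == sAMAccountName)."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value
    return None

def search(directory, base_dn, attribute, value):
    """Equality search at or below base_dn, i.e. the LDAP filter (attribute=value)."""
    return [e["dn"] for e in directory
            if e["dn"].lower().endswith(base_dn.lower())
            and isinstance(get_attr(e, attribute), str)
            and get_attr(e, attribute).lower() == value.lower()]

def find_user(directory, username):
    """The posted user lookup: baseCtxDN DC=domainA,DC=us with baseFilter (sAMAccountName={0})."""
    return search(directory, "DC=domainA,DC=us", "sAMAccountName", username)

def group_members(directory, group_dn):
    """Map each member DN to (objectClass, sAMAccountName): userB appears only as an FSP."""
    group = next(e for e in directory if e["dn"] == group_dn)
    result = {}
    for member_dn in group["member"]:
        member = next(e for e in directory if e["dn"] == member_dn)
        result[member_dn] = (member["objectClass"], get_attr(member, "sAMAccountName"))
    return result

if __name__ == "__main__":
    print(find_user(DOMAIN_A, "userA"))  # ['CN=userA,CN=Users,DC=domainA,DC=us']
    print(find_user(DOMAIN_A, "userB"))  # []  (the FSP carries no sAMAccountName)
    print(group_members(DOMAIN_A, GROUP_DN))
```

Resolving the FSP back to a sAMAccountName requires querying domainB (or a Global Catalog) by the SID; the filter above only ever sees domainA objects.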
