LDAP auth for multiple domains in Active Directory?

Hi,

I have just successfully installed and configured Openfire in a Microsoft Active Directory environment, authenticating users via LDAP against one single domain (“my” domain),

dc=first,dc=entry,dc=example,dc=com

I can authenticate myself just fine, being a member of that domain.

Alas, there are users around who are part of an other domain

dc=second,dc=entry,dc=example,dc=com

where “entry.example.com” is the common root for both the second and first entry. I would like to enable authentication for both domains (a whole forest of domains, actually), i.e.

me@first.entry.example.com

someone@second.entry.example.com

but do not know how to accomplish this.

In Bugzilla I tweaked the Perl LDAP lookup code such that the standard Active Directory logins

first\me

second\someone

would work, translating the “first” and “second” to a dn= entry on querying. My local LDAP server would then send me an LDAP_REFERRAL response to the other domain LDAP server, which I then could query to get authentication.

How would one do this for Openfire? The challenge is to enable LDAP for a forest of domains (hosted on Active Directory).

Many thanks

Stefan

Is it possible to use a common baseDN for the forest? I'm not real sure how AD handles that, so it's just a guess. Another thought is to use the alternateBaseDN for the second domain. This gets you two, anyways. Both of my ideas require that a single LDAP server can respond to the queries. I don't know what will happen if referrals are used.

If those two domains are children of a forest, all you need to do is use port 3268 (instead of the standard LDAP port) against your top level domain controllers. You will have problems if you have duplicate usernames between your child domains, but if you do not this works well.

Your base DN will be the top level domain. In your example, the base DN might be dc=entry,dc=example,dc=com if entry.example.com is the top level domain.

Hope this helps…

-Andy
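One way to check for the duplicate-username problem Andy mentions before pointing Openfire at the Global Catalog, as an added example that is not part of this thread: query port 3268 with the forest root as base DN and flag any sAMAccountName that appears under more than one DN. It assumes the third-party ldap3 Python library and the thread's example forest names; the sample entries are constructed.

```python
from collections import defaultdict

# Global Catalog port from the answer above; the forest root is the base DN.
GC_PORT = 3268
FOREST_BASE_DN = "dc=entry,dc=example,dc=com"  # thread's example forest root


def find_duplicate_accounts(entries):
    """Group user entries by sAMAccountName (AD matches it case-insensitively)
    and return {name: [dn, ...]} for every name that appears under more than
    one DN, i.e. the collisions that make a forest-wide login ambiguous."""
    seen = defaultdict(set)
    for entry in entries:
        seen[entry["sAMAccountName"].lower()].add(entry["dn"])
    return {name: sorted(dns) for name, dns in seen.items() if len(dns) > 1}


def fetch_forest_users(server_host, bind_dn, password):
    """Pull every user object in the forest from the Global Catalog.
    Assumes the ldap3 library is installed; returns [{dn, sAMAccountName}]."""
    from ldap3 import Server, Connection, SUBTREE  # assumed dependency

    server = Server(server_host, port=GC_PORT)
    conn = Connection(server, user=bind_dn, password=password, auto_bind=True)
    conn.search(FOREST_BASE_DN,
                "(&(objectCategory=person)(objectClass=user))",
                search_scope=SUBTREE, attributes=["sAMAccountName"])
    return [{"dn": e.entry_dn, "sAMAccountName": str(e.sAMAccountName)}
            for e in conn.entries]


# Constructed sample data standing in for a Global Catalog search result.
SAMPLE_ENTRIES = [
    {"dn": "cn=me,cn=Users,dc=first,dc=entry,dc=example,dc=com",
     "sAMAccountName": "me"},
    {"dn": "cn=someone,cn=Users,dc=second,dc=entry,dc=example,dc=com",
     "sAMAccountName": "someone"},
    {"dn": "cn=jsmith,cn=Users,dc=first,dc=entry,dc=example,dc=com",
     "sAMAccountName": "jsmith"},
    {"dn": "cn=jsmith,cn=Users,dc=second,dc=entry,dc=example,dc=com",
     "sAMAccountName": "JSmith"},  # same login name in the other child domain
]

if __name__ == "__main__":
    # Replace SAMPLE_ENTRIES with fetch_forest_users(...) against a real GC.
    for name, dns in find_duplicate_accounts(SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(dns)}")
```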

Perfect

I just need to find out now whether we have duplicate samAccountNames within the child domains; for now, and for my experimenting, the current setup works beautifully.

Good to know that Global Search is supported:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbc_nar_bsad.mspx?mfr=true

Many thanks!

Stefan