My application defines approved users via LDAP (usually Active Directory):

  1. The client defines an LDAP server (TreeA) along with a group (GroupA). Any users in GroupA may use the application.
  2. At login time, a user submits their credentials -- if a bind to LDAP TreeA using their credentials works, and their user account is in GroupA, they're all set.

I have come upon a scenario where two Active Directories trust one another, and the specified GroupA in TreeA contains users from TreeB. So step #2 fails because I am attempting to authenticate UserB (from TreeB) against TreeA.

The application can access TreeA, so I suppose it could look in GroupA and find UserB there. But how would it know that it must send bind requests to TreeB to authenticate the credentials?

Is there a better way to approach this?
Should such bind requests to TreeA automagically get forwarded to TreeB since there's a trust relationship?

Perhaps you could use LDAP replication so that the objects are always contained in both servers?

The application can access TreeA, so I suppose it could look in GroupA and find UserB there. But how would it know that it must send bind requests to TreeB to authenticate the credentials?

The member attribute in GroupA will give the full distinguished name (DN) of every member, which might look something like:

member: CN=User1,OU=People,DC=TreeA,DC=foobar,DC=com
member: CN=User2,OU=People,DC=TreeB,DC=foobar,DC=com

So, when 'User2' tries to authenticate, you can match the CN and know that you ought to be authenticating against 'TreeB' rather than 'TreeA'. (Presumably you'd have some kind of table mapping the DN to the AD server hostname.) Or, you simply brute-force it and try 'TreeB' when you get a 'no such user' from 'TreeA'.

You should decide how to deal with the case of duplicate user names in the two trees - does one take priority over the other?

Another approach would be to require users to specify which tree they are authenticating against, for instance by signing in with a login name like 'user1@treea.foobar.com'.
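The routing described in this answer (read GroupA's member DNs, derive the tree from the DC= components, map it to a server, refuse to guess on duplicate CNs, and accept a 'user@domain' login to disambiguate), as an added example that is not from the original post; the member values and the domain-to-server table are constructed, and the DN parser assumes no escaped commas:

```python
from collections import defaultdict

# Constructed sample of GroupA's multi-valued 'member' attribute (not real directory data).
GROUP_A_MEMBERS = [
    "CN=User1,OU=People,DC=TreeA,DC=foobar,DC=com",
    "CN=User2,OU=People,DC=TreeB,DC=foobar,DC=com",
    "CN=User3,OU=Staff,DC=TreeA,DC=foobar,DC=com",
    "CN=User3,OU=People,DC=TreeB,DC=foobar,DC=com",   # same CN in both trees
]
# Hypothetical table: domain spelled by a DN's DC= components -> LDAP server for that tree.
SERVER_BY_DOMAIN = {
    "treea.foobar.com": "ldap://dc1.treea.foobar.com",
    "treeb.foobar.com": "ldap://dc1.treeb.foobar.com",
}

def split_rdns(dn):
    """Split a DN into (type, value) pairs; assumes no escaped commas in values."""
    return [tuple(s.strip() for s in rdn.split("=", 1)) for rdn in dn.split(",")]

def dn_domain(dn):
    """'CN=User2,OU=People,DC=TreeB,DC=foobar,DC=com' -> 'treeb.foobar.com'."""
    return ".".join(v.lower() for k, v in split_rdns(dn) if k.upper() == "DC")

def index_members(members):
    """Map each member's CN (case-folded) to the set of trees (domains) it appears in."""
    index = defaultdict(set)
    for dn in members:
        index[split_rdns(dn)[0][1].lower()].add(dn_domain(dn))
    return index

def resolve_bind_server(login, members, server_by_domain):
    """Return (server_url, domain) that should authenticate 'login'; 'user@domain'
    names the tree explicitly, a bare username is looked up in GroupA's member DNs.
    Raises LookupError if the user is not in GroupA, is ambiguous, or has no server."""
    index = index_members(members)
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        domain = domain.lower()
        if domain not in index.get(user.lower(), set()):
            raise LookupError(f"{login} is not a member of GroupA")
    else:
        domains = index.get(login.lower(), set())
        if not domains:
            raise LookupError(f"{login} is not a member of GroupA")
        if len(domains) > 1:   # duplicate CN across trusted trees: refuse to guess
            raise LookupError(f"{login} exists in {sorted(domains)}; require user@domain")
        (domain,) = domains
    if domain not in server_by_domain:
        raise LookupError(f"no LDAP server configured for tree {domain}")
    return server_by_domain[domain], domain
```

The application would then issue the actual bind against the returned server URL with the submitted password, and treat every LookupError as a failed login.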

It may be that you just have a configuration problem on the LDAP server (TreeA). You wrote that there is a trust between TreeA and TreeB, so that you can add UserB (from TreeB) as a member of GroupA in TreeA. If this is possible, then you have effectively established trust in the right direction between TreeA and TreeB. You should understand that the trust means that Active Directory B verifies the user's password only, but UserB by default has no access to any resources in Active Directory A. UserB may not have permission to make an LDAP bind to server A. In that case the problem will be solved by granting UserB the remote login permission on server A, read access to GroupA and most likely read permission to the OU where GroupA exists. You can try Insight for Active Directory to monitor AD access to localize the permission problems.

Another possible reason for the problem may be the API that you use for LDAP access. In your question you did not write any details about the API. Do you use the Win32 API like ldap_bind_s or DirectoryEntry in .NET? In both cases it may be essential that you either use the domain name explicitly along with the account name (for UserB) during the binding, or use null for the name and the password to use the current user's credentials.

Using a fixed account from TreeA for all accesses to TreeA (including the checks about UserB) may also solve the problem, but it may be possible only for some kinds of application usage.

In any case, more details in your question could narrow down the problem and the ways to solve it.