LOL. You should have sent this before I started typing. ;o)
 
Why wasn't it in your first answer? You always take that one right out in the first paragraph, and when I read your response I was like, hey, who the heck are you?
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, September 22, 2006 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

I won't put words in his mouth either, but I'll certainly say the same thing.  I had to hold back a shudder when I responded earlier 'cause ldap and authentication might be ok in the same paragraph, but never in the same sentence (except to point out that it should not be in the same sentence :)
 
Would it work if you used the parent domain in a contiguous namespace design? Depends on how they wrote the code.  If it won't follow referrals then likely it will fail. 
 
Try the GC (that is so lame a workaround, but it'll likely work) as Joe suggests and at the same time push back on the vendor to get it right or give you your money back, else give you a more solid workaround (ADAM?)
 
There. Nothing for joe to tell them about fixing their lame app.
 
-ajm

 
On 9/22/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:
You might have them try to work with the GC.  You should be able to
authenticate and find users from any domain via the GC.

I think Joe Richards might also suggest that the vendor learn what they are
doing and either integrate with AD the right way or don't claim they can.
I'll bet they need to talk to a specific domain controller too.  I won't put
words in Joe's mouth though.  :)

Joe

----- Original Message -----
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Friday, September 22, 2006 3:41 PM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP


The application designer is telling me it can only be configured for one
source of authentication, so if the use the domain level authentication will
that allow to authenticate users in the subdomain?

I.e.
domain.com
child.domain.com

If I point the application to use domain.com as authentication source will
that also authenticate users from the child domain?

Thanks




From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, September 22, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP


sub-domain query base: dc=subdomain,dc=domain,dc=com
domain query base: dc=domain,dc=com

When the search is initiated, it will start looking at the query base and,
if so configured, everything below it (subtree search).

In your case, that won't likely happen depending on how you configured it.
If you instead change your query base to dc=domain,dc=com (assuming you have
a contiguous namespace) then you may get different results.

Testing.  You can use ldp, adfind, or any other ldap client if your app
doesn't have that functionality built in.

Since you're security conscious, be mindful of the cert and the ports you're
using during your testing :)

Permissions?  That depends on your configuration and your versions.  Windows
2000 is pretty much open for searches while 2003 requires authenticated
users by default.

Al


On 9/22/06, Ramon Linan < [EMAIL PROTECTED]> wrote:
Hi,

I have an application that uses LDAP to authenticate (authenticates
against AD).

In my AD I have a domain and subdomain or child domain.

I assume that both domain and subdomain use the same LDAP, right?

Also, if the application is using a user from the subdomain to query the
LDAP, what kind of access will that user have to have to authenticate
users at the main domain level.

Basically, the application is authenticating fine the users from the
subdomain but can't find the users from the main domain...


Thanks for any advice.


Rezuma


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
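
The search-base, referral and GC behaviour discussed in this thread, as an added example that is not code from any of the posters or from the vendor's application. It is a small offline model, not a real LDAP client: the users `alice` and `bob` and the function names are constructed, and the domain names follow the `domain.com` / `child.domain.com` example in the thread.

```python
# Constructed model of the forest in the thread; DNs and users are sample data.
PARENT = "dc=domain,dc=com"
CHILD = "dc=child,dc=domain,dc=com"
PARTITIONS = {  # each domain naming context and the users stored in it
    PARENT: ["cn=alice,cn=users,dc=domain,dc=com"],
    CHILD: ["cn=bob,cn=users,dc=child,dc=domain,dc=com"],
}
LDAP_PORT, GC_PORT = 389, 3268  # TLS equivalents are 636 and 3269


def under(dn, base):
    """True when dn is the base itself or sits below it."""
    return dn == base or dn.endswith("," + base)


def dc_search(hosted_nc, port, base):
    """Subtree search answered by one DC: returns (entries, referrals)."""
    if port == GC_PORT:
        # A GC holds a partial replica of every domain in the forest.
        hits = [dn for dns in PARTITIONS.values() for dn in dns if under(dn, base)]
        return hits, []
    owner = max((nc for nc in PARTITIONS if under(base, nc)), key=len, default=None)
    if owner is None:
        return [], []
    if owner != hosted_nc:
        return [], [owner]  # base lives in another domain: referral only
    hits = [dn for dn in PARTITIONS[hosted_nc] if under(dn, base)]
    refs = [nc for nc in PARTITIONS if nc != hosted_nc and under(nc, base)]
    return hits, refs


def client_search(hosted_nc, port, base, chase_referrals):
    """What the application sees, depending on whether it follows referrals."""
    found, refs = dc_search(hosted_nc, port, base)
    if chase_referrals:
        for nc in refs:
            next_base = base if under(base, nc) else nc
            found = found + client_search(nc, port, next_base, True)
    return sorted(found)


if __name__ == "__main__":
    print("child base, 389:        ", client_search(CHILD, LDAP_PORT, CHILD, False))
    print("parent base, no chasing:", client_search(PARENT, LDAP_PORT, PARENT, False))
    print("parent base, chasing:   ", client_search(PARENT, LDAP_PORT, PARENT, True))
    print("parent base, GC 3268:   ", client_search(CHILD, GC_PORT, PARENT, False))
```
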