Hi

I have two forests and each has a single domain (a.com and b.com).
Both are trusted.

a.com has a user a@a.com.
b.com has a user b@b.com

When I connect using LDP tool to the GC of a.com, I can bind and
authenticate as a@a.com.
I can also bind and authenticate as b@b.com.
But I could only get LDAP attributes for a@a.com.

How can I get the LDAP attributes (say mail or proxyAddresses) for
b@b.com?
What should be the search query?

Thanks.

UNT,
Jag

Re: LDAP search on multiple forest by Paul

Paul
Mon Jun 16 05:55:36 PDT 2008

It shouldn't matter which domain you are attaching to if you are supplying
and binding with the proper credentials.

Are you getting any errors on the b domain? You haven't provided enough
info to go on other than "It won't return attributes". Are there any errors
in the Event log on either the workstation or the dc you are binding
against?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Jag" <jagathishp@gmail.com> wrote in message
news:d7537d02-606d-4448-a632-cd2d5f3ff74c@i18g2000prn.googlegroups.com...
> Hi
>
> I have two forests and each has a single domain (a.com and b.com).
> Both are trusted.
>
> a.com has a user a@a.com.
> b.com has a user b@b.com
>
> When I connect using LDP tool to the GC of a.com, I can bind and
> authenticate as a@a.com.
> I can also bind and authenticate as b@b.com.
> But I could only get LDAP attributes for a@a.com.
>
> How can I get the LDAP attributes (say mail or proxyAddresses) for
> b@b.com?
> What should be the search query?
>
> Thanks.
>
> UNT,
> Jag



Re: LDAP search on multiple forest by Jag

Jag
Mon Jun 16 06:51:28 PDT 2008

Hi Paul,

Here's what I do:

I run LDP tool.
Connect to the a.com AD with port 3268.
Bind with user b@b.com
It is successfully authenticated.

I run the following search:
userPrincipalName=a@a.com
I get 1 result.

Now I run the following search:
userPrincipalName=b@b.com
I get no result.

In other words, when I search for objects in the b.com AD, no results
are returned.
So, I was wondering if there is a special syntax to search for objects in
b.com, by connecting to a.com.

Thanks,

UNT,
Jag

Re: LDAP search on multiple forest by Jag

Jag
Mon Jun 16 07:21:31 PDT 2008

Also, I didn't find any errors in the Event Viewer.

UNT,
Jag


Re: LDAP search on multiple forest by Joe

Joe
Mon Jun 16 11:55:10 PDT 2008

It is probably just a permissions problem. Do users from A have rights to
list objects and read attributes from objects in B?

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Jag" <jagathishp@gmail.com> wrote in message
news:96c4299f-d2ae-4643-bf75-ddb31f9066e6@q27g2000prf.googlegroups.com...
> Hi Paul,
>
> Here's what I do:
>
> I run LDP tool.
> Connect to the a.com AD with port 3268.
> Bind with user b@b.com
> It is successfully authenticated.
>
> I run the following search:
> userPrincipalName=a@a.com
> I get 1 result.
>
> Now I run the following search:
> userPrincipalName=b@b.com
> I get no result.
>
> In other words, when I search for objects in the b.com AD, no results
> are returned.
> So, I was wondering if there is a special syntax to search for objects in
> b.com, by connecting to a.com.
>
> Thanks,
>
> UNT,
> Jag



Re: LDAP search on multiple forest by Jag

Jag
Mon Jun 16 20:17:11 PDT 2008

Hi,

> It is probably just a permissions problem. Do users from A have rights to
> list objects and read attributes from objects in B?
>

In this case, I am binding with b@b.com and requesting for attributes
for the user b@b.com. So permissions should not be a problem. (Also,
from LDP tool, when I connect to b.com AD and port 3268, and with user
b@b.com, I am able to search for objects in b.com.)

When I give Base DN as dc=a, dc=com, I get search results.
When I give Base DN as dc=b, dc=com, I do not get any results.

Will the GC of a.com contain details of objects in b.com when both
share a forest trusted relationship?

Thanks.

UNT,
Jag

Re: LDAP search on multiple forest by Joe

Joe
Mon Jun 16 21:48:10 PDT 2008

GC contains all the objects in the forest (from all domains in the forest),
but not in a different forest.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Jag" <jagathishp@gmail.com> wrote in message
news:a0247233-5aa9-4a00-9b79-d3f085fcff8b@l28g2000prd.googlegroups.com...
Hi,

> It is probably just a permissions problem. Do users from A have rights to
> list objects and read attributes from objects in B?
>

In this case, I am binding with b@b.com and requesting for attributes
for the user b@b.com. So permissions should not be a problem. (Also,
from LDP tool, when I connect to b.com AD and port 3268, and with user
b@b.com, I am able to search for objects in b.com.)

When I give Base DN as dc=a, dc=com, I get search results.
When I give Base DN as dc=b, dc=com, I do not get any results.

Will the GC of a.com contain details of objects in b.com when both
share a forest trusted relationship?

Thanks.

UNT,
Jag



Re: LDAP search on multiple forest by Jag

Jag
Tue Jun 17 05:03:41 PDT 2008

Hi

> GC contains all the objects in the forest (from all domains in the forest),
> but not in a different forest.

Is there any configuration I can make in a.com AD so that it can
automatically query b.com AD, if a search is performed for b.com
objects?

Here's a summary of what I am trying to do.
I have a web application on a machine that is part of domain a.com. A
user logs in to the web application using IWA. Once the authentication
is successful, I get the logged in user's primary email address and
alternate email addresses from AD using ADSI query.
If a user from b.com tries to log in, the authentication is successful
(due to trust) but I could not fetch his email addresses.

Thanks.

UNT,
Jag


Re: LDAP search on multiple forest by Paul

Paul
Tue Jun 17 05:41:48 PDT 2008

Good catch

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
news:uvLDaVD0IHA.4912@TK2MSFTNGP03.phx.gbl...
> GC contains all the objects in the forest (from all domains in the
> forest), but not in a different forest.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> --
> "Jag" <jagathishp@gmail.com> wrote in message
> news:a0247233-5aa9-4a00-9b79-d3f085fcff8b@l28g2000prd.googlegroups.com...
> Hi,
>
>> It is probably just a permissions problem. Do users from A have rights to
>> list objects and read attributes from objects in B?
>>
>
> In this case, I am binding with b@b.com and requesting for attributes
> for the user b@b.com. So permissions should not be a problem. (Also,
> from LDP tool, when I connect to b.com AD and port 3268, and with user
> b@b.com, I am able to search for objects in b.com.)
>
> When I give Base DN as dc=a, dc=com, I get search results.
> When I give Base DN as dc=b, dc=com, I do not get any results.
>
> Will the GC of a.com contain details of objects in b.com when both
> share a forest trusted relationship?
>
> Thanks.
>
> UNT,
> Jag
>



Re: LDAP search on multiple forest by Paul

Paul
Tue Jun 17 05:45:53 PDT 2008

Couldn't you try binding to b.com's forest GC if it doesn't exist in a.com's
forest and check to see if the user exists there? Being unable to gain
access to any attributes in instances where they are able to authenticate
should be an indication that they are most likely in b.com.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Jag" <jagathishp@gmail.com> wrote in message
news:3227fecb-a041-487e-8375-9d5d26ecdf03@w4g2000prd.googlegroups.com...
> Hi
>
>> GC contains all the objects in the forest (from all domains in the forest),
>> but not in a different forest.
>
> Is there any configuration I can make in a.com AD so that it can
> automatically query b.com AD, if a search is performed for b.com
> objects?
>
> Here's a summary of what I am trying to do.
> I have a web application on a machine that is part of domain a.com. A
> user logs in to the web application using IWA. Once the authentication
> is successful, I get the logged in user's primary email address and
> alternate email addresses from AD using ADSI query.
> If a user from b.com tries to log in, the authentication is successful
> (due to trust) but I could not fetch his email addresses.
>
> Thanks.
>
> UNT,
> Jag
>



Re: LDAP search on multiple forest by Jag

Jag
Tue Jun 17 06:31:10 PDT 2008

Hi,

> Couldn't you try binding to b.com's forest GC if it doesn't exist in
> a.com's forest and check to see if the user exists there?

Thanks for the suggestion.
If there is any API which, given a domain name, would give me the IP
Address/Machine name of the GC, I can then query to that GC.
I'll check out MSDN.

UNT,
Jag

Re: LDAP search on multiple forest by Joe

Joe
Tue Jun 17 07:46:29 PDT 2008

DsGetDCName is probably what you want to use here if you are programming in
C/C++. It provides access to the DC locator system which gives you all
sorts of ways to find domain controllers of different types by domain name,
etc.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Jag" <jagathishp@gmail.com> wrote in message
news:599ddfd1-1108-46da-b56f-1570aa0632ff@y22g2000prd.googlegroups.com...
Hi,

> Couldn't you try binding to b.com's forest GC if it doesn't exist in
> a.com's forest and check to see if the user exists there?

Thanks for the suggestion.
If there is any API which, given a domain name, would give me the IP
Address/Machine name of the GC, I can then query to that GC.
I'll check out MSDN.

UNT,
Jag
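Putting the thread's answer together in code: a GC only holds objects from its own forest, so the web application has to pick the GC of the forest that owns the user's UPN suffix, locate it through the DC locator, and run the userPrincipalName search there. The example below is added here and is not code from any poster; it uses the managed System.DirectoryServices.ActiveDirectory locator (the .NET route to the same locator DsGetDcName exposes in C/C++) rather than calling DsGetDcName directly. It assumes the forest trust is in place, that the application's process identity has read rights on user objects in the other forest (Joe's permissions point), that the UPN suffix equals the DNS domain name (true for a@a.com and b@b.com, not necessarily for alternate UPN suffixes), and that mail and proxyAddresses are replicated to the GC, which they are by default.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Text;

// Added example, not code from the thread. Looks up mail and proxyAddresses
// for a UPN by querying the Global Catalog of the forest that owns the UPN's
// domain suffix (assumed to equal the DNS domain name, e.g. "b.com").
public static class CrossForestMailLookup
{
    public sealed class MailInfo
    {
        public string Mail { get; set; }
        public List<string> ProxyAddresses { get; } = new List<string>();
    }

    // Escape the characters RFC 4515 reserves inside a filter value, so a UPN
    // taken from the logged-in user cannot change the shape of the query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns null when no such user exists in that forest's GC.
    public static MailInfo Lookup(string upn)
    {
        int at = upn.IndexOf('@');
        if (at <= 0 || at == upn.Length - 1)
            throw new ArgumentException("expected user@domain", nameof(upn));
        string domain = upn.Substring(at + 1);

        // DC locator: resolve the domain, take its forest, ask for any GC of
        // that forest. Querying a.com's GC for b@b.com would return nothing,
        // because a GC never contains objects from another forest.
        var ctx = new DirectoryContext(DirectoryContextType.Domain, domain);
        Forest forest = Domain.GetDomain(ctx).Forest;
        GlobalCatalog gc = forest.FindGlobalCatalog();

        // GetDirectorySearcher() is already scoped to the GC (port 3268).
        using (DirectorySearcher searcher = gc.GetDirectorySearcher())
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName="
                              + EscapeFilterValue(upn) + "))";
            searcher.PropertiesToLoad.Add("mail");
            searcher.PropertiesToLoad.Add("proxyAddresses");
            searcher.SizeLimit = 1;

            SearchResult result = searcher.FindOne();
            if (result == null) return null;

            var info = new MailInfo();
            if (result.Properties["mail"].Count > 0)
                info.Mail = (string)result.Properties["mail"][0];
            foreach (object address in result.Properties["proxyAddresses"])
                info.ProxyAddresses.Add((string)address);   // multi-valued
            return info;
        }
    }

    public static void Main(string[] args)
    {
        // Constructed sample input; in the web application this would be the
        // UPN of the IWA-authenticated user.
        string upn = args.Length > 0 ? args[0] : "b@b.com";
        MailInfo info = Lookup(upn);
        if (info == null)
        {
            Console.WriteLine("not found in forest GC: " + upn);
            return;
        }
        Console.WriteLine("mail: " + info.Mail);
        foreach (string a in info.ProxyAddresses)
            Console.WriteLine("proxyAddresses: " + a);
    }
}
```

Run it from a machine joined to a.com as `CrossForestMailLookup.exe b@b.com`; with the trust and read permissions in place the locator hands back a GC in b.com's forest and the search succeeds, which is exactly the case that fails against a.com's GC in Jag's LDP test. A null result with a successful bind is the signal Paul describes: the account authenticated, but its object lives in a forest whose GC you have not asked yet.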