
I have two forests (example.local and accounting.local) that have a two-way trust established. On accounting, I can bind using accounting\bind. However, it fails from example.local:

ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580

I also have a child domain for example.local, and I can bind using the credentials from the child on example.local. I tried various forms of naming, baseDN, global vs dc. Thanks much.

1 Answer


I tried it here and had the same result. According to the Microsoft documentation for ldap_simple_bind:

The ldap_simple_bind function is designed to bind to the local domain. The function cannot be used for cross forest authentication.

You will need to use a different (synchronous) bind method to cross forests. See the ldap_bind_s docs for more details.

fission
  • I am using UnboundId Java client from Linux which I believe is synchronous. I could not get this to work with adsi edit either. – Surendar Chandra Sep 10 '18 at 23:56
  • It's not enough for the call to be synchronous. I just mean that all of the other bind methods (besides simple) must be called synchronously. I tested this with `ldp.exe` and cross-domain logon works with other methods (e.g. _Bind with credentials_). – fission Sep 11 '18 at 20:55
  • For this scenario with UnboundID LDAP, you should use SASL. – fission Sep 11 '18 at 20:56
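As an added example (not code from the original question or answer), here is the comparison the thread describes, written against the UnboundID LDAP SDK the asker is using: a simple bind with the trusted-forest account, which is expected to come back as error 49 with `data 52e` in the diagnostic message, followed by the SASL GSSAPI (Kerberos) bind the comments recommend. The host names (`dc1.example.local`, `dc1.accounting.local`), the realm name, the account `bind` and the password are assumptions for illustration, not values from the page.

```java
// Added example, not from the original post. Demonstrates why a simple bind
// from a trusted forest fails and how a SASL GSSAPI bind over the forest
// trust succeeds, using the UnboundID LDAP SDK (com.unboundid.ldap.sdk).
//
// Assumptions (hypothetical, not from the page):
//   dc1.example.local      - a DC of example.local we bind to
//   dc1.accounting.local   - a KDC/DC of the user's own forest
//   ACCOUNTING.LOCAL       - Kerberos realm of the trusted forest
//   bind / "secret"        - the account and password in that forest
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.GSSAPIBindRequest;
import com.unboundid.ldap.sdk.GSSAPIBindRequestProperties;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;

public class CrossForestBind {

    public static void main(String[] args) throws Exception {
        // Use the DC's DNS name, not an IP: the GSSAPI bind requests a
        // Kerberos service ticket for ldap/<this host name>.
        String host = "dc1.example.local";
        int port = 389;

        try (LDAPConnection conn = new LDAPConnection(host, port)) {
            // 1. Simple bind with an account from the other forest.
            //    Expected: INVALID_CREDENTIALS (49) with "data 52e" in the
            //    diagnostic message, exactly as in the question, because the
            //    DC only validates simple-bind passwords for its own domain
            //    (and the trusting child domains), not across the forest trust.
            try {
                conn.bind(new SimpleBindRequest("accounting\\bind", "secret"));
                System.out.println("simple bind succeeded (unexpected)");
            } catch (LDAPException e) {
                System.out.println("simple bind failed: " + e.getResultCode()
                        + " - " + e.getDiagnosticMessage());
            }

            // 2. SASL GSSAPI bind. Kerberos authenticates the user against
            //    a KDC in ACCOUNTING.LOCAL and, through the forest trust,
            //    obtains a referral ticket for the example.local DC, so the
            //    DC never has to validate the foreign password itself.
            GSSAPIBindRequestProperties props =
                    new GSSAPIBindRequestProperties("bind@ACCOUNTING.LOCAL", "secret");
            props.setRealm("ACCOUNTING.LOCAL");
            props.setKDCAddress("dc1.accounting.local"); // assumption: KDC of the user's realm
            props.setUseTicketCache(false);              // authenticate with the given password only

            BindResult result = conn.bind(new GSSAPIBindRequest(props));
            if (result.getResultCode() == ResultCode.SUCCESS) {
                System.out.println("GSSAPI bind succeeded as " + props.getAuthenticationID());
            } else {
                System.out.println("GSSAPI bind returned " + result.getResultCode());
            }
        }
    }
}
```

Two practical caveats: the Kerberos path needs DNS to resolve both the example.local DC and a KDC for the user's own realm from the client, and the simple bind is shown on port 389 only to reproduce the error, since it sends the password in cleartext; anything beyond a test should go over LDAPS (636) or StartTLS, and with GSSAPI the SASL layer can additionally sign and seal the session.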