
How to get subdomain groups for LDAPGroupsMapping

Guru

I ran into an AD configuration where users are in several subdomains (say NA.EXAMPLE.COM and SA.EXAMPLE.COM). However, most of the groups to which a user belongs that we care about are in one subdomain (NA.EXAMPLE.COM). I was able to get users from multiple subdomains using CompositeGroupsMapping and creating a separate LDAPGroupsMapping for each subdomain. However, I am only getting groups belonging to the same subdomain to which that user belongs. Has anyone run into similar AD issues, and how did you get around them?

Overall, LDAPGroupsMapping uses the user input to get the UserDN and then queries all the groups in the domain to see if that UserDN is in the 'member' field. We are able to get all the groups directly from the 'User' using 'memberOf'. So, worst case, if nothing can be done using configuration, I was thinking of overriding doGetGroups in LDAPGroupsMapping with logic to get the memberOf attributes.

1 ACCEPTED SOLUTION

New Contributor

This will depend on how the forests are set up in AD, but generally you should be able to query the top-level domain using the global catalog port (generally 3268 or 3269 instead of the traditional 389). Using the GC port will allow you to follow continuation referrals (referrals that send you from ldap://example.com to ldap://na.example.com).

In this case you should be able to use "ldap://EXAMPLE.COM:3268" with a base of "DC=EXAMPLE,DC=COM", which should allow you to return users and groups from all subdomains.
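Added example (not from the original thread) of the core-site.xml properties that put the answer's global-catalog URL and forest base DN into Hadoop's LdapGroupsMapping; the bind DN, password file path and the commented-out per-subdomain block are placeholders and assumptions, not values from the thread.

```xml
<!-- core-site.xml: LdapGroupsMapping pointed at the AD global catalog.
     Bind account and password file path are placeholders. -->
<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>

<!-- Before (assumed): one mapping per child domain on port 389 only
     sees that domain's groups, which is the situation in the question.
<property>
  <name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldap://NA.EXAMPLE.COM:389</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value>DC=NA,DC=EXAMPLE,DC=COM</value>
</property>
-->

<!-- After: global catalog port 3268 on the forest root with a forest-wide
     base DN. For GC over TLS use port 3269 and set
     hadoop.security.group.mapping.ldap.ssl to true. -->
<property>
  <name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldap://EXAMPLE.COM:3268</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value>DC=EXAMPLE,DC=COM</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.bind.user</name>
  <!-- placeholder: a read-only service account, not an admin -->
  <value>CN=hadoop-ldap-svc,OU=Service Accounts,DC=EXAMPLE,DC=COM</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
  <!-- placeholder path; keep the file readable by the Hadoop user only -->
  <value>/etc/hadoop/conf/ldap-bind.password</value>
</property>
<!-- Match users by sAMAccountName; a GC search spans every domain under the base. -->
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <value>member</value>
</property>
```

One caveat to check before relying on this: the global catalog holds only a partial attribute set, so universal group membership is visible forest-wide, but the member list of global and domain local groups is complete only on a GC server that is also a domain controller for that group's own domain. An `ldapsearch -H ldap://EXAMPLE.COM:3268 -b DC=EXAMPLE,DC=COM` for one affected group is a quick way to confirm what the GC actually returns before changing Hadoop.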

