LDAP proxy use case - is this possible?

Hello,

We used the LDAP proxy a few years ago for a short time and now have a use case which is a little bit complex, and I would like to know if this would be possible.

We have two Active Directories that are trusted against each other, but not in the same forest.

When I create a security group in one of them and add members from the other AD as well (the first member is from the other AD, the second member is from the local AD), the group looks like this (from the LDAP perspective):

dn: CN=group1,OU=Test,OU=Services,OU=Administration,DC=myad1,DC=at
member: CN=S-1-1-11-1111111142-1482476501-839522115-561823,CN=ForeignSecurityPrincipals,DC=myad1,DC=at
member: CN=user1,OU=User,DC=myad1,DC=at

As LDAP does not understand trusts, I have no way to get the cn of the member of the other AD. It is only listed as a Foreign Security Principal.

Now when it comes to the LDAP proxy, can I modify the search result that gets sent back to the client so that it delivers the cn of the second AD?

So I think the search must be executed, the result must be interpreted and, if there are some foreign security principals, it must query the second AD for the cn of that security principal. The security principal contains as the first part the AD domain SID and as the second part the user SID. So I would need to use a substring of that to query the other AD for the user with the specific SID. And together with the local results I want to send back the whole group membership result to the client's initial search request.


Would LDAP proxy be able to do this?

Rainer
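A worked sketch of the result-rewriting step described in the post, added here as an example and not code from any LDAP proxy product: it spots ForeignSecurityPrincipal members, splits the SID into domain SID and RID, builds an objectSid filter for the second AD, and merges the answer back into the member list. The second-AD lookup and the myad2.at DN are constructed stand-ins, and the SID is the one from the post.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Member DN that AD stores for a trusted-domain account: CN=<SID>,CN=ForeignSecurityPrincipals,...
FSP_DN = re.compile(r"^CN=(?P<sid>S-1-\d+(?:-\d+)+),CN=ForeignSecurityPrincipals,", re.IGNORECASE)

def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)

def objectsid_filter(sid: str) -> str:
    """AD accepts the textual SID form in an objectSid filter."""
    return f"(objectSid={sid})"

def rewrite_members(entry: Dict[str, List[str]], trusted_domain_sid: str,
                    lookup: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Copy `entry`, replacing each ForeignSecurityPrincipal member with the DN
    that `lookup(filter)` finds in the second AD. Only SIDs from the configured
    trusted domain are forwarded; unresolved members are kept so nothing is lost."""
    rewritten = dict(entry)
    members = []
    for dn in entry.get("member", []):
        match = FSP_DN.match(dn)
        resolved = None
        if match:
            sid = match.group("sid")
            domain_sid, _rid = split_sid(sid)
            if domain_sid == trusted_domain_sid:
                resolved = lookup(objectsid_filter(sid))
        members.append(resolved or dn)
    rewritten["member"] = members
    return rewritten

# Constructed stand-in for the search against the second AD (the myad2.at DN is assumed).
FAKE_AD2 = {"(objectSid=S-1-1-11-1111111142-1482476501-839522115-561823)":
            "CN=user2,OU=User,DC=myad2,DC=at"}
# The group entry as shown in the post.
GROUP = {
    "dn": ["CN=group1,OU=Test,OU=Services,OU=Administration,DC=myad1,DC=at"],
    "member": [
        "CN=S-1-1-11-1111111142-1482476501-839522115-561823,CN=ForeignSecurityPrincipals,DC=myad1,DC=at",
        "CN=user1,OU=User,DC=myad1,DC=at",
    ],
}

def demo() -> Dict[str, List[str]]:
    """Run the rewrite over the post's group with the constructed second-AD lookup."""
    return rewrite_members(GROUP, "S-1-1-11-1111111142-1482476501-839522115", FAKE_AD2.get)
```

Checking the domain SID against the one trusted domain keeps the proxy from forwarding lookups for arbitrary SIDs, and keeping unresolved members unchanged means a failed lookup never shrinks the group a client sees.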