etfknovl

Trusts

I have been struggling with trusted domains and foreign security principals in the AD driver and I am just trying to find out if anyone has ever got this working. The most promising thread I found, from a couple of years ago (https://forums.novell.com/showthread.php/499380-trusts), suggests that since the users from the trusted domain (A) can be added to the groups in the trusting domain (B) using LDIF, it ought to be trivial to do the same in the driver, but for the life of me I cannot get this to work.

This ldif format works:

dn: CN=ektest,ou=groups,dc=domainb
changetype: modify
add: member
member:: PFNJRD1TLTEtNS0yMS0yOTQ3NjgyOTY5LTgxODI3NDY1LTI4OTE4OTMzNC03MzU3MT4=

where that is the base64 encoding of
<SID=S-1-5-21-2947682969-81827465-289189334-73571>
which is the SID of the user in domain A.

When I send that <SID= ...> string out to my AD, I see an XML document in the Remote Loader trace with a modify group element and a member add-value element with the correct value:
<SID=S-1-5-21-2947682969-81827465-289189334-73571>

And then I see the ADDriver report:
ADDriver: parse modify class - Group
ADDriver: modify-attr
ADDriver: add-value
ADDriver: <SID=S-1-5-21-2947682969-81827465-289189334-73571>
ADDriver: ldap_modify Group CN=ektest,ou=groups,dc=domainb

The trace then shows a success, but nothing gets added to the group.
(This is all in an isolated lab, so unfortunately it is hard to grab the actual trace files, but I will try to get them.)

I have also tried sending the base64-encoded version of the string, and I have tried defining the destination attribute as dn, octet and string, all with the same result (success reported, but no success).

Any pointers would be appreciated.
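An added example, not code from the thread or from the AD driver, that builds the LDIF record quoted above and makes explicit why the member value has to use the "::" base64 form: a value beginning with "<" is not an RFC 2849 safe string, so a plain "member: <SID=...>" line would be rejected or misread. The group DN and SID are the constructed values quoted in the post.

```python
import base64
import re

# Constructed from the values quoted in the post above.
GROUP_DN = "CN=ektest,ou=groups,dc=domainb"
FOREIGN_SID = "S-1-5-21-2947682969-81827465-289189334-73571"

# Revision 1, identifier authority, then one or more sub-authorities (last one is the RID).
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")


def sid_member_value(sid: str) -> str:
    """Return the <SID=...> DN form that AD resolves to a foreign security principal."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a well-formed SID string: {sid!r}")
    return f"<SID={sid}>"


def ldif_safe(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, and not starting with ' ', ':' or '<'."""
    if not value or not value.isascii():
        return False
    if value[0] in " :<":
        return False
    return not any(c in "\x00\r\n" for c in value)


def ldif_attr_line(attr: str, value: str) -> str:
    """Emit 'attr: value' when the value is LDIF-safe, else 'attr:: <base64>'."""
    if ldif_safe(value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def add_member_ldif(group_dn: str, member_value: str) -> str:
    """Build the 'changetype: modify / add: member' record for one group."""
    return "\n".join([
        f"dn: {group_dn}",
        "changetype: modify",
        "add: member",
        ldif_attr_line("member", member_value),
        "-",  # RFC 2849 mod-spec terminator (the post's record omits it)
        "",
    ])


if __name__ == "__main__":
    print(add_member_ldif(GROUP_DN, sid_member_value(FOREIGN_SID)))
```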
Knowledge Partner

Re: Trusts

I'm not sure if this is the right case for the "classic" AD driver.
Maybe the Multi-Domain AD driver can handle it better.

From the troubleshooting perspective, you can try to do it through LDAP (for example with Apache LDAP Studio).
If you have success with "native" LDAP manipulation, you will be able to repeat similar steps with the AD driver.
etfknovl

Re: Trusts

al_b;2495036 wrote:
I'm not sure if this is the right case for the "classic" AD driver.
Maybe the Multi-Domain AD driver can handle it better.

Thanks. The domains are not in the same forest, so I am not sure the MDAD driver will add anything. I searched the doco for that driver and can find no reference to Foreign Security Principals.

al_b;2495036 wrote:
From the troubleshooting perspective, you can try to do it through LDAP (for example with Apache LDAP Studio).
If you have success with "native" LDAP manipulation, you will be able to repeat similar steps with the AD driver.

I can run ldp on the server and modify the group's member attribute to be the <SID=S-1-...> value, and it creates the FSP and adds it to the group exactly as expected. It just appears to be sending the modify through the driver that fails.

If we find an answer I will update this, but we do have a plan B which involves some nasty scheduled PowerShell scripts, and I have a horrible feeling we will end up having to go down that path.
Knowledge Partner

Re: Trusts

It looks like your plan B will be the only option for this specific case.