EMC LDAP profile

Hi all, 

I apologize in advance if I missed the answer.

We have two domains in the same forest, parent domain X.Y and child domain Z.X.Y. We would like to set up AD/LDAP authentication to EMC so that users from both domains can access the EMC portal. Is this possible?

We tried to do this but without success.

Thanks,
Vesna.

Vesna


Posted 1 year ago


Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello,

I don't think this is possible.

The problem is that users in the child domain don't exist in the parent domain. Extreme Access Control handles these types of split domain environments by being able to create multiple authentication rules that point to different domains with different LDAP URLs and Search Roots. To some extent (captive portal only) Extreme Access Control actually has the ability to look inside one forest and based on results of a search choose it or look into another. 

The login mechanism only provides you with the ability to look into 1 LDAP configuration, which results in 1 domain forest. 

The LDAP authentication login process looks like this:

  • Search request to determine if user exists
  • If user exists --> attempt LDAP bind using the username/password provided in the login
  • If authenticated --> obtain AD membership information for possible Authorization Group Matching.

If you were to use the global catalog instead of port 389 or 636 you may be able to get Extreme Management Center to determine the user exists, but I don't believe an LDAP bind to a forest that doesn't actually contain the user in active directory will result in success.

Can anyone confirm this? I don't have a multi-domain forest to test with.

Thanks
-Ryan
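The three-step flow Ryan lists (search, bind, membership lookup) can be walked through in code. The following is an added example, not Extreme's code or anything from this thread: a Python model of the flow run against a constructed in-memory directory holding the parent domain X.Y and the child domain Z.X.Y as separate partitions, the way AD stores a child domain. The `LdapProfile` class, the `DIRECTORY` contents, the user names, passwords and group names are all constructed for the example. It codifies the search-root scoping of step 1 (a search on 389/636 only sees the partition the search root lives in; a global catalog search on 3268 sees every partition) and the memberOf read of step 3; step 2 is modelled as a plain password check against the entry that step 1 found, because the thread leaves open whether a bind routed through a parent-domain DC succeeds for a child-domain account.

```python
"""Model of the search -> bind -> group-lookup login flow against a
constructed two-partition directory (parent X.Y, child Z.X.Y)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GC_PORT = 3268            # global catalog port, the alternative to 389/636
LDAP_PORTS = (389, 636)   # one domain partition per connection

# Constructed directory. Each key is a naming context (domain partition).
# A child domain is its own partition: bob's DN ends with DC=X,DC=Y, but his
# object is not stored under the parent partition.
DIRECTORY: Dict[str, Dict[str, dict]] = {
    "DC=X,DC=Y": {
        "CN=alice,CN=Users,DC=X,DC=Y": {
            "sAMAccountName": "alice",
            "userPassword": "alice-pass",       # constructed credential
            "memberOf": ["CN=EMC-Admins,CN=Users,DC=X,DC=Y"],
        },
    },
    "DC=Z,DC=X,DC=Y": {
        "CN=bob,CN=Users,DC=Z,DC=X,DC=Y": {
            "sAMAccountName": "bob",
            "userPassword": "bob-pass",         # constructed credential
            "memberOf": ["CN=EMC-Users,CN=Users,DC=Z,DC=X,DC=Y"],
        },
    },
}


@dataclass(frozen=True)
class LdapProfile:
    """The two settings the answer says one LDAP configuration fixes (hypothetical class)."""
    search_root: str
    port: int = 389


def naming_context_of(dn: str) -> Optional[str]:
    """Partition that owns a DN: the longest naming context that is a suffix of it."""
    matches = [nc for nc in DIRECTORY if dn.lower().endswith(nc.lower())]
    return max(matches, key=len) if matches else None


def search_user(profile: LdapProfile, username: str) -> Optional[str]:
    """Step 1: search request to determine whether the user exists under the search root."""
    if profile.port == GC_PORT:
        # The global catalog replicates (a partial attribute set of) every
        # partition in the forest, so one search can see both domains' users.
        partitions = list(DIRECTORY.values())
    else:
        # On 389/636 a DC returns entries only from the partition that holds the
        # search root; child-partition objects would come back as referrals,
        # which this model, like a client that does not chase them, drops.
        nc = naming_context_of(profile.search_root)
        partitions = [DIRECTORY[nc]] if nc else []
    root = profile.search_root.lower()
    for partition in partitions:
        for dn, attrs in partition.items():
            if dn.lower().endswith(root) and attrs["sAMAccountName"] == username:
                return dn
    return None


def simple_bind(dn: str, password: str) -> bool:
    """Step 2: LDAP bind as the found entry with the password from the login form.
    Modelled as a credential check on the entry itself; cross-domain bind
    behaviour is the point the thread leaves unconfirmed."""
    nc = naming_context_of(dn)
    return nc is not None and DIRECTORY[nc][dn]["userPassword"] == password


def member_of(dn: str) -> List[str]:
    """Step 3: AD membership for Authorization Group Matching."""
    nc = naming_context_of(dn)
    return list(DIRECTORY[nc][dn]["memberOf"]) if nc else []


def authenticate(profile: LdapProfile, username: str, password: str) -> Tuple[str, List[str]]:
    """Run the three steps; the first step that fails names the failure."""
    dn = search_user(profile, username)
    if dn is None:
        return ("user-not-found", [])
    if not simple_bind(dn, password):
        return ("invalid-credentials", [])
    return ("ok", member_of(dn))


if __name__ == "__main__":
    parent = LdapProfile("DC=X,DC=Y")
    child = LdapProfile("DC=Z,DC=X,DC=Y")
    parent_gc = LdapProfile("DC=X,DC=Y", port=GC_PORT)
    for label, prof, user, pw in [
        ("parent profile, parent user", parent, "alice", "alice-pass"),
        ("parent profile, child user ", parent, "bob", "bob-pass"),
        ("child profile,  child user ", child, "bob", "bob-pass"),
        ("parent GC,      child user ", parent_gc, "bob", "bob-pass"),
    ]:
        print(f"{label}: {authenticate(prof, user, pw)}")
```

Running the block shows the pattern the answer describes: the parent-domain profile authenticates alice but reports bob as not found, the child-domain profile finds bob, and only the global catalog profile lets a single search root cover both domains, which is why EMC's one-profile login cannot serve both without something like a GC search and a working cross-domain bind.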

Vesna

Hi Ryan,

Thanks for the clarification.

We tested it and it didn't work. If someone else can try it, that would be great.

BR,
Vesna.