EMC LDAP profile

Vesna
New Contributor II
Hi all,

I apologize in advance if I missed the answer.

We have two domains in the same forest, parent domain X.Y and child domain Z.X.Y. We would like to set up AD/LDAP authentication to EMC so that users from both domains can access the EMC portal. Is this possible?

We tried to do this but without success.

Tnx,
Vesna.
2 REPLIES

Vesna
New Contributor II
Hi Ryan,

tnx for clarification.

We tested it and it didn't work. If someone else can try it, that would be great.

BR,
Vesna.

Ryan_Yacobucci
Extreme Employee
Hello,

I don't think this is possible.

The problem is that users in the child domain don't exist in the parent domain. Extreme Access Control handles these types of split domain environments by being able to create multiple authentication rules that point to different domains with different LDAP URLs and Search Roots. To some extent (captive portal only) Extreme Access Control actually has the ability to look inside one forest and based on results of a search choose it or look into another.

The login mechanism only provides you with the ability to look into 1 LDAP configuration, which results in 1 domain forest.

The LDAP authentication login process looks like this:

  • Search request to determine if user exists
  • If user exists --> attempt LDAP bind using the username/password provided in the login
  • If authenticated --> obtain AD membership information for possible Authorization Group Matching.

If you were to use the global catalog instead of port 389 or 636 you may be able to get Extreme Management Center to determine the user exists, but I don't believe an LDAP bind to a forest that doesn't actually contain the user in Active Directory will result in success.

Can anyone confirm this? I don't have a multi-domain forest to test with.

Thanks
-Ryan
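
The three-step login flow listed in the reply above (search, bind, group lookup), modeled as an added example that is not part of the original thread and is not Extreme's code. It runs the flow against a single LDAP configuration and then against an ordered list of configurations, as the multiple-rule approach in the reply describes. The forest data, host names, `LdapConfig`, `login` and `login_multi` are constructed for illustration, and the directory is an in-memory stand-in rather than a real LDAP server.

```python
import hmac
from dataclasses import dataclass

# Constructed sample data: one forest, two domain naming contexts.
# Each domain's entries are visible only under that domain's own search root.
FOREST = {
    "DC=X,DC=Y": {
        "alice": ("CN=alice,CN=Users,DC=X,DC=Y", "pw-alice",
                  ["CN=NetAdmins,DC=X,DC=Y"]),
    },
    "DC=Z,DC=X,DC=Y": {
        "bob": ("CN=bob,CN=Users,DC=Z,DC=X,DC=Y", "pw-bob",
                ["CN=Helpdesk,DC=Z,DC=X,DC=Y"]),
    },
}

@dataclass(frozen=True)
class LdapConfig:  # hypothetical stand-in for one LDAP URL + search root
    url: str
    search_root: str

PARENT = LdapConfig("ldap://parent-dc.example:389", "DC=X,DC=Y")
CHILD = LdapConfig("ldap://child-dc.example:389", "DC=Z,DC=X,DC=Y")

def login(cfg, username, password):
    """Search for the user, bind as the DN found, then read group membership."""
    entry = FOREST.get(cfg.search_root, {}).get(username)  # step 1: search
    if entry is None:
        return ("user-not-found", [])
    _dn, stored, groups = entry
    # Step 2: bind. An empty password is rejected up front, because an LDAP
    # simple bind with an empty password is an unauthenticated bind and must
    # never count as a successful login.
    if not password or not hmac.compare_digest(password, stored):
        return ("bind-failed", [])
    return ("authenticated", list(groups))  # step 3: membership for group matching

def login_multi(cfgs, username, password):
    """Try each configuration in order; stop at the first one that knows the user."""
    for cfg in cfgs:
        stage, groups = login(cfg, username, password)
        if stage != "user-not-found":
            return (cfg.url, stage, groups)
    return (None, "user-not-found", [])

if __name__ == "__main__":
    print(login(PARENT, "bob", "pw-bob"))                 # fails at the search step
    print(login_multi([PARENT, CHILD], "bob", "pw-bob"))  # found via second config
```

With only the parent configuration, the child-domain user fails at the search step before any bind is attempted, which matches the single-configuration limitation described in the reply.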