Hello,
I don't think this is possible.
The problem is that users in the child domain don't exist in the parent domain. Extreme Access Control handles these types of split domain environments by being able to create multiple authentication rules that point to different domains with different LDAP URLs and Search Roots. To some extent (captive portal only) Extreme Access Control actually has the ability to look inside one forest and based on results of a search choose it or look into another.
The login mechanism only provides you with the ability to look into 1 LDAP configuration, which results in 1 domain forest.
The LDAP authentication login process looks like this:
- Search request to determine if user exists
- If user exists --> attempt LDAP bind using the username/password provided in the login
- If authenticated --> obtain AD membership information for possible Authorization Group Matching.
If you were to use the global catalog instead of port 389 or 636, you may be able to get Extreme Management Center to determine the user exists, but I don't believe an LDAP bind to a forest that doesn't actually contain the user in Active Directory will result in success.
Can anyone confirm this? I don't have a multi-domain forest to test with.
Thanks
-Ryan