[TYPO3-english] Help needed with LDAP/SSO cross domain authentication

Paul Dussault paulduss at hotmail.com
Mon Oct 27 13:37:30 CET 2014


Hi,

I was wondering if the LDAP/SSO extension allows for authentication across trusted domains, and if so, how it can be done?

I have two fully trusted Active Directory domains, belonging to the same forest (one domain (B) is in the subtree of the other (A)), and I can successfully connect to each of them with LDAP/SSO. But I can't find a way to authenticate users across both of those domains.

What I need to do is authenticate front end users who are located in domain A, and filter them through a universal group located in domain B.

I've been able to do so using other tools, and a regular LDAP query (namely by connecting to the main domain (A), and setting the SCOPE of my LDAP query to "2:wholesubtree", so that it would comprise domain B). But I can't seem to find a way to make the LDAP/SSO extension look beyond the base domain, down in the subtree...

Here are some details:

As I said, users are located in A.DOMAIN.COM, and the universal group (USERGROUP) containing them is in another domain, B.DOMAIN.COM.

I have set the LDAP config like so:

Server: Active Directory / Novell eDirectory
Charset: utf-8
Protocol: 3
Host: ldap://ldapserver.A.DOMAIN.COM
Port: 389
TLS: 0
Bind DN: bindingaccountt (at) B.DOMAIN.COM
Password: ********

The connection is successful.

I had previously connected to B.DOMAIN.COM and successfully imported in TYPO3 the group I need. But no matter what I try, all login attempts using this group are denied.

Now how should I configure the FE_USERS tab in order to allow only the members of B.DOMAIN/USERGROUP? The FE Users tab is set like this:

Base DN: dc=A,dc=DOMAIN,dc=COM
Filter: (sAMAccountName={USERNAME})

Mapping: usergroup = <memberOf>

Required LDAP groups: USERGROUP

I run the latest version of the LDAP/SSO extension, TYPO3 4.5.27 and Active Directory (2003 level).
 

Thanks in advance for any pointers!

Paul Dussault
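
The following is an added example, not part of the original post and not the LDAP/SSO extension's own code. It shows the two checks the FE Users settings above imply: substituting the login name into `(sAMAccountName={USERNAME})` with RFC 4515 escaping, and matching `memberOf` values against USERGROUP by both group name and domain. It assumes `memberOf` values are full DNs; the `OU=Groups` component and the function names are constructed for illustration.

```python
import re

FILTER_TEMPLATE = "(sAMAccountName={USERNAME})"  # filter from the post
REQUIRED_GROUP = "USERGROUP"                     # group name from the post
GROUP_DOMAIN = "B.DOMAIN.COM"                    # domain holding the group

# RFC 4515 characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a login name so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(username):
    return FILTER_TEMPLATE.replace("{USERNAME}", escape_filter_value(username))


def split_dn(dn):
    """Split a DN into (attribute, value) pairs (simplified: only '\\,' escapes)."""
    parts = re.split(r"(?<!\\),", dn)
    return [tuple(s.strip() for s in p.split("=", 1)) for p in parts if "=" in p]


def dn_domain(dn):
    """DNS domain name rebuilt from the DC components of a DN."""
    return ".".join(v for a, v in split_dn(dn) if a.upper() == "DC")


def dn_cn(dn):
    rdns = split_dn(dn)
    return rdns[0][1] if rdns and rdns[0][0].upper() == "CN" else None


def in_required_group(member_of):
    """True only if a memberOf DN names the required group in the expected domain."""
    for dn in member_of:
        same_name = (dn_cn(dn) or "").lower() == REQUIRED_GROUP.lower()
        if same_name and dn_domain(dn).lower() == GROUP_DOMAIN.lower():
            return True
    return False


# Constructed sample memberOf values for two hypothetical users.
USER_IN_B_GROUP = ["CN=USERGROUP,OU=Groups,DC=B,DC=DOMAIN,DC=COM"]
USER_IN_A_LOOKALIKE = ["CN=USERGROUP,OU=Groups,DC=A,DC=DOMAIN,DC=COM"]
```

Matching on the group name alone would treat both sample users the same, which is why the check also compares the DC components of the DN.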


