[TYPO3-english] Help needed with LDAP/SSO cross domain authentication

Lieuwe Hummel l.hummel at youwe.nl
Tue Oct 28 14:41:27 CET 2014


Hi Paul,

If I'm not mistaken, you have trouble searching Active Directory across
domains. For a customer I implemented a custom AD-based SSO extension
which had to authenticate against multiple forests as well. Their AD
specialists advised me to set up several connections, one for each
domain. Furthermore, they advised me that cross-domain searches should
be done using the GC server on port 3268.
This has worked for me without any problems. But again: this was
custom-made.

HTH

Regards,
Lieuwe

On 27-10-14 13:37, Paul Dussault wrote:
> Hi,
> 
> I was wondering if the LDAP/SSO extension allows for authentication
> across trusted domains, and if so, how it can be done?
> 
> I have two fully trusted Active Directory domains, belonging to the same
> forest (one domain (B) is in the subtree of the other (A)), and I can
> successfully connect to each of them with LDAP/SSO. But I can't find a
> way to authenticate users across both of those domains.
> 
> What I need to do is authenticate front end users who are located in
> domain A, and filter them through a universal group located in domain B.
> 
> I've been able to do so using other tools, and a regular LDAP query
> (namely by connecting to the main domain (A), and setting the SCOPE of
> my LDAP query to "2:wholesubtree", so that it would comprise domain B).
> But I can't seem to find a way to make the LDAP/SSO extension look
> beyond the base domain, down in the subtree...
> 
> Here are some details:
> 
> As I said, users are located in the A.DOMAIN.COM, and the universal
> group (USERGROUP) containing them is in another domain, B.DOMAIN.COM.
> I have set the LDAP config like so:
> 
> Server: Active Directory / Novell eDirectory
> Charset: utf-8
> Protocol: 3
> Host: ldap://ldapserver.A.DOMAIN.COM
> Port: 389
> TLS: 0
> Bind DN: bindingaccountt (at) B.DOMAIN.COM
> Password: ********
> 
> The connection is successful.
> 
> I had previously connected to B.DOMAIN.COM and successfully imported in
> Typo3 the group I need. But no matter what I try, all login attempts
> using this group are denied.
> 
> Now how should I configure the FE_USERS tab in order to allow only the
> members of B.DOMAIN/USERGROUP? The FE Users tab is set like this:
> 
> Base DN: dc=A,dc=DOMAIN,dc=COM
> Filter: (sAMAccountName={USERNAME})
> 
> Mapping: usergroup = <memberOf>
> 
> Required LDAP groups: USERGROUP
> 
> I run the latest version of the LDAP/SSO extension, Typo3 4.5.27 and
> Active Directory (2003 level).
> 
> 
> Thanks in advance for any pointers!
> 
> Paul Dussault
> 
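To make the advice in this thread concrete, the following is an added Python example (not part of the thread, the LDAP/SSO extension or TYPO3): it builds a forest-wide Global Catalog search on port 3268 with the username escaped per RFC 4515, and decides a login by matching the full DN of the required group rather than just its name. The GC host name, forest root DN and group DN are assumed values.

```python
"""Cross-domain AD lookup helpers: Global Catalog search parameters,
RFC 4515 filter escaping and a DN-based required-group check.
All sample data below is constructed, not taken from a real directory."""
import re

GC_PORT = 3268  # Global Catalog over plain LDAP; 3269 is the TLS variant


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter
    (RFC 4515), so '*', '(', ')', '\\' and NUL cannot alter the filter."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group()), value)


def gc_search_params(forest_root_dn: str, gc_host: str, username: str) -> dict:
    """Search parameters equivalent to the FE_USERS tab of the post, but
    aimed at the forest-wide Global Catalog instead of a single domain."""
    return {
        "host": gc_host,                    # assumed GC host name
        "port": GC_PORT,
        "base_dn": forest_root_dn,          # forest root, not dc=A,dc=DOMAIN,dc=COM
        "scope": "subtree",                 # the '2:wholesubtree' of the post
        "filter": "(sAMAccountName=%s)" % escape_filter_value(username),
        "attributes": ["memberOf", "sAMAccountName"],
    }


def normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive form for DN comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_login_allowed(member_of: list, required_group_dn: str) -> bool:
    """Allow the login only if the exact required group DN appears in
    memberOf. Comparing full DNs (not just the CN 'USERGROUP') avoids
    accepting a same-named group that lives in another domain."""
    wanted = normalize_dn(required_group_dn)
    return any(normalize_dn(dn) == wanted for dn in member_of)


# Constructed sample: what a GC search for a domain-A user might return.
SAMPLE_USER_MEMBER_OF = [
    "CN=USERGROUP,OU=Groups,DC=B,DC=DOMAIN,DC=COM",
    "CN=Domain Users,CN=Users,DC=A,DC=DOMAIN,DC=COM",
]
REQUIRED_GROUP = "cn=usergroup,ou=groups,dc=b,dc=domain,dc=com"  # assumed DN

if __name__ == "__main__":
    print(gc_search_params("dc=DOMAIN,dc=COM", "gc.DOMAIN.COM", "pdussault"))
    print(is_login_allowed(SAMPLE_USER_MEMBER_OF, REQUIRED_GROUP))
```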
