Forum Discussion
AD query for a user from a trusted domain (forest trust)
Hi!
Been trying to solve this for a while, but can't find how to do this... I have seen similar questions on the forum without response, maybe this time is the one!
I have two domains, domain A and domain B. Domain A is configured to trust Domain B. Also, users from domain B belong to some AD groups on domain A.
I have set up an access policy, where users from domain A authenticate against domain A, and users from domain B authenticate against domain B (two different AAA servers). This is working fine.
My question is: How can I check the group membership of domain A groups for a user from domain B?
I need to make a query to domain A asking the "memberOf" attr for a trusted user which is originally from domain B. If I try to do this, the AD Query does not find the user, as the CN, sAMAccountName, SID, and GUID for the domain B user are not the same in domain A.
Any ideas on how to achieve this?
Regards,
Gerar
- Nicolas_Destor (Cirrostratus)
By default the AD query item is configured with the default search filter "sAMAccountName=%{session.logon.last.username}".
If the username variable used to authenticate on the domainB directory can't be used for the AD query in the domainA directory (because the username is set with value "domainB/username" for example), then the solution is:
- Create a Variable Assign item before the AD query to set a new variable (eg session.custom.username) with some TCL code to parse the origin username.
- Update the search filter in the AD query item to use this new variable ("sAMAccountName=%{session.custom.username}" for example).
Hope that helps.
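One way to write the custom expression for that Variable Assign item, as an added example that is not part of Nicolas's post. It assumes the authenticated name arrives in session.logon.last.username in one of the forms listed in the comments, and that the result is assigned to session.custom.username:

```tcl
# Added example (not from the original post): APM Variable Assign custom expression.
# Assign to: session.custom.username
# It strips a leading domain prefix ("domainB\" or "domainB/") or a trailing
# UPN suffix ("@domainB.example") so the AD Query filter
# "sAMAccountName=%{session.custom.username}" matches the account in domain A.
#
# Constructed inputs and the value the expression yields:
#   "domainB\jdoe"         -> "jdoe"
#   "domainB/jdoe"         -> "jdoe"
#   "jdoe@domainb.example" -> "jdoe"
#   "jdoe"                 -> "jdoe"   (already bare, unchanged)
expr {
    [lindex [split [lindex [split [mcget {session.logon.last.username}] "@"] 0] "\\/"] end]
}
```

The inner split on "@" keeps the part before a UPN suffix; the outer split on backslash and slash keeps the last element, which is the bare account name whichever prefix form the logon used.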
- JoeTheFifth (Altostratus)
looking for the same thing