Cross domain queries (same Active Directory, different "forest")

Hi,

So, we have different domains in our organization, like:

1. ldap://domain1.company.com
2. ldap://domain2.company.com In Active Directory these are defined as different “forests” (I’m not an AD expert, just writing what our expert told me to…).

Regardless of which domain I’m in, logging in to services normally works.

But when querying using ldapsearch, I run into an odd problem:

• When I connect to ldap server domain1 with a user from that same domain (“domain1user”), I can query all details from groups in that same domain (domain1), but for groups that are in the other domain (domain2), I don’t get member details.
• This ldapsearch connection works fine both using the -H -D switches and the -Y DIGEST-MD5 -U switches
• But when I try to connect with the same user (domain1user) on domain2 the odd stuff occurs: – I can connect and search using the -H -D switches and then all works fine, but that doesn’t work for ldap2pg – When I connect and search using the -Y DIGEST-MD5 -U switches, like ldap2pg does, get this error: SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: 8009030C: LdapErr: DSID-0C09058A, comment: AcceptSecurityContext error, data 52e, v4563

Interesting enough, the same issue occurs the other way around. So, when using a user on domain2 (“domain2user”), all works fine on domain2, but I get the same error when trying to connect to domain1. In this case, I can query all details for domain2 groups, but don’t get members from domain1 groups.

As we need to synchronize members from both domains, how do I get around this? Do I really need to create as many AD users as I have domains? Or do you have a different solution?

Note: We’re not bound to -Y DIGEST-MD5, -H -D would be fine as well, but I don’t know how to configure that in ldap2pg (separate ticket, not being replied on…)

Thanks in advance!