Hi,
A user is trying to have DataMiner in one domain and have the LDAP query another domain for user authentication.
I found that in order to achieve this, it was necessary to add a trust between the domain where DataMiner is and the domain of the users to be added, the reason being that when DataMiner validates the users, it checks for identity (which requires a trust) and not username/password.
Is this information accurate?
Are there any more details that need to be taken into account when installing the trust?
Is there any additional configuration that needs to be done on the DataMiner side?
Thank you for the help.
Hi Joao,
It's correct that when your DataMiner server is part of a domain, but you wish to authenticate users which are part of a different domain, a trust needs to be established between the two different domain controllers.
Next to this, you'll need to define the IP/hostname of the domain controller in the System settings > LDAP section of the System Center module, informing DataMiner to retrieve user information from this remote LDAP server.
Please find a detailed description in the LDAP help section (link).
Hi,
The above-described configuration works well for single users from a remote domain. Even when users from two domains are added to the DMS, this works via domain trust authentication.
If we now look at the next level, where groups are being created in the local domain (domain A) that include users from the local (domain A) and remote domain (domain B), DataMiner can import the local groups, but only sees the local users. All users from the remote domain (domain B) are not shown in the "users" tab for groups in DataMiner. The reason behind this may be that the users from domain B are only added as links in the group in domain A.
Domain A and domain B have a (unidirectional) domain trust to allow users from domain B to be authenticated via domain A.
We started to edit the filter in the LDAP settings to allow DM to also access the users from domain B via a group in domain A. An important question here is:
When the default settings are loaded on the LDAP page and only the user and group filters are modified, is this then also used by DM, or is an LDAP server configuration needed?
I was not able to see any changes in the DataMiner.xml on the active DMA after I modified the user and group filters. I noted an error in the SLError.txt and had to replace the ampersand "&" with "∧" due to the UTF-8 format of the DataMiner.xml. Only then was the DataMiner.xml updated based on the changes I did in Cube.
I also tried to stop the DMA, manually edit the LDAP section in the DataMiner.xml and start the DMA again to allow it to load the LDAP settings from the XML. I used the following amended filters (closing tags added here so the fragment is well-formed XML):
<Group>
  <Filter>(|(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))(objectClass=foreignSecurityPrincipal))</Filter>
</Group>
<User>
  <Filter>(|(&(objectCategory=person)(objectClass=user)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(objectClass=foreignSecurityPrincipal))</Filter>
</User>
I could not observe any difference yet when I tried to import a group that includes users from domain B. They are still not shown in the DM UI, and users from this domain cannot log in (Error "User not known to DataMiner").
We also used referralConfigured="False" to force DM to connect to domain B. As a consequence, users from domain A were logged off and could not log in anymore until referralConfigured="True" was set again.
Is there someone who has had this special constellation before and could help with a hint on how to access users from domain B?
That would help a lot.
Best regards
Dear Dojo community,
We have a setup of two domains with individual forests. There is a trust relationship between the two forests. We are able to connect DataMiner to both domains individually and import users and groups as required. The target is to use only a connection to domain B and be able to import and authenticate users and groups from domain A.
In domain B there are nested groups configured that include groups and users from both forests.
When we import a nested group from domain B that includes users from domain B only, we see all of them in the users in DataMiner.
When we import a nested group from domain B that includes users from domain B and users from domain A, we see only the users of domain B in the users in DataMiner. Users from domain A are not resolved and thus cannot log in to the DMS.
On the DMA at Windows Server level, both groups and the users included are available and can be used for logon and permission management. Here we also see that domain B users are of type "User" and domain A users are of type "ForeignSecurityPrincipal" with a UID (-> referrals to domain A). DataMiner seems to behave differently. Does DataMiner recognize "ForeignSecurityPrincipals" as users and resolve them via referrals by default?
We already played around with "referral=true/false" and different LDAP queries that include foreign security principals as well, and tested the configuration as per the last comment in this thread, but never reached a state where users from domain A became available through domain B.
Can you help with this, or at least clarify if such a target should be possible to reach with DM?
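To make the behaviour described in the two posts above concrete (a group in the connected domain whose foreign members are only foreignSecurityPrincipal links), here is an added example that is not DataMiner code or part of this thread. It uses constructed directory entries for two trusted domains and shows why a user filter against domain B alone cannot produce an account name for a domain A member: the FSP object carries only the SID, so a second lookup by objectSid in the trusted domain is required.

```python
# Constructed sample entries for two trusted forests (not real directory data).
# Domain B holds the group; domain A users appear in it only as
# foreignSecurityPrincipal objects whose CN / objectSid is the user's SID.
FSP_DN = "CN=S-1-5-21-1111-2222-3333-1105,CN=ForeignSecurityPrincipals,DC=b,DC=example"
DOMAIN_B = {
    "CN=Ops,OU=Groups,DC=b,DC=example": {
        "objectClass": ["group"],
        "member": [
            "CN=alice,OU=Users,DC=b,DC=example",
            "CN=Ops-Nested,OU=Groups,DC=b,DC=example",
            FSP_DN,
        ],
    },
    "CN=Ops-Nested,OU=Groups,DC=b,DC=example": {
        "objectClass": ["group"],
        "member": ["CN=bob,OU=Users,DC=b,DC=example"],
    },
    "CN=alice,OU=Users,DC=b,DC=example": {"objectClass": ["user"], "sAMAccountName": "alice"},
    "CN=bob,OU=Users,DC=b,DC=example": {"objectClass": ["user"], "sAMAccountName": "bob"},
    FSP_DN: {"objectClass": ["foreignSecurityPrincipal"],
             "objectSid": "S-1-5-21-1111-2222-3333-1105"},
}
DOMAIN_A = {
    "CN=carol,OU=Users,DC=a,DC=example": {
        "objectClass": ["user"], "sAMAccountName": "carol",
        "objectSid": "S-1-5-21-1111-2222-3333-1105",
    },
}

def resolve_members(group_dn, local, foreign, seen=None):
    """Return {sAMAccountName: origin} for every user reachable from group_dn.
    Nested groups are walked recursively; FSP members are resolved by matching
    their SID against the trusted (foreign) domain, or reported as unresolved."""
    seen = seen if seen is not None else set()   # guards against group cycles
    users = {}
    for dn in local[group_dn]["member"]:
        if dn in seen:
            continue
        seen.add(dn)
        entry = local[dn]
        cls = entry["objectClass"]
        if "group" in cls:
            users.update(resolve_members(dn, local, foreign, seen))
        elif "user" in cls:
            users[entry["sAMAccountName"]] = "local"
        elif "foreignSecurityPrincipal" in cls:
            # No account name on the FSP itself: only a SID to look up cross-domain.
            sid = entry["objectSid"]
            hit = next((e for e in foreign.values() if e.get("objectSid") == sid), None)
            users[hit["sAMAccountName"] if hit else sid] = "foreign" if hit else "unresolved"
    return users
```

Passing an empty mapping as the foreign domain reproduces the symptom from the posts: the local users resolve, while the domain A member stays a bare SID that no login name can match.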
Noted, thank you Ive.