Php – Authenticating AD via LDAP with a TRUST via PHP

active-directoryldapphptrust

I've got php code that works as expected to authenticate a user against an Active Directory domain using LDAP. The same domain now has a one-way trust enabled – users in the trusted domain don't appear to be visible.

Example group named "mygroup" with the members:

local_dir_1
local_dir_2
foreign_dir_1

Queried with the filter:

(memberof=CN=mygroup,ou=....,dc=...)

Returns the following members:

local_dir_1
local_dir_2

Within the domain controller however all 3 users are visible as members of the group.

I assumed authentication for users against the trusted domain were failing as I had the wrong base DN or similar so wanted to enumerate the group members to better understand how the foreign users would appear.

Has anyone experienced success executing LDAP searched and obtaining data from objects that exist within a trusted domain?

Best Solution

If communicating via LDAPS the directory may provide more information (not verified however), but under straight LDAP none of the foreign directory samaccountnames are accessible.

All information is visible via Kerberos authenticated messaging - i.e. if you join a unix server to the domain via Samba then the Samba tools have full visibility.