
Unable to perform the cross domain forest user search. #522

Open
chapcoder opened this issue Jun 10, 2024 · 3 comments

Comments

@chapcoder

Hi,

I have a forest setup with forest1 (ex1.local) and forest2 (ex2.local). I have created a bidirectional trust between these two.
When I bind with a user in ex1.local and perform a search for a user in ex2.local, I get 0 results.
Two approaches I followed:

1. Connect to ex1.local as a global catalog on port 3268. Once the bind is successful, I perform the search with an empty baseDN:

   ```go
   searchRequest := ldap.NewSearchRequest(
       "", // The base DN is empty for a GC server
       ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
       fmt.Sprintf("(&(objectClass=organizationalPerson)(displayName=%s))", "denis"), // The filter
       []string{"dn", "cn", "displayName"}, // A list of attributes to retrieve
       nil,
   )
   ```

   This returns only the user present in ex1.local. denis is present in ex2.local also, but that user's details are not retrieved.

2. Get the trust partner details of ex1.local and perform the user search in ex2.local using the fetched trust details, but it gives 0 results.

   ```go
   searchRequest := ldap.NewSearchRequest(
       "DC=ex1,DC=local", // The base DN to search
       ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
       "(objectClass=trustedDomain)", // The filter to apply
       []string{"trustPartner", "trustDirection", "trustType"}, // A list of attributes to retrieve
       nil,
   )
   ```

   This gives trustPartner: ex2.local, trustType: 2, trustDirection: 3.
   Using these details I am performing the user search, but I am getting 0 results:

   ```go
   userSearchRequest := ldap.NewSearchRequest(
       "DC=ex2,DC=local", // The base DN to search
       ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
       "(&(objectClass=user)(cn=usrtest))", // The filter to apply
       []string{"cn", "mail", "memberOf"}, // A list of attributes to retrieve
       nil,
   )
   ```

3. Use the trust's DistinguishedName in the baseDN. I fetched it in the ex1.local AD using the PowerShell command `Get-ADTrust -Filter *`, but I get zero results.

   ```go
   userSearchRequest := ldap.NewSearchRequest(
       "CN=ex2.local,CN=System,DC=ex1,DC=local", // The base DN to search
       ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
       "(&(objectClass=user)(cn=usrtest))", // The filter to apply
       []string{"cn", "mail", "memberOf"}, // A list of attributes to retrieve
       nil,
   )
   ```

Please let me know: is cross domain search not supported yet in go-ldap?

@cpuschma
Member

Hi,

I can replicate your first point, but it seems this is the regular behavior of Active Directory. The go-ldap library has no special implementations for specific directory servers, like Active Directory, OpenLDAP or 389 Server, except for a few LDAP controls.

I cannot replicate point 2; in a domain with at least one trust I can query the trust objects.

@chapcoder
Author

@cpuschma thanks for the reply.
What I want to achieve is to bind with the AD1 forest and perform a search for a user of AD2 using the baseDN of AD2. But I'm not able to perform the search. Somewhere I read that a cross domain forest search is not possible in go-ldap. What I am trying is a simple bind on port 389 with AD forest 1. In the search request I'm giving the baseDN as dc=ex2,dc=local, but the search is giving an error. Please let me know how we can perform a cross domain forest user search using go-ldap.

@chapcoder
Author

Hi @cpuschma, could you please provide any suggestion? There is a use case to perform a cross domain AD forest user search. If there are different sub domains in the same forest, I am able to perform the search, but when I try to perform the cross domain user search using go-ldap I get an error. Python has LDAP libraries with support for cross-domain searches. For example, the ldap3 library in Python supports automatic referral chasing, which can handle cross-domain searches. As far as I can see there is no auto-referral feature available in the go-ldap library. We need to achieve this in Go using the go-ldap library. If there is an alternative by which I can achieve this, please do let me know as soon as possible.
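An added example, not code from go-ldap or from anyone in this thread, of the referral handling that the thread says go-ldap leaves to the caller: when a search based at `dc=ex2,dc=local` is sent to a domain controller in ex1.local, the server answers with a referral (LDAP result code 10) whose URLs go-ldap exposes in `SearchResult.Referrals`, and the caller has to parse them, decide which are safe to follow, and re-issue the search. The `Referral` type and the `parseReferral`/`chaseable` functions are assumptions of this example; the trust check reuses the `trustPartner` value (ex2.local) read from the trustedDomain objects above, and the code uses only the standard library so it runs offline.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Referral is one of go-ldap's SearchResult.Referrals, split for a follow-up search.
type Referral struct {
	Scheme string // "ldap" or "ldaps"
	Host   string // host[:port] to dial
	Name   string // bare lower-case hostname, used for the trust check
	BaseDN string // base DN for the re-issued search
}

// parseReferral parses an RFC 4516 LDAP URL, e.g. ldap://ex2.local/DC=ex2,DC=local.
func parseReferral(ref string) (Referral, error) {
	u, err := url.Parse(ref)
	if err != nil || (u.Scheme != "ldap" && u.Scheme != "ldaps") || u.Hostname() == "" {
		return Referral{}, fmt.Errorf("not a usable LDAP referral: %q", ref)
	}
	// url.Parse has already percent-decoded the DN held in the path component.
	return Referral{Scheme: u.Scheme, Host: u.Host, Name: strings.ToLower(u.Hostname()),
		BaseDN: strings.TrimPrefix(u.Path, "/")}, nil
}

// chaseable keeps only referrals that point into a trust partner domain (the
// trustPartner values read from the trustedDomain objects, e.g. "ex2.local"),
// so the bound user's credentials are never replayed to an unexpected host.
// With requireTLS, plain ldap:// referrals are dropped as well. The caller then
// dials r.Host with go-ldap's DialURL, binds, and re-issues the search with
// NewSearchRequest(r.BaseDN, ...) and the original filter and attributes.
func chaseable(refs, trustPartners []string, requireTLS bool) []Referral {
	var out []Referral
	for _, ref := range refs {
		r, err := parseReferral(ref)
		if err != nil || (requireTLS && r.Scheme != "ldaps") {
			continue // malformed, non-LDAP or plaintext: do not follow
		}
		for _, p := range trustPartners {
			p = strings.ToLower(p)
			if r.Name == p || strings.HasSuffix(r.Name, "."+p) {
				out = append(out, r)
				break
			}
		}
	}
	return out
}
```

Chasing the referral this way means a second bind, so the account used must itself be allowed to authenticate in ex2.local; the global catalog on port 3268 only covers the forest the GC belongs to, which is why approach 1 above returned ex1.local users only.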
