You can do an x-domain simple bind within the forest. You can not do it 
x-forest.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Tuesday, January 23, 2007 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] "Who Am I" request

I think that's fine.  Remember that AD has a global catalog, so you can 
search across the whole forest quite easily.

I'm not actually certain that you can do a simple bind with a user from a 
different domain, but maybe you can.  My multi-domain LDAP knowledge is a 
little weak since I don't actually have to deal with one on a day to day 
basis.  I do know that simple bind is only supposed to support the full 
DN (as per LDAP spec), the UPN or the NT name.  The 
unqualified user name is only supposed to work with a Windows secure 
(GSS-SPNEGO SASL) bind.  I think it actually does work in some cases, but 
not others, so you should not use it as it is not documented to work 
correctly.

There is also a Windows RPC method called DsCrackNames that will translate 
names between different formats if you have a logon name and want something 
you can use in a DN such as the full DN, GUID or SID.  I doubt that helps if 
you are trying to use OpenLDAP though.  :)

Joe K.
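As an added illustration of the name formats Joe lists (example code, not from the thread or from the OpenLDAP library), the function below classifies the name used in a simple bind, chooses the search base and filter that locate the bound user's object, and escapes the name per RFC 4515 so a caller-supplied value cannot alter the filter. The NetBIOS-to-DN mapping and the forest base DN are constructed sample values.

```python
import re

# Constructed sample: NetBIOS domain name -> domain naming context. A real client
# would build this from the forest's configuration partition (crossRef objects).
NETBIOS_TO_DN = {'COMPANY': 'DC=company,DC=com'}

def escape_filter_value(value):
    """RFC 4515 escaping: neutralise filter metacharacters in a user-supplied name."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def lookup_for_bind_name(name, forest_base, netbios_map=NETBIOS_TO_DN):
    """Return the search that locates the object behind a simple-bind name.

    'reliable' is False for a bare sAMAccountName: AD documents simple bind only
    for a full DN, a UPN or an NT name, as the thread says. A forest-wide search
    should go to a global catalog (port 3268) rather than one domain's DC.
    """
    if re.match(r'^[A-Za-z]+=', name):            # full DN: already the object path
        return {'kind': 'dn', 'base': name, 'scope': 'base',
                'filter': '(objectClass=*)', 'reliable': True}
    if '@' in name:                                # UPN: unique across the forest
        return {'kind': 'upn', 'base': forest_base, 'scope': 'subtree',
                'filter': '(userPrincipalName=%s)' % escape_filter_value(name),
                'reliable': True}
    if '\\' in name:                               # NT name DOMAIN\user
        domain, _, user = name.partition('\\')
        # sAMAccountName is unique per domain only, so scope to that domain's NC
        base = netbios_map.get(domain.upper(), forest_base)
        return {'kind': 'nt', 'base': base, 'scope': 'subtree',
                'filter': '(sAMAccountName=%s)' % escape_filter_value(user),
                'reliable': True}
    # Unqualified name: the case the thread warns is undocumented for simple bind
    return {'kind': 'unqualified', 'base': forest_base, 'scope': 'subtree',
            'filter': '(sAMAccountName=%s)' % escape_filter_value(name),
            'reliable': False}
```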

----- Original Message ----- 
From: "Alexandr Kara" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Tuesday, January 23, 2007 3:12 PM
Subject: Re: [ActiveDir] "Who Am I" request


Let's say I did a simple bind with user "TestUser", but the user record is
actually located at "CN=TestUserCN,OU=Users1,DC=company,DC=com" and it can
(as far as I know) only be recognized by having sAMAccountName "TestUser".
I could probably find the user by searching under "DC=company,DC=com" with a
filter "(sAMAccountName=TestUser)", but I think it would impose a substantial
load on the Active Directory server, because not all users are
under "OU=Users,DC=company,DC=cz", some are located in other subtrees. Do you
think it would be OK to do that?

Thanks,
Alexandr

On Tuesday 23 January 2007 19:02, Joe Kaplan wrote:
> If you did a bind to the directory with that user object, then you should
> be able to do a search to find the user object you used for the bind.  This
> might only be complicated if you authenticated with a foreign domain user,
> but I doubt you are doing that.
>
> The exact nature of the search would depend on the user name format you are
> using in the bind.  If you did a simple bind with the DN, then you already
> have the path to the user object.  :)
>
> Joe K.
>
> ----- Original Message -----
> From: "Alexandr Kara" <[EMAIL PROTECTED]>
> To: <ActiveDir@mail.activedir.org>
> Sent: Tuesday, January 23, 2007 11:26 AM
> Subject: Re: [ActiveDir] "Who Am I" request
>
>
> Hello Dmitri,
> thanks for your reply. The server I connect to is pre-LH (Windows 2003 I
> think), which doesn't support WhoAmI.
> You suggested that I read tokenGroups, but I have no "user object" to read it
> from. All I have is a generic connection to an LDAP server (I need to use the
> OpenLDAP library for compatibility).
> Can I get the user object by some other means?
>
> Thanks a lot,
> Alexandr
>
> On Monday 22 January 2007 16:07, Dmitri Gavrilov wrote:
> > ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support
> > WhoAmI extended operation per RFC. In addition, they support
> > rootDSE/tokenGroups attribute, which is exactly what you need to check
> > "self group membership".
> >
> > If you have pre-LH AD, then what you can do is read tokenGroups off the
> > user object (which you can find using %USERDOMAIN% and %USERNAME% vars
> > if you have an interactive session, or by looking up user SID from the
> > token). Note tokenGroups value can vary slightly depending on which DC
> > you connect to. If you want deterministic results, read
> > tokenGroupsGlobalAndUniversal (which excludes domain local groups).
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara
> > Sent: Monday, January 22, 2007 6:46 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] "Who Am I" request
> >
> > Hello everybody,
> > I am trying to get the CN of a user currently connected to Active Directory
> > (using a 3rd party library).
> >
> > I tried the "Who am I?" extended operation from RFC 4532, but I got an error
> > 120 or 0x78 (I don't know if it is useful).
> > Do you know of another method to get the CN? I need it to find out if the user
> > is part of a group.
> >
> > Thanks a lot,
> > Alexandr
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx 
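An added example (not code from the thread) for Dmitri's tokenGroups approach: tokenGroups and objectSid are returned as binary SIDs, so the membership check decodes them and compares against the target group's SID string. The token group values below are constructed sample data; S-1-5-32-545 is the well-known BUILTIN\Users SID.

```python
import struct

def sid_to_string(blob):
    """Decode a binary SID (as in tokenGroups / objectSid) to its S-1-... text form."""
    if len(blob) < 8 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError('malformed SID blob')
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], 'big')      # 48-bit big-endian authority
    subs = struct.unpack('<%dI' % count, blob[8:])    # sub-authorities little-endian
    return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in subs)

def string_to_sid(text):
    """Inverse of sid_to_string; used here to build the constructed sample data."""
    parts = text.split('-')
    if len(parts) < 3 or parts[0] != 'S':
        raise ValueError('malformed SID string')
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, 'big')
            + struct.pack('<%dI' % len(subs), *subs))

def is_member(token_groups, group_sid):
    """True if group_sid is among the bound user's tokenGroups (binary values)."""
    return group_sid in {sid_to_string(v) for v in token_groups}

# Constructed sample: what a tokenGroups read might return for one user.
# The S-1-5-21-... domain identifier is made up; 513 is the Domain Users RID.
SAMPLE_TOKEN_GROUPS = [string_to_sid(s) for s in (
    'S-1-5-21-1004336348-1177238915-682003330-513',   # Domain Users
    'S-1-5-21-1004336348-1177238915-682003330-1105',  # a custom global group
    'S-1-5-32-545',                                   # BUILTIN\Users (well-known)
)]
```

The same decode applies to tokenGroupsGlobalAndUniversal, which Dmitri recommends when the result must not depend on which DC answered.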
