On 10/06/14 20:39, Jamie Baddeley wrote:
> Has anyone done this before? If so I'll push back on the AD admin
> to try harder.
You can't do it using a single LDAP connector. AD trusts are not transitive across forests, so an LDAP connection to an AD domain controller can only authenticate users in that forest - not any other. And as you've discovered, almost every "LDAP enabled" product out there appears to be ignorant of that fact and only supports a single forest (they think domain, but it is forest).

Either you can try to create an LDAP proxy that merges several LDAP backends into one (good luck with that, I never managed it), or you need to look at something besides LDAP.

Owncloud supports a "webdav authentication" backend too - you could use that instead. Basically it takes the username and password the user types into the form and throws it at an HTTP backend of your choice: you could pass that to (say) IIS - which can do multi-forest authentication. However, you will lose all ability to manage users within owncloud as that backend doesn't have the appropriate hooks owncloud needs.

You could also look at SAML - basically you need to move the multi-forest problem off onto a backend that can support it.

All conjecture on my part, but one of them might work.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________ User mailing list [email protected] http://mailman.owncloud.org/mailman/listinfo/user
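As an added example (not from the original thread, and not ownCloud's or IIS's code), here is a minimal HTTP backend of the kind Jason describes for the "webdav authentication" route: it receives the username and password over HTTP Basic Auth, works out which forest the account belongs to from a `DOMAIN\user` or `user@dns.suffix` name, and performs a simple bind against only that forest's domain controller, answering 200 or 401. The forest names, server hostnames, the `ldap3` dependency, and the assumption that the caller sends Basic Auth and treats any 2xx response as success are all assumptions made for the example. Routing on the name rather than trying every forest in turn matters for two reasons a practitioner would care about: a wrong-forest attempt should not count as a failed logon against an account of the same name elsewhere, and an empty password is rejected before it reaches the directory, because an LDAP simple bind with an empty password is an anonymous bind that succeeds.

```python
"""Multi-forest credential check behind an HTTP Basic Auth endpoint (added example).

Assumptions (not from the original message): forest names/servers below are
hypothetical, the caller (e.g. an ownCloud webdav-auth style backend) sends
HTTP Basic Auth and treats 2xx as "authenticated", and ldap3 is installed
only if you actually run the server part.
"""
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, Optional, Tuple

# Hypothetical forests: each is reached via its own DC, and a name is matched
# by either the NetBIOS name or the DNS suffix the user typed.
FORESTS = [
    {"netbios": "corp", "dns": "corp.example.com",
     "server": "ldaps://dc1.corp.example.com"},
    {"netbios": "partner", "dns": "partner.example.net",
     "server": "ldaps://dc1.partner.example.net"},
]

# (server_url, user_principal_name, password) -> bind succeeded?
BindFn = Callable[[str, str, str], bool]


def split_principal(name: str) -> Optional[Tuple[str, str]]:
    """Accept 'DOMAIN\\user' or 'user@domain'; return (domain_lower, user)."""
    if "\\" in name:
        dom, _, user = name.partition("\\")
    elif "@" in name:
        user, _, dom = name.rpartition("@")
    else:
        return None  # bare username: no way to pick a forest safely
    dom, user = dom.strip().lower(), user.strip()
    if not dom or not user:
        return None
    return dom, user


def find_forest(dom: str) -> Optional[Dict[str, str]]:
    """Map a NetBIOS name or DNS suffix to exactly one forest entry."""
    for forest in FORESTS:
        if dom in (forest["netbios"], forest["dns"]):
            return forest
    return None


def check_credentials(name: str, password: str, bind: BindFn) -> bool:
    """Dispatch the bind to the one forest the name belongs to."""
    parsed = split_principal(name)
    if parsed is None or not password:
        # Empty password would become an anonymous (always successful) bind.
        return False
    dom, user = parsed
    forest = find_forest(dom)
    if forest is None:
        return False  # unknown forest: never spray the password at every DC
    upn = f"{user}@{forest['dns']}"
    return bind(forest["server"], upn, password)


def basic_auth_header(user: str, password: str) -> str:
    """What the calling side sends; used here to build sample requests."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode()
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:password)'; None if absent or malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def authorize_request(header: Optional[str], bind: BindFn) -> int:
    """HTTP status the endpoint returns for a given Authorization header."""
    creds = parse_basic_auth(header)
    if creds is None:
        return 401
    return 200 if check_credentials(creds[0], creds[1], bind) else 401


def ldap_simple_bind(server_url: str, upn: str, password: str) -> bool:
    """Real bind against the chosen forest's DC (requires the ldap3 package)."""
    import ldap3  # imported here so the routing logic runs without ldap3
    from ldap3.core.exceptions import LDAPException
    server = ldap3.Server(server_url, get_info=ldap3.NONE)
    try:
        conn = ldap3.Connection(server, user=upn, password=password,
                                authentication=ldap3.SIMPLE, receive_timeout=5)
        ok = conn.bind()
        conn.unbind()
        return ok
    except LDAPException:
        return False


def make_handler(bind: BindFn):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status = authorize_request(self.headers.get("Authorization"), bind)
            self.send_response(status)
            if status == 401:
                self.send_header("WWW-Authenticate", 'Basic realm="forests"')
            self.send_header("Content-Length", "0")
            self.end_headers()
        do_HEAD = do_GET
    return Handler


if __name__ == "__main__":
    # Bind the checker to loopback only; put TLS in front of it in practice.
    HTTPServer(("127.0.0.1", 8080), make_handler(ldap_simple_bind)).serve_forever()
```

The bind function is injected so the dispatch logic can be exercised with a fake that knows one valid credential, which is also how you would test the endpoint without touching a real DC. Anything that would make the caller's own password visible to the wrong forest (a bare username, an unknown suffix) is answered with 401 before any directory is contacted.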
