LDAP Bind

[Sawyer]

Hello all

We have a forest level trust between two 2003 native mode forests. In
forestA we have a user account that need to be able to pull user information
using LDAP to from forestB. We had the admin in forestB add the account from
forestA to a domain local group in forestB. I am now testing this
configuration out using LDP.exe. I can make a connection to a DC in forestB,
but i cant do a bind using the account from forestA. I dont think the
account needs elevated permissions in order to do a bind, because i can do a
bind to my local domain using any AD account and i can view a basDN. When i
try and do a bind to forestB using the account from forestA i get error
"NTauthidentity:user=itsm;PWD unavailable.

I'm assuming if i cant do a ldap bind using ldp.exe i wont be able to pull
user information from the other forest?

Thanks

[Joe Kaplan]

Windows "secure" bind should work here, but you will need to provide a
domain for a qualified user name. Are you doing that? I don't think simple
bind will work in this case but I can't remember for sure. Hopefully you
don't require simple bind.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Sawyer" <Gmail@gmail.com> wrote in message
news:A7C2A54F-2A12-4765-9B27-1D7C88116B81@microsoft.com...
> Hello all
>
> We have a forest level trust between two 2003 native mode forests. In
> forestA we have a user account that need to be able to pull user
> information using LDAP to from forestB. We had the admin in forestB add
> the account from forestA to a domain local group in forestB. I am now
> testing this configuration out using LDP.exe. I can make a connection to a
> DC in forestB, but i cant do a bind using the account from forestA. I dont
> think the account needs elevated permissions in order to do a bind,
> because i can do a bind to my local domain using any AD account and i can
> view a basDN. When i try and do a bind to forestB using the account from
> forestA i get error "NTauthidentity:user=itsm;PWD unavailable.
>
> I'm assuming if i cant do a ldap bind using ldp.exe i wont be able to pull
> user information from the other forest?
>
> Thanks

[Sawyer]

Hello Joe

in ldp.exe what option is the "secure bind" i do provide the local domain
name of the user account in forestA that is trying to perform the bind to
forestB

Thanks again

"Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
news:OtP3q3$0JHA.1372@TK2MSFTNGP05.phx.gbl...
> Windows "secure" bind should work here, but you will need to provide a
> domain for a qualified user name. Are you doing that? I don't think
> simple bind will work in this case but I can't remember for sure.
> Hopefully you don't require simple bind.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> "Sawyer" <Gmail@gmail.com> wrote in message
> news:A7C2A54F-2A12-4765-9B27-1D7C88116B81@microsoft.com...
>> Hello all
>>
>> We have a forest level trust between two 2003 native mode forests. In
>> forestA we have a user account that need to be able to pull user
>> information using LDAP to from forestB. We had the admin in forestB add
>> the account from forestA to a domain local group in forestB. I am now
>> testing this configuration out using LDP.exe. I can make a connection to
>> a DC in forestB, but i cant do a bind using the account from forestA. I
>> dont think the account needs elevated permissions in order to do a bind,
>> because i can do a bind to my local domain using any AD account and i can
>> view a basDN. When i try and do a bind to forestB using the account from
>> forestA i get error "NTauthidentity:user=itsm;PWD unavailable.
>>
>> I'm assuming if i cant do a ldap bind using ldp.exe i wont be able to
>> pull user information from the other forest?
>>
>> Thanks
>

[Joe Kaplan]

If you have one of the more recent versions of ldp.exe and the bind dialog
has radio buttons for the bind types, the top two use Negotiate auth by
default which is what you want. The second option (bind with credentials)
would be the one you would use since you want to supply specific
credentials.

I can't remember the older versions as well but I think as long as the UI
shows the domain box, it should be doing Negotiate auth (secure bind). If
the trust exists, the bind should succeed if the credentials are valid.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Sawyer" <Gmail@gmail.com> wrote in message
news:DFF51E2E-AA15-469A-804B-714724204882@microsoft.com...
> Hello Joe
>
> in ldp.exe what option is the "secure bind" i do provide the local domain
> name of the user account in forestA that is trying to perform the bind to
> forestB
>
> Thanks again
>
> "Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
> news:OtP3q3$0JHA.1372@TK2MSFTNGP05.phx.gbl...
>> Windows "secure" bind should work here, but you will need to provide a
>> domain for a qualified user name. Are you doing that? I don't think
>> simple bind will work in this case but I can't remember for sure.
>> Hopefully you don't require simple bind.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> "Sawyer" <Gmail@gmail.com> wrote in message
>> news:A7C2A54F-2A12-4765-9B27-1D7C88116B81@microsoft.com...
>>> Hello all
>>>
>>> We have a forest level trust between two 2003 native mode forests. In
>>> forestA we have a user account that need to be able to pull user
>>> information using LDAP to from forestB. We had the admin in forestB add
>>> the account from forestA to a domain local group in forestB. I am now
>>> testing this configuration out using LDP.exe. I can make a connection to
>>> a DC in forestB, but i cant do a bind using the account from forestA. I
>>> dont think the account needs elevated permissions in order to do a bind,
>>> because i can do a bind to my local domain using any AD account and i
>>> can view a basDN. When i try and do a bind to forestB using the account
>>> from forestA i get error "NTauthidentity:user=itsm;PWD unavailable.
>>>
>>> I'm assuming if i cant do a ldap bind using ldp.exe i wont be able to
>>> pull user information from the other forest?
>>>
>>> Thanks
>>
>

[Sawyer]

Yea that worked, i was able to do a ldap bind using ldp.exe from a 2008 DC
"Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
news:%23jqGM$D1JHA.6004@TK2MSFTNGP02.phx.gbl...
> If you have one of the more recent versions of ldp.exe and the bind dialog
> has radio buttons for the bind types, the top two use Negotiate auth by
> default which is what you want. The second option (bind with credentials)
> would be the one you would use since you want to supply specific
> credentials.
>
> I can't remember the older versions as well but I think as long as the UI
> shows the domain box, it should be doing Negotiate auth (secure bind). If
> the trust exists, the bind should succeed if the credentials are valid.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> "Sawyer" <Gmail@gmail.com> wrote in message
> news:DFF51E2E-AA15-469A-804B-714724204882@microsoft.com...
>> Hello Joe
>>
>> in ldp.exe what option is the "secure bind" i do provide the local domain
>> name of the user account in forestA that is trying to perform the bind to
>> forestB
>>
>> Thanks again
>>
>> "Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
>> news:OtP3q3$0JHA.1372@TK2MSFTNGP05.phx.gbl...
>>> Windows "secure" bind should work here, but you will need to provide a
>>> domain for a qualified user name. Are you doing that? I don't think
>>> simple bind will work in this case but I can't remember for sure.
>>> Hopefully you don't require simple bind.
>>>
>>> --
>>> Joe Kaplan-MS MVP Directory Services Programming
>>> Co-author of "The .NET Developer's Guide to Directory Services
>>> Programming"
>>> http://www.directoryprogramming.net
>>> "Sawyer" <Gmail@gmail.com> wrote in message
>>> news:A7C2A54F-2A12-4765-9B27-1D7C88116B81@microsoft.com...
>>>> Hello all
>>>>
>>>> We have a forest level trust between two 2003 native mode forests. In
>>>> forestA we have a user account that need to be able to pull user
>>>> information using LDAP to from forestB. We had the admin in forestB add
>>>> the account from forestA to a domain local group in forestB. I am now
>>>> testing this configuration out using LDP.exe. I can make a connection
>>>> to a DC in forestB, but i cant do a bind using the account from
>>>> forestA. I dont think the account needs elevated permissions in order
>>>> to do a bind, because i can do a bind to my local domain using any AD
>>>> account and i can view a basDN. When i try and do a bind to forestB
>>>> using the account from forestA i get error
>>>> "NTauthidentity:user=itsm;PWD unavailable.
>>>>
>>>> I'm assuming if i cant do a ldap bind using ldp.exe i wont be able to
>>>> pull user information from the other forest?
>>>>
>>>> Thanks
>>>
>>
>