Solved

Users in Child Domains cannot log in

Posted on 2012-03-29
Last Modified: 2012-08-14
We are trying to implement TikiWiki Groupware for my organization. My problem is getting the LDAP function to allow users in my child domains to log in. Currently it only allows users from the parent domain to log in. Here is the issue I posted to the TikiWiki Community:

My company has 4 child domains (representing 4 remote offices) in addition to the parent domain set up in Active Directory.
So, it looks something like this:

Parent: domain.com (This is my Base DN)
Child1: remotesite1.domain.com
Child2: remotesite2.domain.com
Child3: remotesite3.domain.com
Child4: remotesite4.domain.com

Each child domain has users that are not present on the parent domain (Base DN), which is the main office.

Attached is a screenshot of the setup I currently have on my LDAP tab (without specifics).

Any user registered in the Active Directory parent domain (BASE DN) can log into the Tiki with no problem.

Any user who logs in from any of my child domains fails to log in with an "Invalid password" message. I can reset the password, triple check it's being entered in properly, and the result is ALWAYS the same.

The response I received back from the community was:

So far as I know, Tiki is not currently capable of authenticating against multiple domains (or multiple LDAP servers). The code could be modified to search, say, the global catalog for the user's DN and then authenticate against the corresponding domain, but this would be custom coding.

My question is how would I modify the code to search the global catalog? I'm more of a Network type, not a coding type. I've attached the same screenshot I used for this forum. If more information is needed let me know. I would love to get this working.
Question by:ShoanAmuse

Assisted Solution

by:Leon Fester
Leon Fester earned 500 total points
ID: 37784602
Depending on how that application is configured, you may not be able to use the Global Catalog, since the bind is slightly different.
If they've hardcoded that in the application and all you're entering is the BASE DN, then no, it will not work.

But here are the links for how to bind to the Global Catalog.

http://technet.microsoft.com/en-us/library/cc978012.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/ms675564(v=vs.85).aspx

P.S. I don't see any screenshots.

Author Comment

by:ShoanAmuse
ID: 37801328
My apologies for not responding sooner, I have been away from the office for several days. I am checking into this now.

I had made a modification to the question after posting and forgot to re-include the attachment, I am including that with this comment.
tikiexample.JPG

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 37801470
According to this document, you should be able to search the Global catalog.
http://technet.microsoft.com/en-us/library/cc978012.aspx

In your config change the following:
1. Ensure that your host is a Global Catalog.
You can run "nslookup gc._msdcs.%USERDNSDOMAIN%" to find all the GCs in your domain
2. Change the port to "3268"
3. Change the Scope to "Entire Directory"
4. Make sure that your Base DN is set to the root domain "dc=domain,dc=com"
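The flow described in the community reply quoted in the question (find the user's DN in the Global Catalog, then authenticate against that user's own domain), as an added example that is not Tiki code and not part of the answers above. The port and Base DN come from the accepted answer; the `sAMAccountName` lookup, the `objectClass=user` filter and all function names are assumptions, and the sample DN is constructed.

```python
GC_PORT = 3268                      # Global Catalog port from the answer above
ROOT_BASE_DN = "dc=domain,dc=com"   # forest root Base DN, as on the page

def escape_filter(value):
    """Escape a user-supplied login for an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def gc_search_request(login):
    """Step 1: parameters for a forest-wide lookup of the user on a GC."""
    flt = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter(login)
    return {"port": GC_PORT, "base": ROOT_BASE_DN, "scope": "subtree", "filter": flt}

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            parts.append(cur.strip())
            cur, i = "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    parts.append(cur.strip())
    return [p for p in parts if p]

def domain_of_dn(dn):
    """Derive the DNS domain (remotesite1.domain.com) from the DC= RDNs."""
    labels = [v.strip().lower() for a, _, v in (r.partition("=") for r in split_dn(dn))
              if a.strip().lower() == "dc"]
    if not labels:
        raise ValueError("DN has no DC components")
    return ".".join(labels)

def bind_target(found_dns, password):
    """Step 2: decide where to bind with the DN the GC search returned."""
    # A simple bind with an empty password is an unauthenticated bind
    # (RFC 4513) and can succeed without checking any credential.
    if not password:
        raise ValueError("empty password would be an unauthenticated bind")
    # sAMAccountName is unique per domain, not per forest: refuse ambiguity.
    if len(found_dns) != 1:
        raise ValueError("expected exactly one match, got %d" % len(found_dns))
    return {"domain": domain_of_dn(found_dns[0]), "bind_dn": found_dns[0]}

# Constructed sample: what a GC search might return for a child-domain user.
SAMPLE_DN = r"CN=Doe\, Jane,OU=Staff,DC=remotesite1,DC=domain,DC=com"
```

The bind itself then goes to a domain controller of the returned `domain` using `bind_dn` and the password the user typed, which is the step a single-Base-DN configuration cannot perform for child-domain accounts.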
 

Author Closing Comment

by:ShoanAmuse
ID: 37802436
Thanks for the help! I have tried all the suggested options with this and it appears it is just a major flaw in the design of the Groupware for TikiWiki. I have put in a request to have the option edited to be able to include child domains.

According to the way the code is set up, all the above suggestions would allow users in multiple domains to access the TikiWiki, but no matter how it is modified to include the Global Catalog, child domain users still cannot log in.

I hope they can develop a solution. Thanks so much for your suggestions anyway!