Going to add my $0.02 here, but yes, AD is not LDAP. It looks like and behaves like LDAP in many cases, but it's the MS flavor, with many changes; AD and LDAP are not interchangeable... AD is its own creature.... I grow tired of explaining this... one is standards-based, the other is NOT....
On Apr 16, 2020, at 2:35 PM, Quanah Gibson-Mount <quanah@symas.com> wrote:
--On Thursday, April 16, 2020 2:10 PM +0000 "Kleber S. Carvalho" <kleber.s.carvalho@avanade.com> wrote:

First, we performed a valid test by performing authentication and a
simple query directly to the minca.com domain, with the command:

ldapsearch -H 'ldap://minca.com:3268' -D 'cn=Administrator,cn=users,dc=minca,dc=com' -w 'Avanade@2020!' -b 'cn=users,dc=minca,dc=com'

However, when performing this procedure and authenticating the user
minca@minca.com in the child.klabs.com domain using the ldapsearch tool,
the result was an error according to file
7_openldaperror_indirectaccess.JPG stating invalid credentials.

Expected I would think, if using a simple bind.

However, a .net application was created to perform this same function and
it worked, as per file 9_dotNetApp_success.JPG.

AD is not LDAP.

Finally, the conclusion we are reaching is that the openldap tool does
not work directly between forests, but only on the same tree. We would
like to know if this understanding is correct or if this is really a bug
in the tool.

AD is not LDAP.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>