What permissions are needed to read Active Directory as LDAP?

Time: 2021-01-26 19:11:54

The setup:

There is a central AD domain (CENTRAL) and multiple separate forests, each of which has its own domain (BRANCH1, BRANCH2, BRANCH3).

There are 2-way domain trusts between CENTRAL and all other domains.

An application I'm working on runs on the CENTRAL domain and performs LDAP searches on all domains, using the credentials CENTRAL\ldapreader.

This works perfectly for CENTRAL and BRANCH1, but BRANCH2 and BRANCH3 refuse the connection with an invalid credentials error. If the search instead uses an account in those domains (BRANCH2\ldapreader, etc.), then the search works fine.

What level of permissions is needed to read AD as an LDAP server? Everything I've found indicates that this is allowed for AUTHENTICATED USERS, which should work fine with CENTRAL\ldapreader due to the two-way trust, but that isn't the behavior we're getting.

1 solution

#1

I think the permission you're looking for is "List Contents". You should ensure "CENTRAL\ldapreader" has this permission for BRANCH2 and BRANCH3.

I'm wondering if you set up the trusts with selective authentication or forest-wide authentication and whether you can manually browse BRANCH2 and BRANCH3.

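To separate the two causes the answer raises (trust authentication mode versus the "List Contents" ACL on the branch domains), here is an added PowerShell diagnostic that is not part of the original post. It assumes the branch DNS names `branch2.example` and `branch3.example`, that it runs on a CENTRAL member with RSAT installed, and that the domain DNS name maps directly to the root DN; the account name and password are prompted for.

```powershell
# Added diagnostic (not from the original post). For each branch domain it:
#  1. reads the trust object from CENTRAL and reports whether selective authentication is on,
#  2. binds to a branch DC as CENTRAL\ldapreader,
#  3. lists the domain root's immediate children (what the "List Contents" right governs),
# so a bind failure (LDAP result 49, invalidCredentials) is told apart from an ACL failure.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$branches = @('branch2.example', 'branch3.example')   # assumed DNS names, adjust to yours
$cred     = Get-Credential 'CENTRAL\ldapreader'       # prompts for the password

foreach ($domain in $branches) {
    # Trust as seen from CENTRAL. SelectiveAuthentication = True means CENTRAL accounts
    # additionally need the "Allowed to Authenticate" right on the branch domain controllers.
    $trust = Get-ADTrust -Filter "Name -eq '$domain'"
    if ($trust) {
        "{0}: direction={1} selectiveAuth={2}" -f $domain, $trust.Direction, $trust.SelectiveAuthentication
    } else {
        "{0}: no trust object found from CENTRAL" -f $domain
    }

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($domain, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Credential = $cred.GetNetworkCredential()
    $conn.SessionOptions.Signing = $true    # request LDAP signing on the plain port

    try {
        $conn.Bind()
        # Assumes the root DN follows the DNS name, e.g. branch2.example -> DC=branch2,DC=example
        $baseDn = 'DC=' + ($domain -replace '\.', ',DC=')
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $baseDn, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::OneLevel, 'name')
        $resp = $conn.SendRequest($req)
        "{0}: bind OK, {1} child objects visible under {2}" -f $domain, $resp.Entries.Count, $baseDn
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 49 here points at cross-trust authentication, not at directory ACLs
        "{0}: LDAP error {1} ({2})" -f $domain, $_.Exception.ErrorCode, $_.Exception.Message
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Bound fine but the search was refused, e.g. InsufficientAccessRights: check List Contents
        "{0}: bound OK but search failed: {1}" -f $domain, $_.Exception.Response.ResultCode
    } finally {
        $conn.Dispose()
    }
}
```

A bind that fails on BRANCH2/BRANCH3 but succeeds on BRANCH1 with the same credential matches a trust-side difference (selective authentication), whereas a successful bind with zero or refused results matches the missing "List Contents" right.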