Nested AD groups - Cross domain

Respected Contributor

Re: Nested AD groups - Cross domain

Hi Stewart,

Yes, either of those options would work for giving the user the display of which domain/realm they will be logging in against. I have seen both used (together and separately); whichever you think would work best for your users.


Re: Nested AD groups - Cross domain


Ok...this problem is marked as solved, but I had a similar problem with users in multiple domains, so maybe my solution can help you in any way.

Here we have a classic domain setup with a root domain and some sub-domains.

..and so on.

The users of the SA can be from any of these domains, which means the LDAP lookup had to start at the root domain.


Because of the size and number of the domains, the LDAP lookup took unacceptably long (40+ seconds).
An AD/NT lookup ran into a timeout after 2 minutes or so. So I had to search for another solution.

My idea then was to build some kind of dynamic BASE DN to let the LDAP lookup start directly within the user's domain.

To achieve this, I configured the Reply-message attribute on the Radius server (we use Radius for the first authentication) to reply with the (sub)domain name of the user who logs in.

JohnDoe Auth-Type := Local, Cleartext-Password := "password"

In the LDAP Auth Server settings I then used the system variable "userAttr.<auth-attr>" to dynamically build the correct BASEDN for the lookup.

Looks like this

dc=<[email protected]>,dc=domain,dc=com

When a user logs in, this resolves to ....


With this Base DN, the LDAP Server of the root domain directly replies with a redirect to the domain controller of the user's domain, which is then queried for the user attributes.

Maybe my solution can help in any way.


Super Contributor

Re: Nested AD groups - Cross domain

That is genius.


Re: Nested AD groups - Cross domain

Agreed! Great information. We have a radius server so hopefully we can achieve the same thing. Our domains do not share a common suffix or prefix, but I don't suppose that shouldn't matter too much. I guess I could just provide the whole base DN in the reply:

JohnDoe Auth-Type := Local,

Cleartext-Password := "password"


Then use Base DN under auth server as "<[email protected]>"

Hopefully this will work too.
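
Added example, not part of the thread and not the appliance's or the RADIUS server's own code: a Python sketch of the check worth applying wherever the RADIUS reply value is produced or consumed, so that only an expected sub-domain label (the first approach above) or an expected complete base DN (the second approach) can end up as the LDAP search base. The allow-lists, domain names and function names are constructed for illustration.

```python
import re

# Constructed sample values: the thread gives no real domain names.
ROOT_SUFFIX = "dc=domain,dc=com"                    # suffix as written in the post
ALLOWED_SUBDOMAINS = {"emea", "apac"}               # hypothetical sub-domain labels
ALLOWED_BASE_DNS = {"dc=corp,dc=example",           # hypothetical unrelated domains
                    "dc=partner,dc=test"}

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def base_dn_from_label(reply_message: str) -> str:
    """Sub-domain form: the reply carries only the label placed in the first dc=."""
    label = reply_message.strip().lower()
    if not _LABEL.fullmatch(label):
        raise ValueError(f"not a single DNS label: {reply_message!r}")
    if label not in ALLOWED_SUBDOMAINS:
        raise ValueError(f"sub-domain not allow-listed: {label!r}")
    return f"dc={label},{ROOT_SUFFIX}"


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN made only of dc= components; reject anything else."""
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = (p.strip().lower() for p in rdn.partition("="))
        if sep != "=" or attr != "dc" or not _LABEL.fullmatch(value):
            raise ValueError(f"unexpected RDN in base DN: {rdn!r}")
        parts.append(f"dc={value}")
    return ",".join(parts)


def base_dn_from_full(reply_message: str) -> str:
    """Whole-DN form: the reply carries the complete base DN."""
    dn = normalize_dn(reply_message)
    if dn not in ALLOWED_BASE_DNS:
        raise ValueError(f"base DN not allow-listed: {dn!r}")
    return dn
```

A value that contains a comma, an extra RDN or an unlisted domain raises `ValueError` instead of widening or redirecting the search base.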