Hello,

OK... this problem is marked as solved, but I had a similar problem with users in multiple domains, so maybe my solution can help you in any way.

Here we have a classic domain setup with a root domain and some sub-domains:

    domain.com
    aaa.domain.com
    bbb.domain.com
    ...and so on.

The users of the SA can be from any of these domains, which means the LDAP lookup had to start at the root domain:

    dc=domain,dc=com

Because of the size and number of the domains, the LDAP lookup took unacceptably long (40+ seconds). An AD/NT lookup ran into a timeout after 2 minutes or so. So I had to search for another solution.

My idea then was to build some kind of dynamic Base DN to let the LDAP lookup start directly within the user's domain. To achieve this, I configured the Reply-Message attribute on the RADIUS server (we use RADIUS for the first authentication) to reply with the (sub)domain name of the user who logs in:

    JohnDoe Auth-Type := Local, Cleartext-Password := "password"
        Reply-Message := "aaa"

In the LDAP Auth Server settings I then used the system variable "userAttr.<auth-attr>" to dynamically build the correct Base DN for the lookup. Looks like this:

    dc=<[email protected]>,dc=domain,dc=com

When a user logs in, this resolves to:

    dc=aaa,dc=domain,dc=com

With this Base DN, the LDAP server of the root domain directly replies with a redirect to the domain controller of the user's domain, which is then queried for the user attributes.

Maybe my solution can help in any way.

Marc
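The dynamic Base DN above splices a RADIUS reply attribute into an LDAP DN. The following is an added example (not code from the post or from any vendor product) showing how a defender would build that DN with the checks the appliance template itself does not perform: normalising the value, requiring it to be an allow-listed DNS label, and escaping it per RFC 4514 so a malformed attribute can never widen or redirect the search. `ROOT_BASE_DN`, `ALLOWED_SUBDOMAINS` and the function names are assumptions; the domain names are the post's placeholders.

```python
"""Constructed example: derive dc=<sub>,dc=domain,dc=com from a RADIUS
Reply-Message value with validation and RFC 4514 escaping."""
import re

ROOT_BASE_DN = "dc=domain,dc=com"                 # assumed root domain
ALLOWED_SUBDOMAINS = {"aaa", "bbb"}               # assumed allow-list of sub-domains

# RFC 4514 section 2.4: characters that must be escaped in an attribute value.
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')
# A single DNS label: letters, digits, hyphen, at most 63 characters.
_DNS_LABEL = re.compile(r"[a-z0-9-]{1,63}")


def escape_dn_value(value: str) -> str:
    """Escape a string so it is safe as an RDN attribute value (RFC 4514)."""
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if escaped[:1] in ("#", " "):                 # leading '#' or space
        escaped = "\\" + escaped
    if escaped.endswith(" "):                     # trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped


def validate_subdomain(reply_message: str):
    """Return the normalised sub-domain label, or None if it is not acceptable."""
    label = reply_message.strip().lower()
    if not _DNS_LABEL.fullmatch(label):
        return None
    if label not in ALLOWED_SUBDOMAINS:
        return None
    return label


def build_base_dn(reply_message: str) -> str:
    """Build the per-domain Base DN the post describes, rejecting bad input."""
    label = validate_subdomain(reply_message)
    if label is None:
        raise ValueError(f"rejected Reply-Message value: {reply_message!r}")
    # Escaping is redundant after the label check but keeps the builder safe
    # if the allow-list is later relaxed to values with DN metacharacters.
    return f"dc={escape_dn_value(label)},{ROOT_BASE_DN}"


if __name__ == "__main__":
    print(build_base_dn("aaa"))                   # dc=aaa,dc=domain,dc=com
```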