You are right, we narrowed down our group search filter yesterday to only search the container holding our group memberships and it's no longer reaching out to the child domains. We've run across another issue though and I'm hoping you might be able to help; the SA sits in one environment, and we have a one-way trust relationship with another DC in a separate forest. I'm able to authenticate users in the local domain on the appliance but not from the trusted domain. According to JTAC, authentication with AD using cross-forest trust is not supported. Is it possible to define a RADIUS server as auth, and still use LDAP as the authorization server to pull group memberships? I'm a bit cloudy on how the group fetching will work when using RADIUS, or if you have any other suggestions that would be great.