Active Directory, Child domain logins with ad login authority, help needed!
807578Oct 13 2006 — edited Jul 17 2007Hello, I've successfully configured SGD 4.2.983 to login using Active Directory as a login authority. In my base domain let's say domain.com) I can create users, and use DSI to publish apps based on groups, etc.
When I create a child domain (child1.domain.com) a user from this domain cannot login to the server. I've setup my kerberos (krb5.conf file) to contain the child domain, and using kinit, can get a ticket from the child1.domain.com domain, but when I try to login with the web interface, I get: (this is using either user@child1, user@child1.domain.com or either with caps or without)
2006/10/13 12:18:21.763 (pid 4593) server/ldap/error #1160756301763
Sun Secure Global Desktop Software (4.2) ERROR:
LDAP call failed: lookupLink-.../_ldapmulti/forest/("DC=CHILD1,DC=DOMAIN,DC=COM") 1ms javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
ref 1: 'CHILD1.DOMAIN.COM'
]; remaining name 'DC=CHILD1,DC=DOMAIN,DC=COM'
A call to LDAP failed. This might mean LDAP users cannot log in.
Check the operation was correct, the LDAP configuration is valid, and the
LDAP server is still running.
From other articles on the net, I've found that the ldap error code seems to be a referral error. But couldn't find anything so far in the docs or on this forum concerning my problem.
Does anyone have a similar working setup? This server is going to be used by many separate divisions, and using child domains simplifies management by allowing people from each division to manage their division entirely.
Thanks for your time!