
I'm trying to write an efficient LDAP Query that returns results from another Forest/Domain. There is not a two-way trust in place. There are not conditional forwarders in place. What I do have is a verified network connection, an IP address and a service account and password to use.

This is the basic LDAP code I usually use.

    using System.DirectoryServices;

    // Placeholder filter and attribute list; the original post left qry and columns undefined
    string qry = "(sAMAccountName=someuser)";
    string[] columns = { "distinguishedName", "mail" };
    DirectoryEntry deParent = new DirectoryEntry("LDAPS://000.0.000.00/DC=bob,DC=earl,DC=john,DC=whatever");
    deParent.Username = "Domain\\UserName";
    deParent.Password = "Password";
    deParent.AuthenticationType = AuthenticationTypes.Secure;
    DirectorySearcher ds = new DirectorySearcher(deParent, qry, columns, SearchScope.Subtree);

I know this is a little broad spectrum, but there's a lot of conflicting information out there. So.

  1. Is a trust REQUIRED to perform a cross forest query? Query only, no login except for the service account.
  2. Will a basic DirectoryEntry call like above work?
  3. Can anyone please provide an example of a working cross forest query in c#?
  • Using the global catalog would help as well (port 3268). The GC contains a read-only replica of the forest, so redirecting is generally not required. The replica only contains certain values, so if you're searching on anything out of the ordinary, this won't work. – Simon Halsey Dec 24 '13 at 00:34
  • In this case, port 3268 wasn't open to us. I'll keep that in mind though for performance improvement as time goes on. – Jack Dec 26 '13 at 11:18

2 Answers


1. Is a trust REQUIRED to perform a cross forest query? Query only, no login except for the service account.

No, a trust isn't required to perform a cross forest query.

2. Will a basic DirectoryEntry call like above work? Not even a little bit. The standard Directory Entry method would/might work if appropriate trusts were involved.

3. Can anyone please provide an example of a working cross forest query in c#? This Method works.

And This has more information.

And just in case, if you don't have a DNS entry for the forest's FQDN, just update your HOSTS file to point it in the right place.

And even more information. If your Search Request is extremely slow (~48-60 seconds), be sure to turn referral chasing OFF!

    connection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
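An added example (not code from the original answers or the linked method) of the System.DirectoryServices.Protocols approach the answer points at: an LDAPS bind to a DC by IP address with referral chasing turned off, and the server certificate checked against a pinned thumbprint because an IP address will not match the certificate's subject name. The host, port, credentials, base DN, filter and thumbprint are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example, not from the original post: search a forest with no trust in place.
class CrossForestQuery
{
    // SHA-1 thumbprint of the remote DC's LDAPS certificate, obtained out of band.
    // Placeholder value; pinning it lets a bare IP address still be validated.
    const string ExpectedThumbprint = "REPLACE-WITH-REAL-THUMBPRINT";

    static void Main()
    {
        // Documentation IP and port 636 (LDAPS); 3268/3269 would hit the global catalog.
        var identifier = new LdapDirectoryIdentifier("192.0.2.10", 636);
        using (var connection = new LdapConnection(identifier))
        {
            connection.SessionOptions.ProtocolVersion = 3;
            connection.SessionOptions.SecureSocketLayer = true;
            // The cert is issued to the DC's FQDN, not the IP, so compare the
            // thumbprint instead of accepting any certificate.
            connection.SessionOptions.VerifyServerCertificate = (conn, cert) =>
                string.Equals(cert.GetCertHashString(), ExpectedThumbprint,
                              StringComparison.OrdinalIgnoreCase);
            // No trust means Kerberos/Negotiate cannot succeed; bind with the
            // remote service account over the encrypted channel (assumed to be
            // permitted by the remote DC's LDAP signing policy).
            connection.AuthType = AuthType.Basic;
            connection.Credential = new NetworkCredential("svc-ldap", "password", "REMOTE");
            // Referrals returned by the other forest cannot be resolved from here;
            // chasing them is what makes the search stall for ~48-60 seconds.
            connection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
            connection.Bind();

            var request = new SearchRequest(
                "DC=remote,DC=example",
                "(&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))",
                SearchScope.Subtree,
                "distinguishedName", "mail");
            var response = (SearchResponse)connection.SendRequest(request);
            foreach (SearchResultEntry entry in response.Entries)
            {
                string mail = entry.Attributes.Contains("mail")
                    ? entry.Attributes["mail"][0] as string : "(none)";
                Console.WriteLine($"{entry.DistinguishedName}: {mail}");
            }
        }
    }
}
```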

So is there an error? Your combination of LDAPS and an IP is likely a problem as the certificate won't be valid. I'd expect also in this case that your AuthN type should be Basic instead.

  • In that case I would need a conditional forwarder on my local Domain to resolve the actual name? e.g. LDAPS://bobs.happy.little.forest instead of LDAPS://123.123.123.123? – Jack Dec 16 '13 at 14:49