
Suppose an Active Directory domain controller, smallapp.local, which trusts another domain, bigenterprise.local.

There is a user Alice in bigenterprise.local, and she is able to log in to smallapp.local with her password using an LDAP bind. As smallapp.local does not have the hash of her password, I assume it must somehow be forwarded to her "home" domain, bigenterprise.local.

How does that happen?

For more background, I'm using the Node library ldapjs on a Windows server like this, and the authentication succeeds just fine, but I don't understand how Windows validates a password that belongs to another domain.

const ldap = require('ldapjs');
// connect to the local domain controller (smallapp.local)
const client = ldap.createClient({ url: 'ldap://localhost' });
// DN of the user from the trusted domain (DC components left as placeholders)
const disti = 'CN=Alice,CN=Users,DC=XXX,DC=YYY';
const password = 'mypass';

// simple bind: the local DC validates the password, then the session is closed
client.bind(disti, password, (err) => {
  if (err) { console.error('bind failed:', err.message); return; }
  console.log('bind succeeded'); // do things here
  client.unbind();
});
sellonen
