
Connection does not work when using a user from a different domain #1085

Open
afurkanoruc opened this issue Apr 12, 2023 · 1 comment

When trying to connect to an LDAP server in Domain A using a user in Domain B, the following error is thrown, even though the credentials are 100% correct:

ldap3.core.exceptions.LDAPBindError: automatic bind not successful - invalidCredentials

Here's the code example:

import ldap3

# Simple bind (ldap3's default when user/password are given) against a DC in Domain A,
# naming a user from Domain B in DOMAIN\user form
server = ldap3.Server(host="LDAP_SERVER_IN_DOMAIN_A", port=389, get_info=ldap3.ALL)
conn = ldap3.Connection(server, user="DOMAIN_B\\USER", password="PASSWORD", auto_bind=True)

Same code works when LDAP server and user are in the same domain.

I have found other people facing the same problem on Stack Overflow, but no reply:
https://stackoverflow.com/questions/55971981/python-3-ldap3-connect-to-ad-with-user-from-a-different-domain

Is this not supported by ldap3 at all? Or is it just a bug? I appreciate any support.

Thanks,
Furkan

zorn96 (Collaborator) commented Apr 12, 2023

Hi @afurkanoruc !

So you’re using an LDAP simple bind. This type of authentication generally doesn’t work for cross-domain users because the user’s password doesn’t live in the trusting domain you’re logging into. Also, simple binds often don’t carry domain info.

Instead, you’ll want to try either NTLM or Kerberos authentication. With NTLM, the domain controller in the second domain can use pass-through authentication to check against your user’s primary domain. With Kerberos, your client can exchange its TGT for its primary domain to get an LDAP service ticket in the second domain at the time of auth.

Kerberos requires a bit more client-side configuration, but it is supported (assuming the underlying OS is configured for SASL and Kerberos). But that doesn’t support using a password. To use a password, and given your style of username specification, it seems like you might want to try NTLM authentication.

The docs for ldap3 have info on it.
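The two mechanisms from the comment above, as an added example that is not from the issue reporter or from the ldap3 project: a DOMAIN\user name with a password is bound with NTLM (so the DC in Domain A can pass the check through to Domain B), a client that already holds a ticket binds with Kerberos, and StartTLS with certificate validation runs before either bind so no password or NTLM exchange goes over cleartext port 389. A simple bind is deliberately never chosen. The hostnames, domain names, the ca_file path and the helper names split_domain_user, select_bind and connect are assumptions made for this example; ldap3's NTLM, SASL, KERBEROS and AUTO_BIND_TLS_BEFORE_BIND constants and its Tls class are real. Only connect() touches the network (and imports ldap3), so the helpers can be exercised offline.

```python
"""Bind to an AD domain controller with a user from another (trusted) domain.

Added example for this issue; not ldap3 project code. Host, domain and file
names are placeholders. Network calls live only in connect().
"""
import re
import ssl
from typing import Optional, Tuple


def split_domain_user(user: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\name' into ('DOMAIN', 'name'); anything else returns (None, user).

    ldap3's NTLM binding expects exactly this form. A UPN ('name@corp.example')
    or a bare name is therefore rejected by select_bind() instead of being sent
    as a simple bind, which carries no domain hint the DC could forward to a trust.
    """
    m = re.fullmatch(r"([^\\@/]+)\\([^\\@/]+)", user)
    if m:
        return m.group(1).upper(), m.group(2)
    return None, user


def select_bind(user: str, password: Optional[str],
                kerberos: bool = False) -> Tuple[str, Optional[str]]:
    """Return (mechanism, user_argument) for ldap3.Connection.

    KERBEROS: the password is ignored; the client's existing TGT is exchanged
              for an LDAP service ticket in the target domain.
    NTLM:     the target DC pass-through-authenticates to the user's home domain.
    A simple bind is never chosen: it cannot authenticate a foreign-domain user
    and, on port 389 without StartTLS, would send the password in cleartext.
    """
    if kerberos:
        return "KERBEROS", None
    domain, name = split_domain_user(user)
    if domain is None:
        raise ValueError(f"NTLM needs the DOMAIN\\name form, got {user!r}")
    if not password:
        raise ValueError("NTLM needs a password")
    return "NTLM", f"{domain}\\{name}"


def connect(host: str, user: str, password: Optional[str],
            kerberos: bool = False, ca_file: Optional[str] = None):
    """Open and bind an ldap3 connection using the mechanism from select_bind().

    ldap3 is imported lazily so the helpers above run without it installed.
    The Kerberos path additionally needs the 'gssapi' package and a valid
    ticket cache (kinit) on the client. ca_file is assumed to hold the
    forest's issuing CA chain; with None, the system trust store is used.
    """
    import ldap3

    mechanism, user_arg = select_bind(user, password, kerberos)
    # Validate the DC certificate and run StartTLS before any bind request.
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = ldap3.Server(host, port=389, tls=tls, get_info=ldap3.ALL)
    if mechanism == "KERBEROS":
        conn = ldap3.Connection(server,
                                authentication=ldap3.SASL,
                                sasl_mechanism=ldap3.KERBEROS,
                                auto_bind=ldap3.AUTO_BIND_TLS_BEFORE_BIND)
    else:
        conn = ldap3.Connection(server,
                                user=user_arg, password=password,
                                authentication=ldap3.NTLM,
                                auto_bind=ldap3.AUTO_BIND_TLS_BEFORE_BIND)
    return conn


if __name__ == "__main__":
    # Offline demonstration of the selection logic with placeholder names.
    print(select_bind("DOMAIN_B\\USER", "PASSWORD"))
    print(select_bind("DOMAIN_B\\USER", None, kerberos=True))
    # Real bind (needs a reachable DC in Domain A and a trust to Domain B):
    # conn = connect("dc01.domain-a.example", "DOMAIN_B\\USER", "PASSWORD",
    #                ca_file="/etc/ssl/certs/forest-ca.pem")
```

If the NTLM bind still fails with invalidCredentials, check that the trust between the two domains actually permits pass-through for this user before suspecting the client; a simple bind failure tells you nothing either way, because the DC in Domain A never had the password to compare against.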
