Hi Rick,
I did some research with the underlying python module:
https://github.com/cannatag/ldap3/issues/120
My understanding so far is the following:
The ldap3 module can follow referrals and will contact the trusting.com domain controller.
But this will fail when doing a simple bind or NTLM or even SASL DIGEST-MD5.
Doing a wireshark on the Windows DC/DC I saw that they are doing SASL GSSAPI.
Well - and somehow this makes sense.
So I guess that
1. privacyIDEA, the LDAP searching system, needs to be a member of the Kerberos trusted domain. Otherwise the trusting domain would not trust a request issued from a machine not in the trusted domain.
2. the LDAP search via referral on the trusting domain needs to be performed with a Kerberos ticket.
This means that we need to put privacyIDEA into the trusted domain and slightly modify the code to use SASL GSSAPI.
We could however try to use the Univention Corporate Server, which should be easily joined into the trusted domain and which also can run privacyIDEA.
Still, we need to deal with some obstacles. Required python packages (python-gssapi) are not available for Debian/Ubuntu...
So this is some kind of research/development task, which requires a bit more effort.
As a matter of fact my company NetKnights provides services and support for privacyIDEA. If you are interested in following this path, we can take this off-list.
In the end it would be great to also add support for Kerberos/GSSAPI and trusted domains to privacyIDEA.
Kind regards,
Cornelius