Cross-domain role assignment is supported as it always was, no changes. Cross-domain user-group assignment is also supported EXCEPT for the case where you are using multiple LDAP identity backends (e.g. each domain is backed by a different LDAP) and the user and group in question are in different LDAPs. The consequences of lifting this restriction would be that listing the membership of a group might involve querying an unlimited number of LDAP servers. I'd want to really understand the use case if we went down that route.
Some have suggested (e.g. ayoung) that we should not be supporting user-group membership across domains at all - this is up for discussion. If we were to make a change here, we'd obviously have to go through a long deprecation cycle.