auth to multiple AD domains
ibexmonj opened this issue · 3 comments
ibexmonj commented
Hi
I have this module configured and running fine with 1 of our domains.
I would like to expand this configuration to be able to auth against 2 separate AD domains. We have multiple internal domains where our user accounts are provisioned.
E.g.
- define 2 ldap_server blocks, one for each of the domains, with specific bind accounts.
- look up the user in the ldap1 server; if found, proceed with auth; if not found, check the ldap2 server.
Is this supported?
ibexmonj commented
Is this possible?
syntruth commented
It should be, with something like this:
    ldap_server AD1 {
        url ldaps://<AD1 SERVER INFO HERE>?sAMAccountName?sub?(objectClass=person);
        binddn "binddn_user";
        binddn_passwd 'bind_passwd';
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
        satisfy any;
    }

    ldap_server AD2 {
        url ldaps://<AD2 SERVER INFO HERE>?sAMAccountName?sub?(objectClass=person);
        binddn "binddn_user";
        binddn_passwd 'bind_passwd';
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
        satisfy any;
    }
And then in your server block:
    server {
        ...
        auth_ldap "Internal Content";
        auth_ldap_servers AD1;
        auth_ldap_servers AD2;
        ...
    }
...that's based on what I'm doing on our production servers, but in my case, it's for redundancy purposes, and not because the users are defined on separate servers. I would think, however, that if it failed on AD1, it would then try AD2.
ibexmonj commented
It does indeed work.
It looks for the user in AD1 and, if not found, looks in AD2.
Thanks!
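The ordering behaviour confirmed above (look the user up in AD1, fall through to AD2 only when the account is absent there) is easy to get wrong in review, especially when the same sAMAccountName exists in both domains. The following is an added example, not code from the nginx-auth-ldap module or from anyone in this thread: it models that lookup-then-bind walk over a list of directories using constructed in-memory account tables in place of real ldaps:// servers, and adds a small check for usernames that collide across domains. It stops at the first directory where the user exists; whether the real module continues to the next server after a wrong password on AD1 is not settled by this thread and should be tested against your own deployment.

```python
# Added example: models the multi-ldap_server fallback described in the thread.
# FakeDirectory is a stand-in for one ldap_server block; its account table is
# constructed sample data, not a real domain controller.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FakeDirectory:
    """One configured ldap_server: a name and a sAMAccountName -> password map."""
    name: str
    accounts: Dict[str, str]  # constructed; real deployments bind over ldaps://

    def search(self, username: str) -> bool:
        # Models the search the URL "?sAMAccountName?sub?(objectClass=person)" performs
        return username in self.accounts

    def bind(self, username: str, password: str) -> bool:
        # Models the user bind that follows a successful search
        return self.accounts.get(username) == password


# Constructed directories. "shared" deliberately exists in both with different
# passwords, to show that list order decides which domain answers for it.
AD1 = FakeDirectory("AD1", {"alice": "alice-pw", "shared": "pw-in-ad1"})
AD2 = FakeDirectory("AD2", {"bob": "bob-pw", "shared": "pw-in-ad2"})


def authenticate(servers: List[FakeDirectory], username: str,
                 password: str) -> Tuple[Optional[str], bool]:
    """Walk the servers in configured order (auth_ldap_servers AD1; then AD2).

    Returns (name of the directory that decided, bind succeeded?). The first
    directory in which the user is found decides; later ones are never consulted
    for that user, which is the behaviour ibexmonj observed.
    """
    for directory in servers:
        if not directory.search(username):
            continue  # not provisioned here: fall through to the next ldap_server
        return directory.name, directory.bind(username, password)
    return None, False  # user exists in no configured domain


def colliding_accounts(servers: List[FakeDirectory]) -> Set[str]:
    """Defender's check: usernames present in more than one domain.

    Such accounts are always resolved by the first server in the list, so a
    user in AD2 with a colliding name in AD1 can never log in with AD2's
    password. Run this over your real directories before adding a second domain.
    """
    seen: Dict[str, int] = {}
    for directory in servers:
        for user in directory.accounts:
            seen[user] = seen.get(user, 0) + 1
    return {user for user, count in seen.items() if count > 1}


if __name__ == "__main__":
    chain = [AD1, AD2]
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"),
                     ("shared", "pw-in-ad2"), ("nobody", "x")]:
        print(user, "->", authenticate(chain, user, pw))
    print("colliding:", colliding_accounts(chain))
```

Reversing the order of the list (AD2 before AD1) flips which password "shared" is checked against, which is the point of the collision check: the fallback is by presence, not by credential, so duplicate names across domains need to be resolved in the directories, not in nginx.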