Multiple Servers

[jmsolutionsgroup]

Is there a way to configure multiple Ldap servers?

I'm thinking that the Startup could look something like below. .AddLdapUsers<ActiveDirectoryAppUser>(Configuration.GetSection("activeDirectory1"), UserStore.InMemory).AddLdapUsers<ActiveDirectoryAppUser>(Configuration.GetSection("activeDirectory2"), UserStore.InMemory);

I'm not sure how to configure and specify which Active Directory server to connect, currently when I add multiple user stores it only searches the second addition.

[Nordes]

Hi, since you're the second one asking, I will look into it. It require some works.

At the same time I'll try to update the demo.

I don't have much time recently. So don't expect this to be done really soon :).

On Wed, Oct 24, 2018, 6:39 AM uchetfield notifications@github.com wrote:

Is there a way to configure multiple Ldap servers?

I'm thinking that the Startup could look something like below. .AddLdapUsers(Configuration.GetSection("activeDirectory1"), UserStore.InMemory).AddLdapUsers(Configuration.GetSection("activeDirectory2"), UserStore.InMemory);

I'm not sure how to configure and specify which Active Directory server to connect, currently when I add multiple user stores it only searches the second addition.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/Nordes/IdentityServer4.LdapExtension/issues/10, or mute the thread https://github.com/notifications/unsubscribe-auth/AAbQbB35El3EKHtdg3QY569d3BZspcbgks5un4ysgaJpZM4X2t94 .

[jmsolutionsgroup]

I have submitted pull request #11 as an initial attempt to solve this issue.

[murattdogan]

.AddLdapUsers(Configuration.GetSection("multipleActiveDirectory"), UserStore.InMemory); Multiple multipleActiveDirectory or OpenLdapAppUser MultipleLdapAppUser ?

[Nordes]

@uchetfield I looked a bit, I think there's a better way of doing it. I will look probably this weekend.

[jmsolutionsgroup]

@murattdogan I updated my fork of the appsettings to clear up your question. You need to have one section of multipleActiveDirectory that contains several hosts.

[murattdogan]

I'm trying to query openldap and active directory ldap with a single Ldap AppUser. In our structure Open Ldap student Academic Staff Active Dricetory Ldap have I want to combine these two applications. So how do we do it with MultipleLdapAppUser.

[jmsolutionsgroup]

@murattdogan Unfortunately this cannot be done with my solution. You can have multiple hosts of the same type but cannot have both open ldap and active directory at the same time. @Nordes has stated that there is a better way. I'm open to any suggestions but for the time I committed I could not come up with a working solution to utilize both options.

[Nordes]

Yes, there's a better way. It requires a lot of changes. I will commit once I can make a "buildable" branch. I am now fixing the in memory/redis configuration and after I think I can do a commit and push. It will not be working fully yet but it will give a good idea how it can be achieved. Maybe later this week I will be able to find some time.

Basically:

• The call .AddLdapUsers<OpenLdapAppUser>(Configuration.GetSection("ldapOpenLdap"), UserStore.InMemory) is not forcing you to use OpenLdapAppUser, you can actually write your own logic. So you could potentially merge everything together (2 different type of LDAP), but this will require you to work harder ;) of course.
• The changes are in the LdapConfig, allow a filter
• Configuration: Ability to receive a list OR a unique item (retro-compatibility
• SearchUser needs to be totally changed in order to search accross multiple servers
• Cache (Memory/Redis) needs to be reworked in order to use an ICollection<LdapConfig> instead of a single configuration.

(Some other changes are also required)

[Nordes]

Please test my branch features/multi_ldap. I tried it at home and it seems OK for me.

You can configure multiple ldap from the same type (openldap + openldap + ...) OR (active directory + active directory + ...)

[murattdogan]

configure multiple ldap from the same type (openldap + active directory+ ...) ?

[Nordes]

No same type ... for users. As you may know, the attribute mapping for users in Active directory is different than mapping of user attributes in OpenLdap. The only way you could make them work together is if you make a custom "LdapUser" by implementing the IAppUser (see existing implementation).

So basically what I meant was:

• OpenLdap and ActiveDirectory in the current state are mutually exclusive EXCEPT! if you use the same schema regarding all the attributes and types for your OpenLdap, for which, I really doubt you're doing.

[Nordes]

For example here:

In case you have the EXACT same attributes you want to map your users (AD/SMB/OpenLdap/etc.) then yes, you can use multiple configurations without any issue. But that case is probably really rare. If you wish and that you have a different schema (SMB per say), then the current code of the LdapExtension allow you to extend it. Please look at the code and make your own implementation if you want to mix AD and OpenLdap. The current built-in is not made for that scenario except, as I said previously, if you have the exact same schema for those attributes.

For the current implementation of many servers (which I don't really recommend), you really need a filter to avoid having the same user existing in both system. Otherwise it will take the first one that match and you might expect strange behaviors.

[Nordes]

Branch merged. More tests will be needed before a release as a nuget package.

[jmsolutionsgroup]

Thank you for all of the changes. I have created pull request #14 that allows the user to specify a domain without breaking changes.

[Nordes]

@uchetfield , looking now into it.

[Nordes]

@uchetfield Merged (I used the wrong number in the merge comment :(... but it is).

[Nordes]

@uchetfield : For info, the only problem I see with your solution is if we use the other flow in order to get a token (not by showing the login page). The domain is not part of the implementation in that case. So just be aware of that.