ibexmonj
commented
6 years ago Is this possible ?
Closed ibexmonj closed 6 years ago
ibexmonj
commented
6 years ago Is this possible ?
syntruth
commented
6 years ago It should be, with something like this:
ldap_server AD1 {
url ldaps://<AD1 SERVER INFO HERE>?sAMAccountName?sub?(objectClass=person);
binddn "binddn_user";
binddn_passwd 'bind_passwd';
group_attribute uniquemember;
group_attribute_is_dn on;
require valid_user;
satisfy any;
}
ldap_server AD2 {
url ldaps://<AD2 SERVER INFO HERE>?sAMAccountName?sub?(objectClass=person);
binddn "binddn_user";
binddn_passwd 'bind_passwd';
group_attribute uniquemember;
group_attribute_is_dn on;
require valid_user;
satisfy any;
} And then in your server block:
server {
...
auth_ldap "Internal Content";
auth_ldap_servers AD1;
auth_ldap_servers AD2;
...
}...that's based on what I'm doing on our production servers, but in my case, it's for redundancy purposes, and not because the users are defined on separate servers. I would think, however, that if it failed on AD1, it would then try AD2.
ibexmonj
commented
6 years ago It does indeed work. It looks for user in AD1 and if not found looks in AD2.
Thanks!
Hi
I would like to expand this configuration to be able to auth against 2 separate AD domains. We have multiple internal domains where are user accounts are provisioned.
E.g.
Is this supported ?