Closed ibexmonj closed 6 years ago
Is this possible?
It should be, with something like this:

```nginx
# One ldap_server block per domain. The module tries the servers in the
# order they are listed with auth_ldap_servers in the server block.
ldap_server AD1 {
    # base URL + ?attribute?scope?filter: look the login name up as sAMAccountName
    url ldaps://<AD1 SERVER INFO HERE>?sAMAccountName?sub?(objectClass=person);
    # service account for the lookup (AD accepts a DN or a user@domain UPN here)
    binddn "binddn_user";
    binddn_passwd 'bind_passwd';
    # group settings are unused below because only valid_user is required
    # (AD stores group membership in the member attribute, not uniquemember)
    group_attribute uniquemember;
    group_attribute_is_dn on;
    require valid_user;
    satisfy any;
}
ldap_server AD2 {
    url ldaps://<AD2 SERVER INFO HERE>?sAMAccountName?sub?(objectClass=person);
    binddn "binddn_user";
    binddn_passwd 'bind_passwd';
    group_attribute uniquemember;
    group_attribute_is_dn on;
    require valid_user;
    satisfy any;
}
```
And then in your server block:

```nginx
server {
    ...
    auth_ldap "Internal Content";
    # tried in this order: AD1 first, then AD2
    auth_ldap_servers AD1;
    auth_ldap_servers AD2;
    ...
}
```
...that's based on what I'm doing on our production servers, but in my case, it's for redundancy purposes, and not because the users are defined on separate servers. I would think, however, that if it failed on AD1, it would then try AD2.
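Added example, not code from this thread or from the nginx-auth-ldap module: a small offline emulation of the server-chain policy the reply above relies on (search each listed server for the sAMAccountName, bind as the DN that is found, fall through to the next server on no-match or on a failed bind). `FakeDirectory`, the two domains and the account data are constructed stand-ins for the real LDAP calls. It makes two things visible that the config alone does not: a sAMAccountName that exists in both domains authenticates with either domain's password (so `colliding_accounts` lists those names), and an empty password has to be rejected before any bind, because an LDAP simple bind with a DN and an empty password is an unauthenticated bind that many directories accept.

```python
# Added example (not nginx-auth-ldap's code): emulates the server-chain policy
# described in the thread so the fall-through and username-collision cases can
# be checked offline. FakeDirectory and the account data are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FakeDirectory:
    """In-memory stand-in for one AD domain, keyed by sAMAccountName.

    Each value is (dn, password, objectClass). A real deployment issues an
    LDAP search using the url's attribute/scope/filter and then a simple bind.
    """
    name: str
    users: Dict[str, Tuple[str, str, str]]

    def search(self, sam_account_name: str) -> Optional[str]:
        """Equivalent of '?sAMAccountName?sub?(objectClass=person)': the DN of a
        matching person entry, or None when no such user exists in this domain."""
        entry = self.users.get(sam_account_name)
        if entry is None or entry[2] != "person":
            return None
        return entry[0]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind as the found DN. A simple bind with a DN and an empty
        password is an *unauthenticated* bind (RFC 4513 section 5.1.2), which
        many servers accept, so an empty password must never reach this point."""
        if not password:
            raise ValueError("refusing unauthenticated bind")
        for entry_dn, entry_pw, _ in self.users.values():
            if entry_dn == dn:
                return entry_pw == password
        return False


def authenticate(servers: List[FakeDirectory], username: str,
                 password: str) -> Optional[Tuple[str, str]]:
    """Try each server in auth_ldap_servers order; return (server, dn) for the
    first successful bind, or None when every server misses or rejects."""
    if not password:            # reject before any bind is attempted
        return None
    for srv in servers:
        dn = srv.search(username)
        if dn is None:
            continue            # not provisioned in this domain: try the next
        if srv.bind(dn, password):
            return (srv.name, dn)
        # wrong password here, but the same sAMAccountName may belong to a
        # different account in the next domain, so keep going
    return None


def colliding_accounts(servers: List[FakeDirectory]) -> Set[str]:
    """sAMAccountNames defined in more than one domain: either domain's
    password is accepted for these, which is worth knowing before going live."""
    seen: Dict[str, int] = {}
    for srv in servers:
        for sam in srv.users:
            seen[sam] = seen.get(sam, 0) + 1
    return {sam for sam, n in seen.items() if n > 1}


# Constructed test data: two domains, "bob" exists in both with different passwords
AD1 = FakeDirectory("AD1", {
    "alice": ("CN=alice,OU=Users,DC=corp,DC=example", "a1-pass", "person"),
    "bob":   ("CN=bob,OU=Users,DC=corp,DC=example", "b1-pass", "person"),
})
AD2 = FakeDirectory("AD2", {
    "bob":   ("CN=bob,OU=Staff,DC=lab,DC=example", "b2-pass", "person"),
    "carol": ("CN=carol,OU=Staff,DC=lab,DC=example", "c2-pass", "person"),
    "prn01": ("CN=prn01,OU=Printers,DC=lab,DC=example", "p-pass", "computer"),
})
CHAIN = [AD1, AD2]   # same order as the auth_ldap_servers lines

if __name__ == "__main__":
    for user, pw in [("alice", "a1-pass"), ("carol", "c2-pass"),
                     ("bob", "b1-pass"), ("bob", "b2-pass"),
                     ("alice", "wrong"), ("bob", ""), ("prn01", "p-pass")]:
        print(f"{user!r:8} {pw!r:10} -> {authenticate(CHAIN, user, pw)}")
    print("collisions:", colliding_accounts(CHAIN))
```

The `prn01` entry shows why the `(objectClass=person)` part of the url matters: a computer or service object with a matching name is never bound against. Running `colliding_accounts` over the real domains (with an LDAP search, not the fake) is the check to do before enabling the second `auth_ldap_servers` line.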
It does indeed work. It looks for user in AD1 and if not found looks in AD2.
Thanks!
Hi
I would like to expand this configuration to be able to auth against 2 separate AD domains. We have multiple internal domains where our user accounts are provisioned.
E.g.
Is this supported?