kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

auth to multiple AD domains #196

Closed ibexmonj closed 6 years ago

ibexmonj commented 6 years ago

Hi

I have this module configured and running fine with 1 of our domains.

I would like to expand this configuration to be able to auth against 2 separate AD domains. We have multiple internal domains where our user accounts are provisioned.

E.g.

Is this supported?

ibexmonj commented 6 years ago

Is this possible?

syntruth commented 6 years ago

It should be, with something like this:

  ldap_server AD1 {
    url ldaps://<AD1 SERVER INFO HERE>?sAMAccountName?sub?(objectClass=person);
    binddn "binddn_user";
    binddn_passwd 'bind_passwd';
    group_attribute uniquemember;
    group_attribute_is_dn on;
    require valid_user;
    satisfy any;
  }

  ldap_server AD2 {
    url ldaps://<AD2 SERVER INFO HERE>?sAMAccountName?sub?(objectClass=person);
    binddn "binddn_user";
    binddn_passwd 'bind_passwd';
    group_attribute uniquemember;
    group_attribute_is_dn on;
    require valid_user;
    satisfy any;
  }

And then in your server block:

server {
  ...

  auth_ldap "Internal Content";
  auth_ldap_servers AD1;
  auth_ldap_servers AD2;

  ...
}

...that's based on what I'm doing on our production servers, but in my case, it's for redundancy purposes, and not because the users are defined on separate servers. I would think, however, that if it failed on AD1, it would then try AD2.
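As an added check that is not part of nginx-auth-ldap or this thread, the following Python linter cross-references every `auth_ldap_servers` name against the `ldap_server` blocks it should resolve to (a typo there silently drops a domain from the fallback chain) and flags any `url` that is not `ldaps://`. The config text is constructed from the layout shown above; hostnames, base DNs and the extra `AD3` reference are placeholders.

```python
import re

# Constructed sample: the two ldap_server blocks plus the server block from the
# thread, assembled into one http-context fragment. AD2's url deliberately uses
# plain ldap:// and AD3 is referenced without a block, so both checks fire.
SAMPLE_CONF = """
http {
  ldap_server AD1 {
    url ldaps://ad1.example.internal/DC=corp,DC=example?sAMAccountName?sub?(objectClass=person);
    binddn "binddn_user";
    binddn_passwd 'bind_passwd';
    require valid_user;
    satisfy any;
  }
  ldap_server AD2 {
    url ldap://ad2.example.internal/DC=corp2,DC=example?sAMAccountName?sub?(objectClass=person);
    binddn "binddn_user";
    binddn_passwd 'bind_passwd';
    require valid_user;
    satisfy any;
  }
  server {
    auth_ldap "Internal Content";
    auth_ldap_servers AD1;
    auth_ldap_servers AD2;
    auth_ldap_servers AD3;
  }
}
"""

def parse_ldap_servers(conf):
    """Return {name: {directive: value}} for every ldap_server block."""
    servers = {}
    for m in re.finditer(r'ldap_server\s+(\S+)\s*\{(.*?)\}', conf, re.S):
        name, body = m.group(1), m.group(2)
        directives = {}
        for line in body.strip().splitlines():
            line = line.strip().rstrip(';')
            if not line:
                continue
            key, _, value = line.partition(' ')
            directives[key] = value.strip()
        servers[name] = directives
    return servers

def referenced_servers(conf):
    """Names listed by auth_ldap_servers, in the order the module tries them."""
    return re.findall(r'auth_ldap_servers\s+(\S+)\s*;', conf)

def lint(conf):
    """Return a list of problem strings; empty means the fallback chain is consistent."""
    servers = parse_ldap_servers(conf)
    problems = []
    for ref in referenced_servers(conf):
        if ref not in servers:
            problems.append(f"{ref}: referenced by auth_ldap_servers but has no ldap_server block")
    for name, d in servers.items():
        if not d.get('url', '').startswith('ldaps://'):
            problems.append(f"{name}: url does not use ldaps://, bind and user credentials are not protected by TLS")
    return problems
```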

ibexmonj commented 6 years ago

It does indeed work. It looks for the user in AD1 and, if not found, looks in AD2.

Thanks!