Shibboleth IdP v3.2.1 & LDAP+AD Authentication

Michael A Grady mgrady at
Tue May 31 13:34:19 EDT 2016

> On May 31, 2016, at 12:16 PM, IAM David Bantz <dabantz at> wrote:
> FWIW, UA has what seems a similar use case (Oracle DSEE LDAP and AD as well) except that we need to fail over to multiple instances of AD.
> David Bantz
> On Tue, May 31, 2016 at 7:25 AM, Daniel Fisher <dfisher at> wrote:
> On Tue, May 31, 2016 at 11:06 AM, Marco Malavolti <marco.malavolti at> wrote:
> Does any of you already know a solution for this use case? What do I need to do to solve this situation and authenticate the users provided by both directories?
> Can you describe your directory infrastructure? Are we talking about a single instance of OpenLDAP and a single instance of AD?
> --Daniel Fisher

There are examples in the Wiki on the following page: <>

under DN resolution and Account State, of having more than one. But once you have to start replicating all that config, the advantage versus just going back to using JAAS to configure the multiple sources gets unclear. The JAAS config is simpler, but perhaps doesn't get you all the same account state options -- if you are going to use those. And it sounds like the JAAS options are going to get more flexible with 3.3 when it becomes available.

Michael A. Grady
IAM Architect, Unicon, Inc.
