Multiple LDAP domains on the same IDP

Fri Oct 25 09:36:15 EDT 2019

There are docs on setting up multiple directories using aggregate dn resolver.  Maybe that's what you're looking for?

https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration#LDAPAuthnConfiguration-MultipleDirectories

-------------------------------
Craig Pluchinsky
IT Services
Indiana University of Pennsylvania
724-357-3327

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Adriano <Adriano.Dalessio at avasad.ch>
Sent: Friday, October 25, 2019 8:37 AM
To: users at shibboleth.net <users at shibboleth.net>
Subject: Re: Multiple LDAP domains on the same IDP

Peter Schober wrote
> The main criterion should be (and I'm not sure your above liste was
> intended to specify this or not) whether userids are either guaranteed
> to be mutually exclusive to each domain, or -- where the same userid
> may exist in both domains -- that at least it represents the same
> person (though that may still cause issues with differing passwords
> for the two accounts).

Both domains are completly separated. Users from one domain can't be in the
second one (as in, they can't be the same "physical" person). As for the
actual value of the nameid, the domains have different naming conventions
which makes it impossible to have the same value from one domain to another.

Peter Schober wrote
> There's also the question of multiple MS-AD domains in a "forest" (?)
> where you can authenticate accounts in multiple domains using a single
> LDAP configuration. But I know nothing about MS.

Both domains are built the same: one forest with a unique domain. So
different LDAP configuration required, I suppose.

We tried to find documentations about configuration for multiple domains but
had no luck so far. From the infos we could gather, we need to:

-duplicate the ldap.properties file and reference them in the idp.properties
file (done)
-Change value according the domains informations (ldap1.properties and
ldap2.properties) (done)

The rest of the configuration seems to be in the ldap-authn-config.xml file,
but i haven't seen anything precise for this part... So far ldap2.properties
seems to be processed by Shibboleth (and ldap1.properties is ignored or
overriden).

--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20191025/e230d961/attachment.html>