Multiple LDAP domains on the same IDP

Losen, Stephen C (scl) scl at
Fri Oct 25 11:31:49 EDT 2019

Hi Adriano,

Yes, JAAS is for password validation only. If you also need to use your two LDAP servers for attribute resolution then you need to configure them as DataConnectors in attribute-resolver.conf. There may be a better way, but I would define each LDAP attribute as a pair of IDP attributes, where one IDP attribute comes from LDAP #1 and the other comes from LDAP #2. Then release both IDP attributes. Since your usernames do not conflict, any particular user will only get a match on one DataConnector so only IDP attributes sourced from that Connector will be available for release.

Steve Losen
ITS - Enterprise Infrastructure
University of Virginia
scl at    434-924-0640

-----Original Message-----
From: users <users-bounces at> On Behalf Of Adriano
Sent: Friday, October 25, 2019 10:11 AM
To: users at
Subject: Re: Multiple LDAP domains on the same IDP

Losen, Stephen C (scl) wrote
> Hi Adriano,
> We are using JAAS with IDP Password authentication. We have three LDAP 
> servers listed in JAAS for password verification. At our site the 
> usernames are standard, so user X on one LDAP server is the same user 
> X on the other two. However, the passwords can differ. Since your two 
> LDAP servers have different naming conventions, JAAS should work fine for you.

From what I understand JAAS replaces the username/password check (and does it for all LDAP configurations until one matches?), does it allow for the same configurations for attribute, dataconnectors, etc.?

Craig Pluchinsky wrote
> There are docs on setting up multiple directories using aggregate dn 
> resolver.  Maybe that's what you're looking for?
> ation#LDAPAuthnConfiguration-MultipleDirectories

This seems to look like this: 
tutorial (github)
Is the main tutorial I could find on this topic...Would that work for my "issue"?

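The paired-attribute setup described in the reply at the top of this message, sketched as an added example that is not configuration posted by anyone in the thread. It assumes Shibboleth IdP v3.4-style resolver syntax; the connector and attribute ids, hostnames, base DNs, the `uid` search filter and the `idp.attribute.resolver.LDAP1.*` / `LDAP2.*` property names are placeholder assumptions.

```xml
<!-- Added example: fragment for inside the <AttributeResolver> root element. -->
<!-- All hosts, DNs, ids and property names below are placeholders.          -->

<!-- One connector per directory. A username that exists in only one
     directory returns an empty result from the other connector, which is
     not an error (noResultIsError defaults to false). Bind secrets are
     read from properties rather than written into this file. -->
<DataConnector id="ldap1" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap1.example.org:636"
    baseDN="ou=people,dc=one,dc=example,dc=org"
    principal="%{idp.attribute.resolver.LDAP1.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP1.bindDNCredential}">
    <FilterTemplate><![CDATA[(uid=$resolutionContext.principal)]]></FilterTemplate>
</DataConnector>

<DataConnector id="ldap2" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap2.example.org:636"
    baseDN="ou=staff,dc=two,dc=example,dc=org"
    principal="%{idp.attribute.resolver.LDAP2.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP2.bindDNCredential}">
    <FilterTemplate><![CDATA[(uid=$resolutionContext.principal)]]></FilterTemplate>
</DataConnector>

<!-- The same LDAP attribute defined twice, once per source directory.
     Only the definition whose connector matched the user carries a value. -->
<AttributeDefinition id="mailLdap1" xsi:type="Simple">
    <InputDataConnector ref="ldap1" attributeNames="mail"/>
    <AttributeEncoder xsi:type="SAML2String"
        name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
        encodeType="false"/>
</AttributeDefinition>

<AttributeDefinition id="mailLdap2" xsi:type="Simple">
    <InputDataConnector ref="ldap2" attributeNames="mail"/>
    <AttributeEncoder xsi:type="SAML2String"
        name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
        encodeType="false"/>
</AttributeDefinition>
```

Both `mailLdap1` and `mailLdap2` then need a release rule in the attribute filter policy, matching the "release both IDP attributes" step in the reply.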