Multiple LDAP domains on the same IDP
Losen, Stephen C (scl)
scl at virginia.edu
Fri Oct 25 11:31:49 EDT 2019
Yes, JAAS is for password validation only. If you also need to use your two LDAP servers for attribute resolution then you need to configure them as DataConnectors in attribute-resolver.conf. There may be a better way, but I would define each LDAP attribute as a pair if IDP attributes, where one IDP attribute comes from LDAP #1 and the other comes from LDAP #2. Then release both IDP attributes. Since your usernames do not conflict, any particular user will only get a match on one DataConnector so only IDP attributes sourced from that Connector will be available for release.
ITS - Enterprise Infrastructure
University of Virginia
scl at virginia.edu 434-924-0640
From: users <users-bounces at shibboleth.net> On Behalf Of Adriano
Sent: Friday, October 25, 2019 10:11 AM
To: users at shibboleth.net
Subject: Re: Multiple LDAP domains on the same IDP
Losen, Stephen C (scl) wrote
> Hi Adriano,
> We are using JAAS with IDP Password authentication. We have three LDAP
> servers listed in JAAS for password verification. At our site the
> usernames are standard, so user X on one LDAP server is the same user
> X on the other two. However, the passwords can differ. Since your two
> LDAP servers have different naming conventions, JAAS should work fine for you.
>From what I understand JAAS replaces the username/password check (and does it for all LDAP configurations until one matches?), does it allow for the same configurations for attribute, dataconnectors, etc.?
Craig Pluchinsky wrote
> There are docs on setting up multiple directories using aggregate dn
> resolver. Maybe that's what you're looking for?
This seems to look like this:
Is the main tutorial I could find on this topic...Would that work for my "issue"?
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users