Forum Discussion
APM - LDAP Authentication multiple domains
Hi all
I resolved this issue by first doing an LDAP query to the first specific domain, in a form like this. This also resolves the problem that you cannot have both UPN and pre-Windows 2000 logons. In our case you can now log on with both logon forms, AND for multiple domains.
Logon Page -> Fallback -> Variable assign (Custom Variable: session.custom.last.username = Session Variable session.logon.last.username) -> Fallback -> (macro Domain 1) -> LDAP Query to first domain (|(UserPrincipalName=%{session.custom.last.username}@%{session.logon.last.domain})(sAMAccountName=%{session.custom.last.username}))
-> Variable Assign session.logon.last.username = LDAP attribute name sAMAccountName Expression on branch 1: expr { [mcget {session.logon.last.username}] equals "" }
So if this variable assign sets the value of session.logon.last.username to "" we will not continue to AD Auth, but we will flow into the next macro for the second domain. This is how we know that the query failed to the first domain.
Branch 1 -> Failure -> (Macro Domain 2) -> repeat same steps for domain 2 -> Fallback -> AD Auth -> Successful -> Allow ending -> Fallback -> Deny ending
So the only extra thing you need to setup is an extra (per domain) AAA pool from the LDAP type.
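As an added illustration (not F5's code and not the poster's configuration), the following Python script simulates the flow described above: the same OR filter over userPrincipalName and sAMAccountName, one query per domain in order, and the branch that continues to the next domain only when the assigned username comes back empty. The LDAP query is mocked against a constructed in-memory directory so it runs offline; `CONSTRUCTED_DIRECTORY`, `DOMAINS`, `mock_ldap_query`, `build_filter` and `resolve_logon` are assumed names, while the session variable names are the ones used in the post. It also escapes the typed username per RFC 4515 before interpolating it into the filter, the check a defender wants wherever a user-typed value ends up inside a filter string.

```python
"""Offline simulation of the per-domain LDAP lookup flow from the post.

Added example, not F5 APM code. Directory contents are constructed.
"""
import re
from typing import Optional

# RFC 4515 filter escaping: characters that would change the meaning of the
# filter are replaced by \XX hex escapes so a typed name cannot widen the query.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, domain: str) -> str:
    """Same filter shape as the post's LDAP Query, with the values escaped."""
    u = escape_filter_value(username)
    d = escape_filter_value(domain)
    return f"(|(userPrincipalName={u}@{d})(sAMAccountName={u}))"


# Constructed directory: per domain, a list of entries with lower-cased
# attribute names. a.smith's UPN local part differs from the sAMAccountName
# on purpose, to show the UPN-to-sAMAccountName conversion.
CONSTRUCTED_DIRECTORY = {
    "corp.example": [
        {"samaccountname": "jdoe", "userprincipalname": "jdoe@corp.example"},
        {"samaccountname": "a.smith", "userprincipalname": "asmith@corp.example"},
    ],
    "sub.example": [
        {"samaccountname": "bwong", "userprincipalname": "bwong@sub.example"},
    ],
}
DOMAINS = ["corp.example", "sub.example"]  # order of the per-domain macros

# Matches each (attribute=value) clause of the simple OR filter built above.
_EQ = re.compile(r"\((\w+)=([^()]*)\)")


def mock_ldap_query(domain: str, ldap_filter: str) -> Optional[str]:
    """Stand-in for the LDAP Query against one domain's AAA pool (constructed).

    Returns the sAMAccountName of the first matching entry, or None.
    """
    wanted = [(attr.lower(), val.lower()) for attr, val in _EQ.findall(ldap_filter)]
    for entry in CONSTRUCTED_DIRECTORY.get(domain, []):
        for attr, val in wanted:
            stored = entry.get(attr)
            if stored is not None and escape_filter_value(stored).lower() == val:
                return entry["samaccountname"]
    return None


def resolve_logon(username: str, logon_domain: str, domains: list) -> dict:
    """Walk the per-domain macros in order, as the post's policy does.

    session.custom.last.username keeps what the user typed; the logon
    username becomes the sAMAccountName from the first domain that matches,
    or stays "" (the branch that leads to the Deny ending) when none does.
    """
    session = {
        "session.custom.last.username": username,
        "session.logon.last.domain": logon_domain,
        "session.logon.last.username": "",
        "matched_domain": None,
    }
    for domain in domains:
        sam = mock_ldap_query(domain, build_filter(username, logon_domain))
        if sam:  # branch condition from the post: assigned username not ""
            session["session.logon.last.username"] = sam
            session["matched_domain"] = domain
            break
    return session


if __name__ == "__main__":
    for typed in ("jdoe", "asmith", "bwong", "*"):
        s = resolve_logon(typed, "corp.example", DOMAINS)
        print(typed, "->", s["session.logon.last.username"] or "(no match)",
              "in", s["matched_domain"])
```

Running the script shows a sAMAccountName logon, a UPN logon that is rewritten to the account's sAMAccountName before AD Auth would run, a user found only in the second domain, and a wildcard username that matches nothing because the filter value was escaped.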