[authad] Multiple domains but same admin_user #1648

Open
fernwerker opened this issue Jul 28, 2016 · 7 comments · May be fixed by #2031

Comments

@fernwerker

Regarding the closed issue (#678), I will provide documentation for this after success.
The problem is in a configuration with multiple domains but the same admin user to query the entries:

$conf['plugin']['authad']['domain'] = '@example.com';
$conf['plugin']['authad']['recursive_groups'] = 1;
$conf['plugin']['authad']['debug'] = 1;

$conf['plugin']['authad']['account_suffix'] = '@example.com';
$conf['plugin']['authad']['base_dn'] = 'DC=example,DC=com';
$conf['plugin']['authad']['domain_controllers'] = 'ldaps://adserv01.example.com, ldaps://adserv02.example.com';
$conf['plugin']['authad']['use_tls'] = 1;
$conf['plugin']['authad']['admin_username'] = 'query';
$conf['plugin']['authad']['admin_password'] = 'mysecret';

$conf['plugin']['authad']['stud.uni-stuttgart.de']['account_suffix'] = '@others.example.com';
$conf['plugin']['authad']['stud.uni-stuttgart.de']['base_dn'] = 'DC=others,DC=example,DC=com';
$conf['plugin']['authad']['stud.uni-stuttgart.de']['domain_controllers'] = 'ldaps://adserv01.others.example.com';
$conf['plugin']['authad']['stud.uni-stuttgart.de']['use_tls'] = 1;
$conf['plugin']['authad']['admin_username'] = 'query';
$conf['plugin']['authad']['admin_password'] = 'mysecret';

The only message I can get so far is: "Bad username or password"
I already tried to add the domain to the admin_username (e.g. query@example.com in both domains) but then the AD bind fails.

Does anyone have an idea how to get this to work? If I use ADExplorer and log in with the admin_username I can query both domains.

@Klap-in
Collaborator

Klap-in commented Jul 28, 2016

The authad plugin has a debug config setting. Enabling it temporarily sometimes gives additional debug information.

Edit: sorry, you applied it already.

@fernwerker
Author

As shown in my config, debug is enabled.
The only message I get is:

AD Auth: Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials

@Klap-in
Collaborator

Klap-in commented Jul 31, 2016

@splitbrain has included a dropdown for selecting a domain with #541. Maybe he can give you some suggestions or an example configuration?

Other work on multiple domains is in #141; the commit comments explain a bit, but probably not enough for configuration purposes.

@fernwerker
Author

fernwerker commented Aug 1, 2016

Got a slight update:
The hint in the config documentation to use port 3268 rather than the default port 389 looked like a helpful way, if you have an organisation with multiple DCs under a single parent.

The only problem is that the user id is referenced to the account_suffix. So if I uncomment the account_suffix, add the domain to my query user and log in with user@example.com or user@others.example.com, I always get "Bad username or password" and the page reloads with only the "user" without @example.com in the login form.

Therefore the bind seems to work.
So how do I get to use the account suffix (also to enable multiple domain support) without the parameter being used for the admin_username?

UPDATE: After a little bit of code searching I found out that adLDAP seems to append the account_suffix to the admin_username. Therefore I posted an issue there: adldap/adLDAP#117
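The following is an added example, not authad or adLDAP code. It models how the bind principal is derived from the configuration posted above under two assumptions: authad overlays the keys under conf[domain] on the base keys, and adLDAP binds with admin_username + account_suffix, as found above. The diagnose() helper flags the two failure modes this thread describes, so the effect of a per-domain block can be checked before touching a directory.

```python
"""Added example (not authad or adLDAP code). Assumptions: authad overlays the
keys under conf[domain] on the base keys, and adLDAP binds as
admin_username + account_suffix, as reported in this issue."""

SERVER_KEYS = ("account_suffix", "base_dn", "domain_controllers",
               "use_tls", "admin_username", "admin_password")

# Constructed to mirror the configuration posted in this issue.
CONF = {
    "account_suffix": "@example.com",
    "base_dn": "DC=example,DC=com",
    "domain_controllers": "ldaps://adserv01.example.com, ldaps://adserv02.example.com",
    "use_tls": 1,
    "admin_username": "query",
    "admin_password": "mysecret",
    "stud.uni-stuttgart.de": {  # per-domain block without its own admin_username
        "account_suffix": "@others.example.com",
        "base_dn": "DC=others,DC=example,DC=com",
        "domain_controllers": "ldaps://adserv01.others.example.com",
        "use_tls": 1,
    },
}


def effective_config(conf, domain=None):
    """Base server keys, overridden by the matching per-domain block (assumed merge)."""
    cfg = {k: conf[k] for k in SERVER_KEYS if k in conf}
    block = conf.get(domain) if domain else None
    if isinstance(block, dict):
        cfg.update({k: block[k] for k in SERVER_KEYS if k in block})
    return cfg


def bind_principal(cfg):
    """What is handed to ldap_bind: admin_username with account_suffix appended (assumed)."""
    return cfg.get("admin_username", "") + cfg.get("account_suffix", "")


def diagnose(conf, domain=None):
    """Return codes for the two failure modes described in this thread."""
    problems = []
    block = conf.get(domain) if domain else None
    if isinstance(block, dict) and "admin_username" not in block:
        # The base admin account is reused but receives this domain's suffix.
        problems.append("inherited-admin")
    if bind_principal(effective_config(conf, domain)).count("@") > 1:
        # e.g. query@example.com + @example.com: doubled suffix, bind fails.
        problems.append("double-suffix")
    return problems
```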

@fernwerker
Author

Might be fixed in the current release of the adldap lib. Needs to be updated in authad.

@Klap-in
Collaborator

Klap-in commented Aug 5, 2016

You're right, there is also an issue for that, see #1553

@fernwerker
Author

Unfortunately I am not enough of a PHP developer to get this done. The solution might be in adldap2 (https://github.com/Adldap2/Adldap2).
Are there any plans/chances of including this in an upcoming update?
