I'll respond to your question from a different angle than Misagh did... assuming you meant multiple AD domains, like student and staff being in different domains, but still AD LDAP.
There are issues with using LPPE against multiple AD domains (if the domains are in the same forest, then the global catalog LDAP connection can potentially be used to get around these limitations). The two places where I recall there being issues are as follows.

The first is if the URLs to the self-service password change application are different. LPPE gives you a single URL to configure. If each domain has its own self-service password (re)set application, then there is an issue.

The other is that the password expiration warning only works for a single domain. The reason is that AD doesn't actually have a user attribute that defines when a password expires. It is calculated based on when the password was last set and a value in the Group Policy. Upon successful authentication, the login-webflow.xml calculates when the expiration is due and presents a warning view to the user. The calculation doesn't know which authN source authenticated the user and will just use whichever one it is connected to in the LPPE configuration. So if a username exists in both domains, then things get interesting depending upon the status of the account in both domains.

States/messages like locked account, must change password upon next login, bad workstation (if anyone actually uses it), etc. should work fine with multiple domains because the status is returned when the authN is tested against the LDAP.

I hope that helps.

John

On 10/6/14 11:02 AM, Misagh Moayyed wrote:
>
> For the most part, yes. It's merely tested against AD, but I know we
> have gotten it to work with OpenLdap as well with some mods. It really
> depends on your LDAP schema and what it's going to report back. At
> best, I think it's safe to say that non-AD deployments of LPPE with
> 3.5.2 do require mods to CAS and that portion that handles that stuff.
>
> > From: Stephen Meier [mailto:[email protected]]
> > Sent: Monday, October 6, 2014 10:12 AM
> > To: [email protected]
> > Subject: [cas-user] LPPE and multiple Domains
> >
> > Good morning All,
> >
> > I am trying to implement LPPE for CAS 3.5.2. It looks like if you
> > want to use LPPE, you can only use one AD domain. Is this the case?
> > I have been looking around and not finding much in terms of how to do
> > this.
> >
> > Regards,
> >
> --
> You are currently subscribed to [email protected]
> <mailto:[email protected]> as: [email protected]
> <mailto:[email protected]>
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
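To make John's point about the expiration warning concrete: AD has no "password expires at" attribute, so any warning logic has to combine the user's pwdLastSet (a Windows FILETIME) with the maxPwdAge interval held on the domain root (populated from the Default Domain Policy GPO). The script below is an added example and is not CAS or LPPE code; the two domains, their policies, the user entries and the "now" timestamp are all constructed here to show why the calculation must use the policy of the domain that actually authenticated the user, and how the special cases John mentions (must change at next logon, password never expires) surface in the same attributes.

```python
"""
Added example (not CAS/LPPE code): computing an AD password expiry the way
LPPE must, from pwdLastSet + maxPwdAge, since AD stores no expiry attribute.
All directory data below is constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000           # userAccountControl bit: password never expires
MAXPWDAGE_NEVER = -0x8000000000000000     # maxPwdAge sentinel meaning "never expires"
DAY_100NS = 24 * 60 * 60 * 10_000_000     # one day in 100-ns FILETIME units


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100-ns intervals since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_expiry(user: dict, domain: dict):
    """
    Mimic the calculation done after a successful bind.
    Returns (expires_at or None, status) with status in {'never', 'must_change', 'ok'}.
    """
    if int(user.get("userAccountControl", 0)) & UF_DONT_EXPIRE_PASSWD:
        return None, "never"
    pwd_last_set = int(user.get("pwdLastSet", 0))
    if pwd_last_set == 0:
        return None, "must_change"          # AD: user must change password at next logon
    max_age = int(domain["maxPwdAge"])      # negative interval stored on the domain root
    if max_age in (0, MAXPWDAGE_NEVER):
        return None, "never"
    return filetime_to_datetime(pwd_last_set - max_age), "ok"


def days_until_expiry(user: dict, domain: dict, now: datetime):
    expires_at, status = password_expiry(user, domain)
    if status != "ok":
        return None, status
    return (expires_at - now).days, status


def should_warn(user: dict, domain: dict, now: datetime, warn_days: int = 30) -> bool:
    """True when the warning view should be shown for this user under this domain's policy."""
    days, status = days_until_expiry(user, domain, now)
    return status == "ok" and days <= warn_days


# --- constructed sample data (hypothetical domains and accounts) ------------
NOW = datetime(2014, 10, 6, tzinfo=timezone.utc)
AUG_1 = datetime_to_filetime(datetime(2014, 8, 1, tzinfo=timezone.utc))

DOMAINS = {
    "student.example.edu": {"maxPwdAge": -90 * DAY_100NS},   # 90-day policy
    "staff.example.edu":   {"maxPwdAge": -180 * DAY_100NS},  # 180-day policy
}
# The same sAMAccountName exists in both domains with the same pwdLastSet;
# only the domain policy differs, so the correct answer depends on which
# directory actually authenticated the login.
USERS = {
    "student.example.edu": {
        "jsmith": {"pwdLastSet": AUG_1, "userAccountControl": 0x200},
    },
    "staff.example.edu": {
        "jsmith":     {"pwdLastSet": AUG_1, "userAccountControl": 0x200},
        "newhire":    {"pwdLastSet": 0,     "userAccountControl": 0x200},    # must change
        "svc-backup": {"pwdLastSet": AUG_1, "userAccountControl": 0x10200},  # never expires
    },
}


def warning_for(username: str, authenticated_domain: str, now: datetime = NOW):
    """Evaluate the user against the policy of the domain that authenticated them."""
    user = USERS[authenticated_domain][username]
    return days_until_expiry(user, DOMAINS[authenticated_domain], now)


if __name__ == "__main__":
    for dom in DOMAINS:
        print(dom, "jsmith ->", warning_for("jsmith", dom))
    # Wrong-domain case: student account judged by the staff policy.
    print("student jsmith under staff policy warns?",
          should_warn(USERS["student.example.edu"]["jsmith"],
                      DOMAINS["staff.example.edu"], NOW))
```

With the constructed data, the student-domain jsmith has 24 days left under the 90-day policy and should see the warning, while the same username evaluated against the staff domain's 180-day policy shows 114 days and no warning; a single-connection LPPE setup that always reads maxPwdAge from one domain would get one of those two users wrong. The pwdLastSet == 0 and UF_DONT_EXPIRE_PASSWD cases come back as distinct statuses rather than a bogus date, which is why John notes that the per-account states still work across domains: they travel with the user entry, not with the policy.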
