The Global Catalog is available by default on port 3268, 3269 for ldaps. See http://technet.microsoft.com/en-us/library/cc728188%28v=ws.10%29.aspx. I think you can point to any (set of) DC(s) and be good.

You'll likely need to play with filter & searchbase to get everything even.

On 10/6/14 4:40 PM, Stephen Meier wrote:
> Just knowing that it will work helps a lot. Before trying to use LPPE, I was able to authenticate against both domains, but since the configuration for LPPE is considerably different I didn’t have a clue as to where to define the additional domain.
>
> The two domains are in the same AD forest and the password policy will be the same for both. I will try to use a global catalog server to process the users for both domains. I am not really sure how to proceed on this. Perhaps I will go back into the documents.
>
> *From:* John Gasper [mailto:[email protected]]
> *Sent:* Monday, October 6, 2014 11:54 AM
> *To:* [email protected]
> *Subject:* Re: [cas-user] LPPE and multiple Domains
>
> I'll respond to your question from a different angle than Misagh did... assuming you meant multiple AD domains, like student and staff being in different domains, but still an AD ldap.
>
> There are issues with using LPPE against multiple AD domains (if the domains are in the same forest then the global catalog ldap connection can be used to potentially get around these limitations). The two places that I recall there being issues are if the urls to the self service password change application are different. LPPE gives you a single URL to configure. If each domain has its own self service password (re)set application then there is an issue.
>
> The other is that the password expiration warning only works for a single domain. The reason is that AD doesn't actually have a user attribute that defines when a password expires. It is calculated based on when the password was last set and a value in the Group Policy. Upon successful authentication, the login-webflow.xml calculates when the expiration is due and presents a warning view to the user. The calculation doesn't know which authN source authenticated the user and will just use whichever one it is connected to in the lppe configuration. So if a username exists in both domains, then things get interesting depending upon the status of the account in both domains.
>
> States/messages like locked account, must change password upon next login, bad workstation (if anyone actually uses it), etc. should work fine with multiple domains because the status is returned when the authn is tested against the ldap.
>
> I hope that helps.
>
> John
>
> On 10/6/14 11:02 AM, Misagh Moayyed wrote:
> > For the most part, yes. It’s merely tested against AD, but I know we have gotten it to work with OpenLdap as well with some mods. It really depends on your LDAP schema and what it’s going to report back. At best, I think it’s safe to say that non-AD deployments of LPPE with 3.5.2 do require mods to CAS and that portion that handles that stuff.
> >
> > *From:* Stephen Meier [mailto:[email protected]]
> > *Sent:* Monday, October 6, 2014 10:12 AM
> > *To:* [email protected]
> > *Subject:* [cas-user] LPPE and multiple Domains
> >
> > Good morning All,
> >
> > I am trying to implement LPPE for CAS 3.5.2. It looks like if you want to use LPPE, you can only use one AD domain. Is this the case? I have been looking around and not finding much in terms of how to do this.
> >
> > Regards,
> >
> > --
> > You are currently subscribed to [email protected] as: [email protected]
> > To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
