On Mon, Mar 23, 2015 at 08:23:00PM -0400, Dmitri Pal wrote:
> On 03/23/2015 05:13 PM, Matt Wells wrote:
> >We have two authentication domains; both on 4.X.
> >
> >Domain 1 - Internal and contains our employee accounts
> >Domain 2 - External accounts that reside outside of our company.
> >These accounts are utilized to gain access to some of our web
> >resources.
> >
> >Is there a method to point our older app at "domain 2" IPA servers and
> >forward on to internal if not found?
> >As always, thanks to all who monitor and read this list. One of the best.
> >
> Can you please be a bit more specific.
>
> You have an app that is currently pointing to external servers.
> How does it point to them? Using LDAP or some other way?
> What kind of app is it?
> Can you modify it or is it stock software?
>
> Forward to the internal "if not found" what? User?
> So you want for app to be able to access users from both domains
> effectively, right?

That's the way I read the original question, too, and if it's the case,
then it's pretty much how SSSD's domains behave. So if you had in
sssd.conf:
    domains = dom1, dom2

Then a query for a username would first look into dom2. If the user was
found, it would be returned to the NSS stack and dom2 wouldn't be
queried at all.

If there are conflicting names, however, and you want to go straight to
dom2, you need to qualify the names:
    getent passwd user@dom2
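
A simplified model of the lookup behaviour discussed in this message, as an added example that is not part of the original thread or SSSD's own code. It assumes SSSD's documented behaviour of querying domains in the order they are listed in `domains`; the users are constructed and the helper names `resolve` and `shadowed` are hypothetical.

```python
# Simplified model of SSSD name resolution across two domains.
# Assumption: domains are queried in the order listed in sssd.conf.
DOMAIN_ORDER = ["dom1", "dom2"]          # mirrors: domains = dom1, dom2
DIRECTORY = {                            # constructed sample users (name -> uid)
    "dom1": {"alice": 1001, "bob": 1002},
    "dom2": {"bob": 5002, "carol": 5003},
}


def resolve(name, order=DOMAIN_ORDER, directory=DIRECTORY):
    """Return (domain, uid) for a getent-style lookup, or None if not found."""
    user, sep, domain = name.partition("@")
    if sep:
        # Qualified name (user@domain): only the named domain is consulted.
        uid = directory.get(domain, {}).get(user)
        return (domain, uid) if uid is not None else None
    for dom in order:
        # Unqualified name: the first domain in list order that has it wins.
        if user in directory[dom]:
            return (dom, directory[dom][user])
    return None


def shadowed(order=DOMAIN_ORDER, directory=DIRECTORY):
    """Report short names that exist in more than one domain.

    For each, show which domain answers the unqualified lookup and which
    domains are only reachable with a qualified name.
    """
    report = {}
    for user in sorted(set().union(*(directory[d] for d in order))):
        holders = [d for d in order if user in directory[d]]
        if len(holders) > 1:
            report[user] = {
                "short_name_resolves_to": holders[0],
                "hidden_in": holders[1:],
            }
    return report


if __name__ == "__main__":
    for query in ("alice", "bob", "bob@dom2", "carol", "dave"):
        print(query, "->", resolve(query))
    print("colliding names:", shadowed())
```

Running the collision report against real account exports before merging an internal and an external domain on one client shows which accounts would silently resolve to the other domain's user when an application passes an unqualified name.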