Select LDAP server depending on domain contacted
The idea is to be able to associate domains with LDAP servers in fusiondirectory.conf, so that the default LDAP server is selected automatically based on the domain contacted.
Actual behavior
When contacted, FD reads the LDAP configuration from the default LDAP server, and if the HTML form login method is used, the user is offered a choice between the configured LDAP servers.
Expected behavior
Being able to select the default LDAP server based on the domain contacted.
Step by step description of new behaviour
- Configure several LDAP servers, each with a domain specified, for example:
<?xml version="1.0"?>
<conf>
  <!-- Main section **********************************************************
       The main section defines global settings, which might be overridden by
       each location definition inside.
       For more information about the configuration parameters, take a look at
       the FusionDirectory.conf(5) manual page.
  -->
  <main debugLevel="0" default="ldap1" displayErrors="FALSE" forceSSL="FALSE" logging="TRUE" templateCompileDirectory="/var/spool/fusiondirectory/">
    <!-- Location definition -->
    <location name="ldap1" domain="fd1.example.com">
      <referral URI="ldap://ldap1.example.com:389" adminDn="cn=admin,dc=example,dc=com" adminPassword="secret" base="dc=example,dc=com"/>
    </location>
    <location name="ldap2" domain="fd2.example.com">
      <referral URI="ldap://ldap2.example.com:389" adminDn="cn=admin,dc=example,dc=com" adminPassword="secret" base="dc=example,dc=com"/>
    </location>
  </main>
</conf>
- Contact fd1.example.com: ldap1 is selected by default and its configuration is used for the index page.
- Contact fd2.example.com: ldap2 is selected by default and its configuration is used for the index page.
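As an added illustration of the selection rule described in these steps (this is not FusionDirectory code), here is the lookup written in Python against a constructed copy of the configuration above. The port stripping, the trusted-proxy handling of X-Forwarded-Host and the "hide selector" flag are assumptions covering the reverse-proxy and selector-hiding points raised under Applicable Issues.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the proposed fusiondirectory.conf layout (credentials omitted).
SAMPLE_CONF = """<?xml version="1.0"?>
<conf>
  <main default="ldap1">
    <location name="ldap1" domain="fd1.example.com">
      <referral URI="ldap://ldap1.example.com:389" base="dc=example,dc=com"/>
    </location>
    <location name="ldap2" domain="fd2.example.com">
      <referral URI="ldap://ldap2.example.com:389" base="dc=example,dc=com"/>
    </location>
  </main>
</conf>"""

def normalize_host(host):
    """Lower-case the host and drop any :port suffix that a Host header may carry."""
    host = host.strip().lower()
    if host.startswith('['):            # bracketed IPv6 literal, e.g. [::1]:443
        return host.split(']')[0] + ']'
    return host.split(':')[0]

def load_locations(conf_xml):
    """Return (default location name, {normalized domain: location name})."""
    main = ET.fromstring(conf_xml).find('main')
    by_domain = {}
    for loc in main.findall('location'):
        if loc.get('domain'):
            by_domain[normalize_host(loc.get('domain'))] = loc.get('name')
    return main.get('default'), by_domain

def select_location(conf_xml, headers, trusted_proxy=False):
    """Pick the location for a request; returns (location_name, hide_selector).

    headers maps HTTP header name -> value.  The Host header is client-controlled,
    so an unknown domain falls back to <main default="..."> instead of erroring.
    """
    default, by_domain = load_locations(conf_xml)
    host = headers.get('Host', '')
    # Behind a reverse proxy the original host arrives in X-Forwarded-Host; honour it
    # only when the request came from a trusted proxy, since any client can set it.
    if trusted_proxy and headers.get('X-Forwarded-Host'):
        host = headers['X-Forwarded-Host'].split(',')[0]
    name = by_domain.get(normalize_host(host))
    if name is None:
        return default, False   # no domain match: use the default, keep the selector
    return name, True           # domain matched: use it and hide the selector
```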
Benefits
Use only one FD installation for several LDAP instances with different user bases, without confusing users.
Possible Drawbacks
Applicable Issues
We need to double-check domain detection when a reverse proxy or a similarly complex configuration is in use, but if I recall correctly we are already doing this for other features anyway.
We may want to provide a simple way to hide the LDAP selector, so that users of fd1.example.com do not know that fd2.example.com exists and vice-versa. This could be:
- A configuration option in the config file
- Hiding the selector automatically as soon as domain detection is used?
- An option in the FD in-LDAP configuration -> bad idea, because if its value differs between ldap1 and ldap2 it will cause trouble