I have a single ldap instance that provides ID for accounts across
multiple trusted kerberos realms. I don't see a way to list multiple
kerberos REALMS under a single domain section. I'm guessing the only way
this scheme will work is if I locate the realm1 ldap accounts in one
container and the realm2 accounts in another container, e.g.:
[sssd]
domains = realm1, realm2

[domain/realm1]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
auth_provider = krb5
krb5_realm = REALM1.COM
ldap_user_search_base = ou=realm1,ou=people,dc=example,dc=com

[domain/realm2]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
auth_provider = krb5
krb5_realm = REALM2.COM
ldap_user_search_base = ou=realm2,ou=people,dc=example,dc=com
Am I correct that I won't be able to place the realm1 and realm2
accounts in the same ldap_user_search_base? I was hoping I might be
able to leverage “[domain/realm1/realm2]”, but it doesn't look like
krb5_realm is an option there, and it looks like the trusted domain
section expects to find identity in separate user search bases.
Mark
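The same two-domain layout with a shared search base, as an added example that is not from the original post or from the SSSD project. It relies on the extended search-base form documented for sssd-ldap, base?scope?(filter), so both domains point at the same ou=people container and are told apart by a filter rather than by separate containers. The attribute used in the filter (krb5PrincipalName) and the CA bundle path are assumptions: the directory has to carry some attribute that identifies each account's realm, and the filter has to be changed to whatever that attribute is. krb5_validate is set so a TGT obtained with the user's password is cross-checked against the host keytab, which stops a spoofed KDC from authenticating a user; it requires the host principal in /etc/krb5.keytab.

```ini
# /etc/sssd/sssd.conf -- added example, not the original poster's config
[sssd]
config_file_version = 2
services = nss, pam
domains = realm1, realm2

[domain/realm1]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
# assumed CA bundle path; ldap_tls_reqcert defaults to "hard", so a
# certificate that does not chain to this bundle aborts the connection
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
# shared base, extended "base?scope?(filter)" syntax;
# krb5PrincipalName is an assumed attribute, substitute whatever marks the realm
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(krb5PrincipalName=*@REALM1.COM)
krb5_realm = REALM1.COM
# verify the TGT against the host keytab so a rogue KDC cannot fake a success
krb5_validate = true
krb5_keytab = /etc/krb5.keytab
cache_credentials = true

[domain/realm2]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
# same container, different realm filter
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(krb5PrincipalName=*@REALM2.COM)
krb5_realm = REALM2.COM
krb5_validate = true
krb5_keytab = /etc/krb5.keytab
cache_credentials = true
```

Two checks before relying on this: SSSD refuses to start unless sssd.conf is owned by root and not group- or world-readable, so keep it at mode 0600; and because both domains share one container, an account whose realm attribute is missing or malformed matches neither filter and simply disappears from `getent passwd`, which is the safe failure mode but worth testing for a known user in each realm (`getent passwd user@realm1`, `getent passwd user@realm2`) after `sss_cache -E`.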