Robin_Svanberg
New Member
June 29, 2016
Solved

SSLVPN: Filter for LDAP server based on username?

Hi,

we have been running different VDOMs for handling different SSLVPNs for some customers, with LDAP to their own AD.

Would like to get rid of these VDOMs and use one VDOM for all customers but with different portals.

There are two drawbacks with this that I'm aware of: you can't have different domain suffixes, and the other one is the separation of, in our case, LDAP servers.

We can live with the domain suffix "issue", but is it possible to filter which LDAP server will be used based on the username? For example, if we would use firstname@domain1.com it would use LDAPServer1, and if the username is firstname@domain2.com use LDAPServer2? I haven't seen this possibility, but without it we can't change the design, since the customers' LDAP servers will log and try the credentials for the "wrong domain".

Best Regards

    Best answer by Carl_Wallmark

    1 reply

    Carl_Wallmark
    New Member
    June 29, 2016

    Hi Robin,

    I understand the problem, and without testing, I think you can make it work if you use "Realms".

    You have:

    Customer1
    Customer2

    Customer1:
    They would login with https://your_fqdn.com/Customer1

    Customer2:
    They would login with https://your_fqdn.com/Customer2

    You can use different groups to different realms, so you would use the login URL to separate the different customers.

    Robin_Svanberg
    New Member
    June 29, 2016

    Selective wrote:

    Hi Robin,

    I understand the problem, and without testing, I think you can make it work if you use "Realms".

    You have:

    Customer1
    Customer2

    Customer1:
    They would login with https://your_fqdn.com/Customer1

    Customer2:
    They would login with https://your_fqdn.com/Customer2

    You can use different groups to different realms, so you would use the login URL to separate the different customers.

    Wasn't aware of that feature, looks good. Best option would have been the filter based on username/mail address, but realms was not that bad :) Thanks!

    You don't know any solution to use different domain suffixes based on realms or portals?

    Carl_Wallmark
    New Member
    June 29, 2016

    Unfortunately you cannot set a DNS suffix per portal.

    I actually requested that a long time ago, but it's not implemented yet.

    With that said,

    You can add more DNS suffixes to the configuration like this:

    set dns-suffix "customer1.org customer2.se customer3.com"

    Key length is 255 characters; domains must be separated with a space.

    Downside is that all customers will have all suffixes when they are connected.

    BUT, if the computer is a member of the Active Directory domain, the DNS suffix would not be needed, as the computer adds the suffix by itself.

    And you can add different DNS servers per portal, so maybe you can work around it?
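An added FortiOS CLI example (not from the thread, and not Fortinet's documentation) of the realm-based design Carl describes, with the shared dns-suffix from his last reply. Server addresses, DNs, the svc_vpn bind account and all object names are assumptions; the point is that each realm's authentication rule references one user group whose only member is that customer's LDAP server, so a login on /Customer1 is checked against LDAPServer1 alone and never shows up in customer2's AD logs.

```fortios
config user ldap
    edit "LDAPServer1"
        set server "10.1.1.10"          # assumed customer1 domain controller
        set cnid "sAMAccountName"
        set dn "dc=customer1,dc=org"
        set type regular
        set username "cn=svc_vpn,cn=Users,dc=customer1,dc=org"   # assumed bind account
        set password "PLACEHOLDER"      # real bind password is set on the box
    next
    edit "LDAPServer2"
        set server "10.2.2.10"          # assumed customer2 domain controller
        set cnid "sAMAccountName"
        set dn "dc=customer2,dc=se"
        set type regular
        set username "cn=svc_vpn,cn=Users,dc=customer2,dc=se"
        set password "PLACEHOLDER"
    next
end
config user group
    edit "Customer1_Group"
        set member "LDAPServer1"        # this group is only ever checked against customer1's AD
    next
    edit "Customer2_Group"
        set member "LDAPServer2"
    next
end
config vpn ssl web realm
    edit "Customer1"                    # reached at https://your_fqdn.com/Customer1
    next
    edit "Customer2"                    # reached at https://your_fqdn.com/Customer2
    next
end
config vpn ssl settings
    set dns-suffix "customer1.org customer2.se"   # one list, pushed to every portal
    config authentication-rule
        edit 1
            set realm "Customer1"       # the login URL picks the rule, the rule picks the group
            set groups "Customer1_Group"
        next
        edit 2
            set realm "Customer2"
            set groups "Customer2_Group"
        next
    end
end
```

Per-portal DNS servers (`set dns-server1` under `config vpn ssl web portal`) and the `set portal` reference in each rule are left out here for brevity. Before moving customers in, confirm on a test box that a failed login on /Customer1 produces no bind attempt in LDAPServer2's logs, which is exactly the cross-tenant leak the original question wants to avoid.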