Most people configure the PAM and NSS LDAP modules to point to LDAP servers that handle a single search base, as defined in pam_ldap.conf or libnss-ldap.conf. The man pages do not describe any option to specify multiple bases.
Is it possible to configure a Linux system to use more than one base, each handled by a different LDAP server, so that if a user is not found in the first domain, the system searches for the user in the next one, and keeps trying each base until it finds the user or has exhausted all of them?
The scenario I'm working on is this: I have a local LDAP server I set up serving base dc=yyyy, and I've got a separate LDAP directory I set up in JumpCloud with base ou=Users,o=<orgid>,dc=jumpcloud,dc=com. This directory has a different set of users from the first. When a user logs in, I'd like the system to search the local LDAP directory first; if it doesn't find the user there, I'd like it to authenticate against the JumpCloud directory.