Multiple Domain Configuration
Configuring PAM to enable Logins from Multiple Domains.
PAM supports the ability to integrate with multiple domains (AD and LDAP) in order to provide login and authentication services for the application.
If you have not integrated with AD yet, please first review our AD Integration article first.
AD or LDAP connections
To configure additional AD or LDAP connections in PAM:
- Login to the server where PAM is deployed as an Administrator.
- Open a command line and navigate to the folder where PAM is installed ($PAM_HOME) and issue the following command:
- For Windows, substitute the below placeholders with your connection information and then issue the command:
-
{ldap.name} which is used by PAM as an internal reference.
-
{ldap.server} which is your server name.
-
{ldap.user} which is your ldap user. Use the format user@domain.com
-
{ldap.password} which is the password for your user.
Copybin\PamDirectory.cmd LdapConnect web {ldap.name} {ldap.server} {ldap.user} {ldap.password}
- For Unix or Linux, substitute the below placeholders with your connection information and then issue the command:
-
{ldap.name} which is used by PAM as an internal reference.
-
{ldap.server} which is your server name.
-
{ldap.user} which is your ldap user. Use the format user@domain.com
-
{ldap.password} which is the password for your user.
Copybin/PamDirectory.sh LdapConnect web {ldap.name} {ldap.server} {ldap.user} {ldap.password}
-
If the command returns an OK response, then the connection has been made. You may add another connection following this same procedure. If the command returns a Fail response, then double check your user and password values. For the {ldap.user} value, be sure to use the user@domain format.
-
Once all the connections have been created successfully, please restart the service by issuing the following command:
-
Multi-domin AD or LDAP integration is now complete. Objects and permissions may now be shared with these additional AD Users and Groups in PAM.
Please note if your password contains any of the following characters & \ < > ^ | then they must be properly escaped when executing the command by placing a ^ before each like this for ampersand ^&. Alternatively, you can issue the command using a dash – rather than the password in which case you will be prompted to enter the password during execution and in this approach, those special characters do not have to be escaped.
bin\PamDirectory.cmd LdapConnect web {ldap.name} {ldap.server} {ldap.user} -
bin/PamDirectory.sh LdapConnect web {ldap.name} {ldap.server} {ldap.user} -
AD/LDAP user accounts can be added toPAM Local Groups which helps provide a single group that contains membership of multiple domain accounts.
Disabling
To Disable an Existing Connection:
- Login to the server where PAM is deployed as an Administrator.
- Open a command line and navigate to the folder where PAM is installed ($PAM_HOME) and issue the following command:
-
For Windows, substitute your {ldap.name} which was supplied when creating the initial connection and issue:
Copybin\PamDirectory.cmd LdapConnect web {ldap.name} DISABLE
-
For Unix or Linux, substitute your {ldap.name} which was supplied when creating the initial connection and issue:
Copybin/PamDirectory.sh LdapConnect web {ldap.name} DISABLE
- When successfully disabled, the command will return an OK response.