Multiple Domain Configuration

Configuring PAM to enable Logins from Multiple Domains.

PAM supports the ability to integrate with multiple domains (AD and LDAP) in order to provide login and authentication services for the application.

If you have not integrated with AD yet, please review our AD Integration article first.

AD or LDAP connections

To configure additional AD or LDAP connections in PAM:

  1. Login to the server where PAM is deployed as an Administrator.
  2. Open a command line and navigate to the folder where PAM is installed ($PAM_HOME). Substitute the placeholders below with your connection information and then issue the command for your platform:
        • {ldap.name} which is used by PAM as an internal reference.
        • {ldap.server} which is your server name.
        • {ldap.user} which is your LDAP user. Use the format user@domain.com
        • {ldap.password} which is the password for your user.

      1. For Windows:

          bin\PamDirectory.cmd LdapConnect web {ldap.name} {ldap.server} {ldap.user} {ldap.password}

      2. For Unix or Linux:

          bin/PamDirectory.sh LdapConnect web {ldap.name} {ldap.server} {ldap.user} {ldap.password}

    Please note that if your password contains any of the following characters & \ < > ^ | then they must be properly escaped when executing the command by placing a ^ before each one, for example ^& for an ampersand. (The caret is cmd.exe escaping; on a Unix or Linux shell, quote the password according to that shell's rules instead.) Alternatively, you can issue the command using a dash - rather than the password, in which case you will be prompted to enter the password during execution and those special characters do not have to be escaped:

    bin\PamDirectory.cmd LdapConnect web {ldap.name} {ldap.server} {ldap.user} -
    bin/PamDirectory.sh LdapConnect web {ldap.name} {ldap.server} {ldap.user} -
  3. If the command returns an OK response, then the connection has been made. You may add another connection following this same procedure. If the command returns a Fail response, then double check your user and password values. For the {ldap.user} value, be sure to use the user@domain format.

  4. Once all the connections have been created successfully, please restart the service by issuing the following command:

    1. For Windows:

      net stop PamManagement
      net start PamManagement

    2. For Unix or Linux:

      service pammanager restart

  5. Multi-domain AD or LDAP integration is now complete. Objects and permissions may now be shared with these additional AD Users and Groups in PAM.
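As an added example (not part of the PAM product or of this article), the POSIX shell helper below wraps the Unix LdapConnect step described above: it enforces the user@domain format, applies the special-character rule by falling back to the "-" prompt form whenever the password would need escaping, and maps the OK/Fail response to an exit status. PAM_HOME defaults to a constructed path, and pam_escape_for_cmd reproduces the caret escaping required for the Windows command.

```shell
#!/bin/sh
# Added example, not PAM's own code. Wraps bin/PamDirectory.sh LdapConnect so
# that a bind password containing & \ < > ^ | is never passed unescaped.

PAM_HOME="${PAM_HOME:-/opt/pam}"   # assumption: set to your PAM install folder

# Return 0 when the password contains a character that needs escaping.
pam_password_has_specials() {
    printf '%s' "$1" | grep -q '[&\\<>^|]'
}

# Print the password escaped for cmd.exe: a caret before each special
# character, e.g. 'p&ss' -> 'p^&ss'. Only needed for bin\PamDirectory.cmd.
pam_escape_for_cmd() {
    printf '%s\n' "$1" | sed 's/[&\\<>^|]/^&/g'
}

# Print the value to use as the last LdapConnect argument: the password
# itself when it is safe, otherwise "-" so PamDirectory prompts for it.
pam_password_arg() {
    if pam_password_has_specials "$1"; then
        printf '%s\n' '-'
    else
        printf '%s\n' "$1"
    fi
}

# Run LdapConnect and map its OK/Fail response to an exit status.
# Usage: pam_ldap_connect <ldap.name> <ldap.server> <ldap.user> <ldap.password>
# Returns 0 on OK, 1 on Fail, 2 when ldap.user is not in user@domain form.
pam_ldap_connect() {
    name=$1; server=$2; user=$3; password=$4
    case "$user" in
        *@*) ;;
        *) echo "ldap.user must use the user@domain format: $user" >&2; return 2 ;;
    esac
    arg=$(pam_password_arg "$password")
    out=$("$PAM_HOME/bin/PamDirectory.sh" LdapConnect web "$name" "$server" "$user" "$arg")
    case "$out" in
        *OK*) echo "connection '$name' created"; return 0 ;;
        *)    echo "connection '$name' failed: $out" >&2; return 1 ;;
    esac
}
```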

AD/LDAP user accounts can be added to PAM Local Groups, which provides a single group that contains members from multiple domain accounts.

Disabling

To Disable an Existing Connection:

  1. Login to the server where PAM is deployed as an Administrator.
  2. Open a command line and navigate to the folder where PAM is installed ($PAM_HOME). Substitute your {ldap.name}, which was supplied when creating the initial connection, and issue the command for your platform:

    1. For Windows:

      bin\PamDirectory.cmd LdapConnect web {ldap.name} DISABLE

    2. For Unix or Linux:

      bin/PamDirectory.sh LdapConnect web {ldap.name} DISABLE

  3. When successfully disabled, the command will return an OK response.

Troubleshooting

Unable to Connect to AD services due to a PKIX Path Building Failure when configuring multiple AD servers behind a Load Balancer