LDAP Multiple User-DN or Account Filter

We have multiple login domains for our users, such as:

  • @john-doe.com
  • @john-sto.de

Is it possible to configure LDAP to support multiple domains?

Current Configuration:

  • User-DN: %s@john-doe.com
  • Account Filter: (&(objectClass=user)(sAMAccountName=%s))

Attempts (Unsuccessful):

  1. Account Filter with OR condition:
     (&(objectClass=user)(|(sAMAccountName=%s@john-doe.com)(sAMAccountName=%s@john-sto.de)))
  2. Wildcard in User-DN:
     User-DN: %s@*
     Account Filter: (&(objectClass=user)(sAMAccountName=%s))

Do you have any suggestions or best practices for configuring LDAP to handle multiple domains for user login?

Yes, you can configure LDAP to support multiple domains for user login, but it requires a bit of a shift in how you approach the configuration. LDAP (especially when working with Microsoft Active Directory) is typically tied to a single domain context, so supporting multiple domains isn’t always as simple as just using wildcards or OR filters.

If your domains are part of the same Active Directory forest, you can also connect to the Global Catalog (typically on port 3268 or 3269 for SSL), which allows you to search across all domains in the forest using a unified LDAP query. Make sure your LDAP base is set to the forest root or an appropriate container that spans both domains.

However, if the domains are in separate forests, LDAP won’t automatically handle that. In such cases, the best practice is to configure separate LDAP connections for each domain and have your application logic determine which domain to authenticate against based on the user’s input (like their email domain). Alternatively, you can implement a proxy mechanism that tries each configured domain until a match is found.
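The two approaches from the answer above, selecting the LDAP connection from the e-mail domain in the login and falling back to trying each configured domain in turn, as an added Python example that is not part of the original thread. Host names, base DNs and the `authenticate` callback are assumptions; the domains, User-DN template and account filter come from the question, and the user-supplied value is escaped (RFC 4515) before it is substituted into the filter, which plain `%s` templating does not do.

```python
# Added example (not from the original thread): route user@<domain> logins to
# the per-domain LDAP configuration, or try each domain as a fallback.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class LdapDomain:
    server: str    # assumed hostname of a domain controller
    base_dn: str   # assumed search base for this domain
    user_dn: str   # bind template, same shape as the User-DN in the question
    port: int = 636

# Assumed per-domain configuration, keyed by the e-mail domain of the login.
DOMAINS = {
    "john-doe.com": LdapDomain("dc1.john-doe.com", "DC=john-doe,DC=com", "%s@john-doe.com"),
    "john-sto.de":  LdapDomain("dc1.john-sto.de",  "DC=john-sto,DC=de",  "%s@john-sto.de"),
}

ACCOUNT_FILTER = "(&(objectClass=user)(sAMAccountName=%s))"  # from the question

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    login such as 'bob*' cannot widen the filter or break its structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def route_login(login: str) -> tuple[LdapDomain, str, str]:
    """Split 'user@domain', pick the matching configuration and return
    (domain_config, bind_dn, search_filter). Raises on an unknown domain."""
    if login.count("@") != 1:
        raise ValueError("login must have the form user@domain")
    user, domain = login.split("@")
    domain = domain.lower()
    if not user or domain not in DOMAINS:
        raise LookupError("no LDAP configuration for domain %r" % domain)
    cfg = DOMAINS[domain]
    bind_dn = cfg.user_dn % user                     # e.g. alice@john-sto.de
    search_filter = ACCOUNT_FILTER % escape_filter_value(user)
    return cfg, bind_dn, search_filter

def try_each_domain(user: str, authenticate: Callable[[LdapDomain, str], bool]) -> Optional[str]:
    """Fallback 'proxy' approach: attempt each configured domain in turn with a
    caller-supplied authenticate(cfg, bind_dn) -> bool (assumed; it would
    perform the real LDAP bind). Returns the first domain that accepts the bind."""
    for domain, cfg in DOMAINS.items():
        if authenticate(cfg, cfg.user_dn % user):
            return domain
    return None
```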