Enterprise LDAP connection only works alone

Hi there,

We’re having an issue with combining the AD/LDAP Connector with the Auth0 DB.
In the setup seen below I’d expect that any auth attempt will be performed against the DB and then the LDAP connector, but trying to log in with my LDAP credentials will always fail in this configuration.

Only if I disable the DB will the LDAP connector work, and then I can log in using my LDAP credentials.

Could this be caused by wrong configuration or is this an Auth0 issue?

Hi @sascha.herzinger,

You can use more than one user directory for an application, and use Home Realm Discovery:


Thank you very much @andy.carter

So do I understand it right that the default behavior isn’t to try all available databases?

From the link you provided I understand that I need to implement my own connectionResolver, which would then manually map the domain @myCompany.com to LDAP. Does that sound correct?

Hello again,

https://github.com/auth0/lock#other-options states that

"This only works for database connections."

We have an LDAP connector, so does that mean in our case we cannot use connectionResolver but only rely on mapping domains to connections?

That’s correct. connectionResolver only works for DB connections. For enterprise connections you can include the associated domain names in the configuration of the connection, which will cause that connection to trigger when Auth0 sees someone logging in with an email address from that domain. Alternatively, you can include the connection= parameter in the call to /authorize, bypassing Universal Login and going directly to the specified connection.


Thank you very much for your response @markd

In that case my next question would be, what to do if domain mapping is not an option?
The users from the LDAP connection do not have domains, so how would I use the enterprise connection and the Auth0 DB at the same time (as shown above)?

Neither the classic nor the new login interface seems to include buttons for selecting the enterprise connection.

This old issue from 2017 https://github.com/auth0/lock/issues/797 seems to suggest that it wasn’t possible to manually add this button either.

In this case you may want to set the LDAP directory up as a custom database instead of using the AD/LDAP enterprise connection, and then you can use connectionResolver if that suits your needs.


FWIW, we have our LDAP directory connected as a custom DB and it works great. A few lines of JavaScript and you are good to go. In our case we are using this to migrate our users from the LDAP directory to Auth0, but you don’t need to do that if you want to leave the users where they are.
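An added example (not code from this thread, from Auth0 or from Lock) of the approach in the two replies above: the LDAP directory is exposed as a custom database connection, and a Lock connectionResolver routes bare usernames (the LDAP users without a domain) and the corporate domain to it, while other email addresses go to the regular Auth0 DB. The connection names and the domain are assumptions; the resolver signature is the one Lock documents.

```javascript
// Assumed connection names; replace with the names shown in your Auth0 dashboard.
const AUTH0_DB = 'Username-Password-Authentication'; // the regular Auth0 database
const LDAP_DB = 'ldap-custom-db';                     // custom DB whose login script binds to LDAP
const LDAP_DOMAINS = ['mycompany.com'];               // corporate domains that only exist in LDAP

// Pure routing decision, kept separate from Lock so it can be tested in isolation.
// Returns a Lock connection descriptor, or null to keep Lock's default behaviour.
function resolveConnection(username) {
  const value = String(username || '').trim().toLowerCase();
  if (!value) return null;

  const at = value.lastIndexOf('@');
  if (at === -1) {
    // No domain at all: these accounts live only in the LDAP directory.
    return { type: 'database', name: LDAP_DB };
  }

  const domain = value.slice(at + 1);
  if (LDAP_DOMAINS.includes(domain)) {
    return { type: 'database', name: LDAP_DB };
  }
  // Anyone else is a native Auth0 user.
  return { type: 'database', name: AUTH0_DB };
}

// Lock calls connectionResolver(username, context, cb); cb(null) means "use the default".
function connectionResolver(username, context, cb) {
  cb(resolveConnection(username));
}

// Options object to pass as the third argument of new Auth0Lock(clientId, domain, options).
const lockOptions = {
  allowedConnections: [AUTH0_DB, LDAP_DB],
  connectionResolver: connectionResolver,
};
```

Because connectionResolver runs in the browser, the routing only chooses which connection receives the credentials; the custom DB login script on the Auth0 side still has to reach the LDAP server and perform the bind.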

Thank you, I really appreciate the answers!
Need to spend some time with this and check how this works with our setup. I am not sure if our LDAP directory is reachable from the outside, so that might be an issue. But let’s see.

It would be great if the login/lock app would be a bit more clever when it comes to this connection, however. There is an official AD/LDAP connector application after all, so I’m surprised that the login/lock app logic is so limited.