Well, I guess I’ve found a solution. The side effect of this approach is that we force AD authentication not only for admins but for all users. But in my case this is actually an additional benefit.
- We have a local admin in the database.
- Create an AD/LDAP service. Let it have the name “myldap”.
- We create another admin with a username like <admin_name>+<service_name>@<ldap_DC>. With my LDAP service’s Base DN param configured as “DC=demo,DC=local” and an LDAP user “test”, my admin gets the username “email@example.com”. If you want, you can change the actual email manually in the DB.
- Here we need some PHP coding. We restrict logins without a “service” request parameter by attaching an event handler for the DreamFactory\Core\Events\ResourcePreProcess event. We can do that in app/Providers/EventServiceProvider.php. The event handler will check whether the request matches /user/session/ and contains a “service” parameter. If it does not contain the latter, it will throw an exception.
- Log out from DF. Then log back in as the admin we just created, selecting the appropriate LDAP service.
- Remove the local admin.
Looks like this works fine. Does anyone have any concerns about this approach? @benbusse, maybe %)?
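Sketch of the listener the post describes in app/Providers/EventServiceProvider.php, as an added example (it is not the poster’s code and not DreamFactory’s own). It assumes the event exposes the service name as `$event->service`, the resource path as `$event->resourcePath` and the incoming request as `$event->request` with `getMethod()` and `getParameter()`; those property names, the `BadRequestException` class and the `myldap` allowlist are assumptions to check against the installed DreamFactory version. It goes slightly beyond the post in two ways: it only guards the POST (login) call, so session lookup and logout are unaffected, and it requires the named service to be one of the configured AD/LDAP services rather than merely being present.

```php
<?php

namespace App\Providers;

use DreamFactory\Core\Events\ResourcePreProcess;
use DreamFactory\Core\Exceptions\BadRequestException;
use Illuminate\Foundation\Support\Providers\EventServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Event;

class EventServiceProvider extends ServiceProvider
{
    /**
     * Names of the AD/LDAP services that are allowed to authenticate logins.
     * Assumption: adjust to the service(s) configured in your instance.
     */
    private $ldapServices = ['myldap'];

    /**
     * Register a pre-process listener that refuses logins which do not
     * route through an AD/LDAP service.
     */
    public function boot()
    {
        parent::boot();

        Event::listen(ResourcePreProcess::class, function (ResourcePreProcess $event) {
            // Assumption: $event->service, $event->resourcePath and
            // $event->request are the event's public properties.
            if ($event->service !== 'user') {
                return;
            }
            if (trim((string) $event->resourcePath, '/') !== 'session') {
                return;
            }

            // Only the login call (POST /user/session) carries credentials;
            // GET (session info) and DELETE (logout) are left alone.
            if (strtoupper($event->request->getMethod()) !== 'POST') {
                return;
            }

            $service = $event->request->getParameter('service');

            // No service parameter means a local-password login: reject it.
            if (empty($service)) {
                throw new BadRequestException(
                    'Login is only permitted through an AD/LDAP service; pass ?service=<name>.'
                );
            }

            // A service parameter that does not name one of our LDAP services
            // is rejected as well, so the restriction cannot be bypassed by
            // naming an arbitrary service.
            if (!in_array($service, $this->ldapServices, true)) {
                throw new BadRequestException(
                    'Login service "' . $service . '" is not an allowed AD/LDAP service.'
                );
            }
        });
    }
}
```

With this in place, `POST /api/v2/user/session` without `?service=myldap` fails before any local password is checked, while `POST /api/v2/user/session?service=myldap` proceeds to the LDAP bind as usual.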