Multiple AD Domains

im looking into Passbolt for distributing passwords in a big company. I would like to connect to the AD, but our users a spread over multiple domains. Is possible to connect an instance of Passbolt to multiple domains?

Subscription levels offer AD connection, but are you asking about that or how to make the site installation “appear” to be from the user’s native domain? If the second, something like a rewrite feature while listening to multiple domain requests might work on the web server config level.

I know that the AD feature is part of the subscription and I looked at it in the demo.
My problem is that we have multiple domains and the way I see the interface is that I can only connect to one domain. I don’t know much about AD (and passbolt at this point), but I need to sync to two diffrent domains at once.
Is this possible?
Ether directly in passbolt or through some AD trickery?

@AUser As far as I know it is possible to setup multiple domains using manual configuration in the LDAP config file. However this is to be used as a fallback mechanism when one domain is not available, e.g. you will have a default domain and some alternatives in case something goes wrong.

I would expect you would need to federate your active directory first so that there is a consistent source of truth. I don’t think it should be passbolt responsibility to define the behavior for example when a user/group/groupmembeship is in one AD and not the other.

We have divided the AD in different domains based on geographical regions, so unification won’t happen. A colleague brought up that all relevant people may have an user in yet another domain so I think my best bet would be looking into this solution.
Thanks for your help.

Is there a documentation on the manuel AD configuration?


 * Passbolt ~ Open source password manager for teams
 * Copyright (c) Passbolt SARL (
 * Licensed under GNU Affero General Public License version 3 of the or any later version.
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice.
 * @copyright     Copyright (c) Passbolt SARL (
 * @license AGPL License
 * @link Passbolt(tm)
 * @since         2.0.0

 * This is the default configuration file to synchronize passbolt with your ldap server.
 * To activate LDAP sync, copy / paste this file into ldap.php and
 * modify the configuration options to match your config.
 * For more information:
return [
    'passbolt' => [
        'plugins' => [
            'directorySync' => [
                // The admin user that will perform operations for the directory.
                'defaultUser' => '',

                // The default admin is the group manager that will be assigned to a newly created group.
                // If not specified, the first admin user found will be used.
                'defaultGroupAdminUser' => '',

                // Will list only users that are part of the given parent group (recursively).
                // 'usersParentGroup' => 'groupName',

                // Will list only groups that are part of the given parent group (recursively).
                // 'groupsParentGroup' => 'groupName',

                // Will return enabled users only. (only available in case of active directory).
                'enabledUsersOnly' => false,

                // Define whether the email should be built from a prefix / suffix (to activate only if the email is not provided by default by the directory).
                'useEmailPrefixSuffix' => false,

                // Email prefix. Enter the directory attribute that should be used as a prefix. (final email will be concat(prefix, suffix)
                //'emailPrefix' => 'fieldName',

                // Email suffix. It should be the domain name of your organization.
                //'emailSuffix' => '',

                // 'fieldsMapping' => [
                //      // Override the mapping here.
                //      // Needed mainly if using openldap.
                //      // Keep commented or empty if default rules work fine.
                // ],
                // Group Object Class. Only used if the server type is openldap.
                // 'groupObjectClass' => 'posixGroup',
                // User Object Class. Only used if the server type is openldap.
                // 'userObjectClass' => 'inetOrgPerson',
                // Group path is used in addition to base_dn while searching groups.
                // 'groupPath' => '',
                // User path is used in addition to base_dn while searching users.
                // 'userPath' => '',
                // Optional: disable one or more sync tasks
                // 'jobs' => [
                //    'users' => [
                //        'create' => true,
                //        'delete' => true,
                //     ],
                //    'groups' => [
                //        'create' => true,
                //        // update is used for adding users as group members.
                //        'update' => true,
                //        'delete' => true,
                //     ],
                'ldap' => [
                    //'general' => [
                    // Optional: When using the LdapManager and there are multiple domains configured,
                    // the following domain will be selected first by default for any operations.
                    //'default_domain' => '',

                    // Optional: The format that the schema is in. Default: yml
                    //'schema_format' => 'yml',

                    // Optional: The location to use when loading schema files.
                    //'schema_folder' => '/var/www/project/resources/schema',

                    // The cache type to use. Either 'stash', 'doctrine', or 'none'. Default: none
                    //'cache_type' => 'none',

                    // Optional: These are variable settings for the cache type in use.
                    //'cache_options' => [
                    // Type: stash, doctrine
                    // Optional: The location to cache generated schema data. Default: The systems temporary directory.
                    //'cache_folder' => '/tmp/projectCache',
                    // Type: stash
                    // Optional: Whether the cache should auto-refresh based on mod times.
                    // This is enabled by default with stash. However, the doctrine type does not support it.
                    //'cache_auto_refresh' => false,
                    'domains' => [
                        // At least one domain is required.
                        'example' => [
                            // Required: The full domain name.
                            'domain_name' => '',

                            // Required: The user to use for binding to LDAP and subsequent operations for the connection.
                            'username' => 'user',

                            // Required: The password for the user binding to LDAP.
                            'password' => '12345',

                            // Recommended: The base DN (default naming context) for the domain.
                            // If this is empty then it will be queried from the RootDSE.
                            'base_dn' => 'dc=example,dc=com',

                            // Recommended: One or more LDAP servers to connect to.
                            // If this is empty then it will query DNS for a list of LDAP servers for the domain.
                            'servers' => ['example1'],

                            // Optional: Whether or not to talk to LDAP over TLS. Default: false
                            // If this is set to false, certain operations will not work. Such as password changes.
                            'use_tls' => false,

                            // Optional: Whether or not to talk to LDAP over SSL. Default: false
                            //'use_ssl' => false,

                            // Optional: The port to communicate to the LDAP servers on. If not set, default is 389
                            // If this is not set and 'use_ssl' is specified, the the port will be set to 636.
                            'port' => 389,

                            // Optional: Whether or not paging should be used for query operations. Default: true
                            //'use_paging' => true,

                            // Optional: The page size to use for paging operations, such as searches. Default: 1000
                            //'page_size' => 1000,

                            // Optional: The LDAP type for this domain: ad, openldap. Default: ad
                            //'ldap_type' => 'openldap',

                            // Optional: Whether the connection should wait to bind until necessary (true) or bind
                            // immediately on construction (false). Default: false
                            //'lazy_bind' => false,

                            // Optional: When more than one server is listed for a domain, choose which one is
                            // selected for the connection. The possible choices are: order (tried in the order they
                            // appear), random. Default: order
                            //'server_selection' => 'order',

                            // Optional: The encoding type to use. Default: UTF-8
                            //'encoding' => 'UTF-8',

                            // Optional: The format that the username should be in when binding. This allows for
                            // two possible placeholders: %username% and %domainname%. The domain name parameter
                            // is the FQDN. Default: For AD the default is "%username%@%domainname%", for OpenLDAP it
                            // is simply "%username%". But you could easily make it something
                            // like "CN=%username%,OU=Users,DC=example,DC=local".
                            //'bind_format' => '%username%',

                            // Optional: The LDAP_OPT_* constants to use when connecting to LDAP.
                            // Default: Sets the protocol version to 3 and disables referrals.
                            //'ldap_options' => [
                            //    'ldap_opt_protocol_version' => 3,
                            //    'ldap_opt_referrals' => 0,

                            // Optional: The elapsed time a connection can be idle before it is closed and reconnected.
                            // Default: 600. To disable this altogether set it to 0.
                            //'idle_reconnect' => 600,

                            // Optional: The elapsed time (in seconds) to attempt the initial connection to the LDAP server.
                            // If it cannot establish a connection within this time it will consider the server
                            // unreachable/down. Default: 1
                            //'connect_timeout' => 5,