I got a requirement that PI should authenticate AD users without typing a realm when logging in to the client VPN. It works fine when I put the corresponding LDAP resolver into a realm (mycompany) that lists all users of the company and make it the default.
Now I got another requirement that different regional IT departments should only be able to roll out tokens for users they are responsible for (a part of the realm mycompany).
e.g. admin realm @it-frankfurt → access to AD group “frankfurt users” as a sub-part of the default LDAP group “mycompany” only.
I played around with an admin policy where I put the it-frankfurt realm as an admin realm (added “it-frankfurt” to SUPERUSER_REALM) and tried to limit the users by a new resolver which lists the USA users only. It didn’t work, obviously.
Is there a way to do this?
Thanks in advance.