This is fine for now but the issue is that in the future other groups from the Root forest will need to be able to connect to our elastic instance. Is it possible to provide mutiple base_dn values? for example:
Can you explain (in more detail) what issues you were running into without your previous setup?
We _could_ implement multiple base DNs, but it would be very inefficient as we would need to search each base independently, and in the end it would be not much different than simply configuring multiple realms.
If you're going to have multiple `DC=Child*` that you need to search, then the best solution will be to get it working with the `DC=Root` DN, and work through whatever problems you ran into.
working with the `DC=Root` for some reason will not authenticate any of the children DCs. The error I recieve is that the user is not found in the ldap cache. I read by default sub_tree searches are performed. So I assumed that it should be fine. On another application I setup ldap using user filters and group filters. Though these filters I applied using: `(&(bjectClass=group(|(distingiushedName=CN=GROUPNAME1,OU=Universal Groups, OU=Accounts, DC=Root,DC=COMPANY,DC=COM)(distingiushedName=CN=GROUPNAME2,OU=Universal Groups, OU=Accounts, DC=Root,DC=COMPANY,DC=COM)` When I provided the same thing user_search.filters I would get complaints at authentication that ldap would find multiple results.
Another thing is with this other application I was able to set a paging limit, this helped with searching. I don't know if elastic offers the same configuration.
If you can provide specifics (by which I mean copy-and-paste your configuration and the exact error messages) then I'm happy to help work through it and get this working, but the description you've provided isn't clear enough to be able to give you any concrete advice.
A subtree search is exactly what you want.
If you have duplicate users in the tree, then that will be a problem, as we need to know which user to authenticate. We might be able to resolve that with a filter, but I would need to see the exact details.