Jenkins issue JENKINS-16988

Active Directory plugin doesn't work with DMZ read-only DC, where DNS is not available


We are moving our build servers to AWS. We want to auth against our main corporate Active Directory, but our IT department will not allow direct connection to our internal DCs. They have created a new read-only DC and placed it in our DMZ for such external auth use. We are currently using this for outsourced Jira and Jive successfully. Our internal domain uses the convention "company.local", meaning it's not compatible with external DNS. Our AWS servers define any local names in the AWS VPC via /etc/hosts, and use AWS-provided DNS servers for any external names. While we can define the DMZ DC in /etc/hosts, such as dmzdc.company.local, so that it resolves, it appears the Active Directory plugin has no method of turning off its attempts to use DNS to obtain the domain controller. When we enter the domain company.local, despite the fact we try to override the server with dmzdc.company.com, we still get errors because it's not taking that as a hint that DNS isn't valid, and it's still attempting to look up a name that isn't resolvable in our cloud-deployment situation.

There's also likely an issue here related to referrals, which we experienced when attempting to integrate with outsourced Jira/Jive. Because we're part of an AD forest, any attempt to hit the DMZ DC returns referrals, which are based on internal *.company.local names which are not in external DNS we have access to. While we can override such names in /etc/hosts, they are for servers which are not reachable, as they are internal and protected by firewalls. Jira has an option to turn off referrals, which allows it to work. It would be nice if the Active Directory plugin could also add this flag.

      We managed to convince IT to add a read-only global catalog server exposed via SSL to this DMZ DC, as we read this does not generate referrals. We have confirmed via the ldapsearch tool that this is true, but that still did not allow the active directory plugin to work. We also tried extensively to get this to work with the LDAP plugin, but that doesn't work either.
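As an added example (not code from the reporter or from the Active Directory plugin), this is what the requested behaviour looks like as a plain JNDI bind: connect only to the explicitly configured DC, never derive it from DNS SRV records, and ignore referrals. The host name, the global-catalog-over-SSL port 3269, the base DN and the user principal are assumptions; the JVM must trust the DC's certificate.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class DmzDcBind {
    // Assumed values: the DMZ DC name resolves via /etc/hosts, 3269 is the
    // global-catalog-over-SSL port, and the base DN is a placeholder.
    static final String PROVIDER_URL = "ldaps://dmzdc.company.local:3269";
    static final String BASE_DN = "DC=company,DC=local";

    public static LdapContext bind(String userPrincipal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Explicit host only: no _ldap._tcp SRV lookup of the domain name.
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userPrincipal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Do not chase referrals to internal *.company.local DCs that the
        // DMZ host cannot reach anyway.
        env.put(Context.REFERRAL, "ignore");
        return new InitialLdapContext(env, null);
    }

    public static String findUserDn(LdapContext ctx, String sAMAccountName) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"distinguishedName"});
        // {0} is escaped by JNDI, so the account name cannot alter the filter.
        String filter = "(&(objectClass=user)(sAMAccountName={0}))";
        NamingEnumeration<SearchResult> results =
                ctx.search(BASE_DN, filter, new Object[] {sAMAccountName}, sc);
        try {
            if (results.hasMore()) {
                return results.next().getNameInNamespace();
            }
        } catch (PartialResultException e) {
            // With referral=ignore a forest-wide search ends with this exception
            // when the skipped referrals are reached; entries already returned are valid.
        }
        return null;
    }
}
```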

            kohsuke Kohsuke Kawaguchi
            mjcconsulting Michael Crawford