Hi William. On Thu, 14 Apr 2022 00:51:09 +0000 William Brown <william.brown@xxxxxxxx> wrote: > > > On 13 Apr 2022, at 20:31, Alex <al-389users@xxxxxxx> wrote: > > > > Hi William. > > > > Thank you for your Answer. > > > > On Tue, 12 Apr 2022 23:38:54 +0000 > > William Brown <william.brown@xxxxxxxx> wrote: > >> > >> > >>> On 13 Apr 2022, at 04:41, Alex <al-389users@xxxxxxx> wrote: > >>> > >>> Dear List-Members. > >>> > >>> Please can you help me to find the right plugin, if there is any, in 386ds > >>> which can be used similar to the slapd-meta and slapo-rwm? > >>> > >>> https://www.openldap.org/software/man.cgi?query=slapd-meta&sektion=5&manpath=OpenLDAP+2.6-Release&format=html > >>> https://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&apropos=0&manpath=OpenLDAP+2.6-Release > >> > >> We don't have anything like slapd-meta, but we do have cos which could > >> suffice for rwm. Have a look at: > >> > >> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11 > > > > With "cos" you mean "Class of Service" right, > > https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/configuration_command_and_file_reference/index#Class_of_Service_Plug_in > > > > and the corresponding howto. > > https://www.port389.org/docs/389ds/howto/howto-classofservice.html > > > > Btw. the link on the howto should point to this page, IMHO. > > https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/administration_guide/index#Advanced_Entry_Management-Assigning_Class_of_Service > > > > > >>> What I try to achieve is to create a meta directory in front on MS Active > >>> Directory for different AD Groups and propagate this group via 386ds. > >> > >> You could use ad-sync to consume data into 389-ds, and then cos to template > >> out extra groups and data on-top? > > > > Well I don't want to store any data on DS I just want to use it as poxy and > > cache in front of AD. > > > > Can't do that sorry. Beside all the security and access control risks, we > don't have a way to "proxy" this. You have to be able to sync that data so we > can do the transforms. Thank you for clarification. > >> I think a more detailed worked example could help us to know if the advice > >> we are giving is correct :) > > > > I'm in the concept phase an try to find the right product for the customer > > which want to use a SSO solution. > > keycloak is one of the options and therefor I just wanted to know if the > > 389ds could be used somehow as proxy and mapping thing in front of keycloak. > > > > As far as I understood the architecture of 389ds it looks to me that this > > feature isn't there, right? > > I dont think these layers do what you want? > > What do you mean by SSO here? What protocols do you need to support? > > I think you'd have: > > Oauth2 -> Keycloak -> 389ds -> AD This is the plan which I will try to create. For now I will need to change the chain to the below one. Oauth2 -> Keycloak -> slapd-meta and slapo-rwm -> AD > OR > > Oauth2 -> Keycloak -> AD > > > > > >>> I have seen this plugins but I don't know the wording in 386ds therefore I > >>> hope anybody can help me to find the right wording and plugins in 386ds if > >>> this is possible. > >>> > >>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/configuration_command_and_file_reference/index#Plug_in_Implemented_Server_Functionality_Reference > >>> > >>> Thank you for any help. > >>> > >>> Regards > >>> Alex > >>> _______________________________________________ > > > >> -- > >> Sincerely, > >> > >> William Brown > >> > >> Senior Software Engineer, > >> Identity and Access Management > >> SUSE Labs, Australia > >> _______________________________________________ > > _______________________________________________ > > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List > > Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List > > Archives: > > https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx > > Do not reply to spam on the list, report it: > > https://pagure.io/fedora-infrastructure > > -- > Sincerely, > > William Brown > > Senior Software Engineer, > Identity and Access Management > SUSE Labs, Australia > ___________________________________ Regards Alex _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
