>> I don't think these layers do what you want?
>>
>> What do you mean by SSO here? What protocols do you need to support?
>>
>> I think you'd have:
>>
>> Oauth2 -> Keycloak -> 389ds -> AD
>
> This is the plan which I will try to create.
> For now I will need to change the chain to the below one.
>
> Oauth2 -> Keycloak -> slapd-meta and slapo-rwm -> AD

Even with this setup, I'm not sure what kind of extra data you plan to add or enrich here. As mentioned, it may be considered a security / disclosure risk since openldap ACIs are not the same as AD, so your meta dir may leak info.

>
>> OR
>>
>> Oauth2 -> Keycloak -> AD

This is the more robust solution IMO.

--
Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx