Re: 389ds External LDAP Authentication

On Wed, May 4, 2022 at 2:05 PM parimala nitesh <parimalanitesh@xxxxxxxxx> wrote:
Hi Pierre,

Thank you, Pierre, for the response.
My queries are inline.

[1]If you can set up replication between the two LDAP server instances
then the data will be available on both instances.

What if the users are getting added on the external LDAP? Then I have to replicate it again?

No. Replication keeps the data in sync.
That said, I am not sure whether we can replicate from OpenLDAP towards 389DS.
 

[2] If the server2 suffix is different from the server1 suffix, then you could use
chaining.
(so that requests to Server1 get forwarded to Server2)

Can I get any documentation link for this chaining? (If user1 belongs to ldapserver and ext_user is a user for external_ldap, what happens if user1 is requesting? Will it go to external_ldap to get authenticated?)
Here is some chaining documentation: https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_directory_databases-creating_and_maintaining_database_links
To answer your question:
    For chaining to work properly you must organize your DIT in such a way that entries belong to different backends. So the DIT will look like:
        uid=user1,ou=users,ou=local data,dc=domain,dc=com 
        uid=ext1_user1,ou=users,ou=openldap data,dc=domain,dc=com 
        uid=ext2_user1,ou=users,ou=AD data,dc=domain,dc=com 

So a bind on uid=user1,ou=users,ou=local data,dc=domain,dc=com will be handled locally
a bind on uid=ext1_user1,ou=users,ou=openldap data,dc=domain,dc=com will be sent toward OpenLDAP
a bind on uid=ext2_user1,ou=users,ou=AD data,dc=domain,dc=com will be sent to AD

But a subtree search on dc=domain,dc=com will be sent to the 3 LDAP servers



[3] using the Pass Through Authentication plugin (In that case only the
bind requests will be forwarded. But that may not be enough depending on how
exactly the application is checking the LDAP authentication)

I see that the OpenLDAP proxy option isn't there in 389ds. Is there any other pass-through authentication plugin? If you can, could you please share a link by which I can implement this option.

I will let the OpenLDAP expert answer this one! -;)

Regards,
  Pierre


Thank you
Parimala Nitesh
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure


-- 
389 Directory Server Development Team
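The routing Pierre describes above (a bind handled by the one backend that holds the entry, a broad subtree search fanned out to all of them), as an added illustrative model that is not 389ds code: the suffix-to-backend table, the simplified DN normalization and the scope rules are assumptions chosen to match the DIT layout in the thread.

```python
# Added illustrative model (not 389ds code) of how a server with chained
# backends chooses the backend(s) for an operation, using the DIT layout
# proposed in the thread. Suffix and backend names are assumptions.
SCOPE_BASE, SCOPE_ONE, SCOPE_SUB = "base", "one", "sub"

# Root suffix held locally; the chained suffixes are children of it.
BACKENDS = {
    "dc=domain,dc=com": "local",
    "ou=local data,dc=domain,dc=com": "local",
    "ou=openldap data,dc=domain,dc=com": "openldap (chained)",
    "ou=ad data,dc=domain,dc=com": "AD (chained)",
}

def normalize_dn(dn):
    """Lower-case and trim each RDN so 'ou=AD data' matches 'ou=ad data '
    (simplified: escaped commas inside values are not handled)."""
    rdns = [rdn.split("=", 1) for rdn in dn.lower().split(",")]
    return ",".join(f"{a.strip()}={v.strip()}" for a, v in rdns)

def is_under(dn, suffix):
    """True when dn is the suffix itself or an entry below it."""
    return dn == suffix or dn.endswith("," + suffix)

def backend_for_dn(dn):
    """Owner of an entry: the longest configured suffix containing the DN."""
    dn = normalize_dn(dn)
    matches = [s for s in BACKENDS if is_under(dn, s)]
    if not matches:
        raise LookupError(f"no backend holds {dn}")
    return BACKENDS[max(matches, key=len)]

def route_bind(dn):
    """A simple bind is checked by exactly one backend, the one holding the
    entry: the suffix of the bind DN decides which server verifies the password."""
    return backend_for_dn(dn)

def route_search(base, scope):
    """Searches can fan out: a subtree or one-level search based above the
    chained suffixes is forwarded to every backend rooted under that base."""
    base = normalize_dn(base)
    targets = {backend_for_dn(base)}
    for suffix, name in BACKENDS.items():
        if scope == SCOPE_BASE or suffix == base or not is_under(suffix, base):
            continue
        # one-level only reaches suffixes that are direct children of the base
        if scope == SCOPE_SUB or suffix.partition(",")[2] == base:
            targets.add(name)
    return sorted(targets)
```

The model makes the practical consequence visible: an application that authenticates by searching the whole dc=domain,dc=com tree for the user before binding will touch every chained server, even when the bind itself goes to only one.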
