> On 5 May 2022, at 13:14, parimala nitesh <parimalanitesh@xxxxxxxxx> wrote: > > Apologies for creating confusion. > > My Problem statement: > I've a Server1 on which I've installed 389ds lets call it out as internal_ldap. I've installed Openstack on the same server and I'm integrating this internal_ldap as my ldap backend to Openstack Keystone(https://docs.openstack.org/keystone/pike/admin/identity-integrate-with-ldap.html) by which all the users of the ldap can use the Openstack. > I've an external_ldap(can be 389ds or openldap or any AD) on Server2. Now i've to integrate this external ldap also to my Openstack Keystone. > > As my internal_ldap is already integrated with Openstack Keystone, if i can integrate both internal_ldap and external_ldap, then i thought users of external_ldap also also use Openstack. > > So by integrating internal_ldap and external_ldap i think i can solve my problem Right, that helps a lot. Okay, so there are a few ways you could do this. 389-ds doesn't have a "proxy" mode as you would know from openldap. It has pam-passthru authentication which allows you to create "stub" entries on 389-ds, then pass-back to the external ldap to do the validation of the credentials. Another option is if your external is AD, you could do an ad-sync to pull the users/accounts from AD into 389, and then pam pass through to get to the external backend for auth. We do have chaining db, but i don't know if this is really what you want in this case, but it could be worth a look. Finally, you could write something to manually do the sync. Does that give you some ideas of things to look into? > > Regards > Nitesh > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure -- Sincerely, William Brown Senior Software Engineer, Identity and Access Management SUSE Labs, Australia _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
