Hi Pierre Rogier,

I've tried to follow this document for pass-through authentication:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_directory_databases-creating_and_maintaining_database_links

For that I've created two 389ds LDAP servers.

I've created ldap1 with ldap1.inf:

    # ldap1.inf
    [general]
    config_version = 2

    [slapd]
    self_sign_cert = False
    instance_name = ldap1
    port = 1389
    # root_dn (str)
    # Description: Sets the Distinquished Name (DN) of the administrator account for this instance.
    # Default value: cn=Directory Manager
    root_dn = cn=ldap2
    # root_password (str)
    # Description: Sets the password of the account specified in the "root_dn" parameter. You can either set this parameter
    # to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility.
    # Note that setting a plain text password can be a security risk if unprivileged users can read this INF file!
    # Default value: Directory_Manager_Password
    root_password = #CEEadmin123

    [backend-userroot]
    sample_entries = yes
    suffix = dc=openstack,dc=org

Ldap2 with the below file, ldap2.inf:

    # ldap2.inf
    [general]
    config_version = 2

    [slapd]
    self_sign_cert = False
    instance_name = ldap2
    port = 2389
    # root_dn (str)
    # Description: Sets the Distinquished Name (DN) of the administrator account for this instance.
    # Default value: cn=Directory Manager
    root_dn = cn=ldap2
    # root_password (str)
    # Description: Sets the password of the account specified in the "root_dn" parameter. You can either set this parameter
    # to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility.
    # Note that setting a plain text password can be a security risk if unprivileged users can read this INF file!
    # Default value: Directory_Manager_Password
    root_password = #CEEadmin123

    [backend-userroot]
    sample_entries = yes
    suffix = dc=openstack,dc=org

Created an "ou=users" for ldap1 and added users under that "ou=users":

    ceeinfra@infra3:~/389ds/ldap2> sudo dsidm -b "dc=openstack,dc=org" slapd-ldap1 account list
    dc=openstack,dc=org
    ou=groups,dc=openstack,dc=org
    ou=people,dc=openstack,dc=org
    ou=permissions,dc=openstack,dc=org
    ou=services,dc=openstack,dc=org
    uid=demo_user,ou=people,dc=openstack,dc=org
    cn=demo_group,ou=groups,dc=openstack,dc=org
    ou=users,dc=openstack,dc=org
    uid=ldap1_user1,ou=users,dc=openstack,dc=org
    uid=ldap1_user2,ou=users,dc=openstack,dc=org
    uid=ldap1_user3,ou=users,dc=openstack,dc=org

Created an "ou=people" for ldap2 and added users under that "ou=people":

    ceeinfra@infra3:~/389ds/ldap2> sudo dsidm -b "dc=openstack,dc=org" slapd-ldap2 account list
    dc=openstack,dc=org
    ou=groups,dc=openstack,dc=org
    ou=people,dc=openstack,dc=org
    ou=permissions,dc=openstack,dc=org
    ou=services,dc=openstack,dc=org
    uid=demo_user,ou=people,dc=openstack,dc=org
    cn=demo_group,ou=groups,dc=openstack,dc=org
    uid=ldap2_user1,ou=people,dc=openstack,dc=org
    uid=ldap2_user2,ou=people,dc=openstack,dc=org
    uid=ldap2_user3,ou=people,dc=openstack,dc=org

Now I've followed the steps from this link:

    sudo dsconf -D "cn=ldap1" ldap://localhost:1389 chaining link-create --suffix="ou=users,dc=example,dc=com" --server-url="ldap://localhost:2389" --bind-mech="Simple" --bind-dn="uid=ldap2_user3,ou=people,dc=openstack,dc=org" --bind-pw="ldap2_user3" "example_chain_name"

After that it stated that I've to give proxy admin permission to userroot. In this case I think I've to give permission for "uid=ldap2_user3,ou=people,dc=openstack,dc=org".

I tried that with the below file and command:

    #aci.ldif
    dn: ou=people,dc=openstack,dc=org
    changetype: modify
    add: aci
    aci: (targetattr = "*")(version 2; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org";)

and the below command:

    ceeinfra@infra2:~/389ds/ldap2> sudo ldapmodify -x -h infra2 -p 2389 -D "cn=ldap2" -w "#CEEadmin123" -f aci.ldif -v
    ldap_initialize( ldap://infra2:2389 )
    add aci:
            (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org";)
    modifying entry "ou=people,dc=openstack,dc=org"
    ldap_modify: Invalid syntax (21)
            additional info: ACL Syntax Error(-5):(targetattr = \22\2a\22)(version 3.0; acl \22Proxied authorization for database links\22; allow (proxy) userdn = \22ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org\22;)

I might have messed up somewhere. I'm stuck and I'm not able to proceed with chaining. Can you please help me?

I've the below queries also; can you please answer them:

1) Can you tell me, if I've two LDAPs whose suffixes are not the same, i.e. for ldap1 the suffix is dc=openstack,dc=com and for ldap2 the suffix is dc=nitesh,com=org, can I do pass-through authentication or chaining between those two LDAPs?

2) Can you tell me how to check the bind of the users with the LDAP server also?

Regards
Nitesh
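Added example, not part of the original message and not 389 Directory Server code: a pre-flight check of the two ACI values shown above against the documented ACI form, which uses the version string `3.0` and writes bind-rule URLs as `ldap:///<DN>` with an empty host part. The names `lint_aci` and `strip_host` are hypothetical, and the check covers only these two points rather than reproducing the server's ACL parser.

```python
import re

# Constructed from the post: the ACI value in aci.ldif and the value echoed
# by "ldapmodify -v", which differ only in the version string.
ACI_FROM_FILE = (
    '(targetattr = "*")(version 2; acl "Proxied authorization for database '
    'links"; allow (proxy) userdn = "ldap://localhost:2389/'
    'uid=ldap2_user3,ou=people,dc=openstack,dc=org";)'
)
ACI_FROM_OUTPUT = ACI_FROM_FILE.replace("(version 2;", "(version 3.0;")

BIND_RULE = re.compile(r'\b(userdn|groupdn|roledn)\s*!?=\s*"([^"]*)"')


def lint_aci(aci):
    """Check an ACI string against two documented syntax requirements.

    Hypothetical helper: a pre-flight check, not the server's ACL parser.
    """
    findings = []
    version = re.search(r'\(\s*version\s+([^;]+?)\s*;', aci)
    if version is None:
        findings.append("no version clause; documented form is 'version 3.0;'")
    elif version.group(1) != "3.0":
        findings.append("version %r; documented form is 'version 3.0;'"
                        % version.group(1))
    for keyword, value in BIND_RULE.findall(aci):
        # A bind rule may list several URLs separated by "||".
        for url in (u.strip() for u in value.split("||")):
            if url.startswith("ldap:///"):
                continue  # documented form: empty host part, then the DN
            host = re.match(r'ldap://([^/]+)/', url)
            if host:
                findings.append("%s URL names host %r; documented form is "
                                "ldap:///<DN>" % (keyword, host.group(1)))
            else:
                findings.append("%s value %r is not an ldap:/// URL"
                                % (keyword, url))
    return findings


def strip_host(aci):
    """Rewrite ldap://host:port/DN bind-rule URLs to ldap:///DN."""
    return re.sub(r'ldap://[^/"]+/', 'ldap:///', aci)


if __name__ == "__main__":
    for label, aci in (("aci.ldif", ACI_FROM_FILE), ("echoed", ACI_FROM_OUTPUT)):
        print(label, lint_aci(aci) or "ok")
    print(strip_host(ACI_FROM_OUTPUT))
```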