Sorry for the delay, I've been unwell.

> On 13 May 2022, at 20:05, parimala nitesh <parimalanitesh@xxxxxxxxx> wrote:
>
> Hi Pierre Rogier,
>
> I've tried to follow this document for pass-through authentication:
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_directory_databases-creating_and_maintaining_database_links
>
> For that I've created two 389ds LDAP servers.
>
> I've created ldap1 with ldap1.inf:
>
> # ldap1.inf
>
> [general]
> config_version = 2
>
> [slapd]
> self_sign_cert = False
> instance_name = ldap1
> port = 1389
> # root_dn (str)
> # Description: Sets the Distinguished Name (DN) of the administrator account for this instance.
> # Default value: cn=Directory Manager
> root_dn = cn=ldap2
>
> # root_password (str)
> # Description: Sets the password of the account specified in the "root_dn" parameter. You can either set this parameter
> # to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility.
> # Note that setting a plain text password can be a security risk if unprivileged users can read this INF file!
> # Default value: Directory_Manager_Password
> root_password = #CEEadmin123

You probably shouldn't plaintext your dev password here ...

>
> [backend-userroot]
> sample_entries = yes
> suffix = dc=openstack,dc=org
>
> ldap2 with the below file ldap2.inf:
>
> # ldap2.inf
>
> [general]
> config_version = 2
>
> [slapd]
> self_sign_cert = False
> instance_name = ldap2
> port = 2389
> # root_dn (str)
> # Description: Sets the Distinguished Name (DN) of the administrator account for this instance.
> # Default value: cn=Directory Manager
> root_dn = cn=ldap2
>
> # root_password (str)
> # Description: Sets the password of the account specified in the "root_dn" parameter. You can either set this parameter
> # to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility.
> # Note that setting a plain text password can be a security risk if unprivileged users can read this INF file!
> # Default value: Directory_Manager_Password
> root_password = #CEEadmin123
>
>
> [backend-userroot]
> sample_entries = yes
> suffix = dc=openstack,dc=org
>
>
> Created an "ou=users" for ldap1 and added users under that "ou=users":
>
> ceeinfra@infra3:~/389ds/ldap2> sudo dsidm -b "dc=openstack,dc=org" slapd-ldap1 account list
> dc=openstack,dc=org
> ou=groups,dc=openstack,dc=org
> ou=people,dc=openstack,dc=org
> ou=permissions,dc=openstack,dc=org
> ou=services,dc=openstack,dc=org
> uid=demo_user,ou=people,dc=openstack,dc=org
> cn=demo_group,ou=groups,dc=openstack,dc=org
> ou=users,dc=openstack,dc=org
> uid=ldap1_user1,ou=users,dc=openstack,dc=org
> uid=ldap1_user2,ou=users,dc=openstack,dc=org
> uid=ldap1_user3,ou=users,dc=openstack,dc=org
>
> Created an "ou=people" for ldap2 and added users under that "ou=people":
>
> ceeinfra@infra3:~/389ds/ldap2> sudo dsidm -b "dc=openstack,dc=org" slapd-ldap2 account list
> dc=openstack,dc=org
> ou=groups,dc=openstack,dc=org
> ou=people,dc=openstack,dc=org
> ou=permissions,dc=openstack,dc=org
> ou=services,dc=openstack,dc=org
> uid=demo_user,ou=people,dc=openstack,dc=org
> cn=demo_group,ou=groups,dc=openstack,dc=org
> uid=ldap2_user1,ou=people,dc=openstack,dc=org
> uid=ldap2_user2,ou=people,dc=openstack,dc=org
> uid=ldap2_user3,ou=people,dc=openstack,dc=org
>
> Now I've followed the steps from this link:
>
> sudo dsconf -D "cn=ldap1" ldap://localhost:1389 chaining link-create --suffix="ou=users,dc=example,dc=com" --server-url="ldap://localhost:2389" --bind-mech="Simple" --bind-dn="uid=ldap2_user3,ou=people,dc=openstack,dc=org" --bind-pw="ldap2_user3" "example_chain_name"
>
>
> After that it stated that I've to give proxy admin permission to userroot; in this case I think I've given permission for "uid=ldap2_user3,ou=people,dc=openstack,dc=org".
>
>
> I tried that with the below file and command:
>
> #aci.ldif
> dn: ou=people,dc=openstack,dc=org
> changetype: modify
> add: aci
> aci: (targetattr = "*")(version 2; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org";)
>
>
> and the below command:
>
> ceeinfra@infra2:~/389ds/ldap2> sudo ldapmodify -x -h infra2 -p 2389 -D "cn=ldap2" -w "#CEEadmin123" -f aci.ldif -v
> ldap_initialize( ldap://infra2:2389 )
> add aci:
> (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org";)
> modifying entry "ou=people,dc=openstack,dc=org"
> ldap_modify: Invalid syntax (21)
> additional info: ACL Syntax Error(-5):(targetattr = \22\2a\22)(version 3.0; acl \22Proxied authorization for database links\22; allow (proxy) userdn = \22ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org\22;)
>
>
> I might have messed up somewhere. I'm stuck and I'm not able to proceed with chaining. Can you please help me?
>
> I've the below queries also; can you please answer them?
>
> 1) Can you tell me if I've two LDAPs whose suffixes are not the same, i.e.
> for ldap1 the suffix is dc=openstack,dc=com
> for ldap2 the suffix is dc=nitesh,com=org

Pretty sure that it works yes. That's the whole reason for chaining.

>
> Can I do pass-through authentication or chaining between those two LDAPs?
>
> 2) Can you tell me how to check the bind of the users with the LDAP server also?

I think it doesn't work the way you think. Chaining creates a backend database and "routes" through the mapping tree for queries to that. So I think in your config you've potentially confused it.

The mapping tree lets you assemble a variety of databases into a consistent tree. So when you added:

chaining link-create --suffix="ou=users,dc=example,dc=com"

Your mapping tree will probably contain something like:

dc=openstack,dc=org -> route-to local DB userRoot
ou=users,dc=example,dc=com -> route-to chain DB

If you look at the rootDSE with:

ldapsearch -x -b '' -s base \* \+

You'll see that there is another suffix, probably the ou=users,dc=example,dc=com one. So if you were to search under ou=users,dc=example,dc=com on ldap1 that should chain to ldap2.

Does that help?

>
> Regards
> Nitesh
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
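As an added illustration, not from either poster and not 389 DS's own ACI parser, here is a small lint for the two syntax problems visible in the pasted aci.ldif: the `version 2` clause (389 DS ACIs are `version 3.0`) and the `ldap://localhost:2389/...` userdn, where the ACI bind-rule syntax expects an `ldap:///DN` URL with no host or port, as in the proxy ACI in the Red Hat document Nitesh linked. The regexes, function names and the copied ACI constant are assumptions of this example.

```python
import re

# Constructed copy of the ACI value posted in the thread (from the quoted aci.ldif).
POSTED_ACI = (
    '(targetattr = "*")(version 2; acl "Proxied authorization for database links"; '
    'allow (proxy) userdn = "ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org";)'
)

# 389 DS ACI body: "(version 3.0; acl "name"; allow/deny (rights) <bind rules>;)".
VERSION_RE = re.compile(r"\(version\s+([^;]+);")
# Bind rules whose value is an LDAP URL: the server expects ldap:///DN, no host:port.
BIND_RULE_RE = re.compile(r'(userdn|groupdn|roledn)\s*=\s*"([^"]*)"', re.IGNORECASE)


def lint_aci(aci):
    """Return a list of human-readable problems; an empty list means both checks pass."""
    problems = []
    m = VERSION_RE.search(aci)
    if m is None:
        problems.append("missing (version 3.0; ...) clause")
    elif m.group(1).strip() != "3.0":
        problems.append("ACI version must be 3.0, found %r" % m.group(1).strip())
    for keyword, url in BIND_RULE_RE.findall(aci):
        if not url.lower().startswith("ldap:///"):
            problems.append("%s must be an ldap:///DN URL without host/port: %r" % (keyword, url))
    return problems


def normalize_aci(aci):
    """Rewrite the version clause to 3.0 and strip any host:port from bind-rule URLs."""
    aci = VERSION_RE.sub("(version 3.0;", aci)

    def strip_host(m):
        # "ldap://host:port/DN" -> "ldap:///DN"; an already-correct "ldap:///DN" is unchanged.
        url = re.sub(r"^ldap://[^/]*/", "ldap:///", m.group(2), flags=re.IGNORECASE)
        return '%s = "%s"' % (m.group(1), url)

    return BIND_RULE_RE.sub(strip_host, aci)


if __name__ == "__main__":
    for problem in lint_aci(POSTED_ACI):
        print("problem:", problem)
    print("corrected:", normalize_aci(POSTED_ACI))
```

Run against the posted value it reports both problems; the normalized form passes the lint and is the shape ldapmodify will accept, assuming the rest of the ACI is as pasted.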