Hi William.
On Thu, 14 Apr 2022 00:51:09 +0000
William Brown <william.brown@suse.com> wrote:
>
> > On 13 Apr 2022, at 20:31, Alex <al-389users@none.at> wrote:
> >
> > Hi William.
> >
> > Thank you for your Answer.
> >
> > On Tue, 12 Apr 2022 23:38:54 +0000
> > William Brown <william.brown@suse.com> wrote:
> >>
> >>
> >>> On 13 Apr 2022, at 04:41, Alex <al-389users@none.at> wrote:
> >>>
> >>> Dear List-Members.
> >>>
> >>> Please can you help me to find the right plugin, if there is any, in 386ds
> >>> which can be used similar to the slapd-meta and slapo-rwm?
> >>>
> >>> https://www.openldap.org/software/man.cgi?query=slapd-meta&sektion=5&manpath=OpenLDAP+2.6-Release&format=html
> >>> https://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&apropos=0&manpath=OpenLDAP+2.6-Release
> >>
> >> We don't have anything like slapd-meta, but we do have cos which could
> >> suffice for rwm. Have a look at:
> >>
> >> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11
> >
> > With "cos" you mean "Class of Service" right,
> > https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/configuration_command_and_file_reference/index#Class_of_Service_Plug_in
> >
> > and the corresponding howto.
> > https://www.port389.org/docs/389ds/howto/howto-classofservice.html
> >
> > Btw. the link on the howto should point to this page, IMHO.
> > https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/administration_guide/index#Advanced_Entry_Management-Assigning_Class_of_Service
> >
> >
> >>> What I try to achieve is to create a meta directory in front on MS Active
> >>> Directory for different AD Groups and propagate this group via 386ds.
> >>
> >> You could use ad-sync to consume data into 389-ds, and then cos to template
> >> out extra groups and data on-top?
> >
> > Well I don't want to store any data on DS I just want to use it as poxy and
> > cache in front of AD.
> >
>
> Can't do that sorry. Beside all the security and access control risks, we
> don't have a way to "proxy" this. You have to be able to sync that data so we
> can do the transforms.
Thank you for clarification.
> >> I think a more detailed worked example could help us to know if the advice
> >> we are giving is correct :)
> >
> > I'm in the concept phase an try to find the right product for the customer
> > which want to use a SSO solution.
> > keycloak is one of the options and therefor I just wanted to know if the
> > 389ds could be used somehow as proxy and mapping thing in front of keycloak.
> >
> > As far as I understood the architecture of 389ds it looks to me that this
> > feature isn't there, right?
>
> I dont think these layers do what you want?
>
> What do you mean by SSO here? What protocols do you need to support?
>
> I think you'd have:
>
> Oauth2 -> Keycloak -> 389ds -> AD
This is the plan which I will try to create.
For now I will need to change the chain to the below one.
Oauth2 -> Keycloak -> slapd-meta and slapo-rwm -> AD
> OR
>
> Oauth2 -> Keycloak -> AD
>
>
> >
> >>> I have seen this plugins but I don't know the wording in 386ds therefore I
> >>> hope anybody can help me to find the right wording and plugins in 386ds if
> >>> this is possible.
> >>>
> >>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/configuration_command_and_file_reference/index#Plug_in_Implemented_Server_Functionality_Reference
> >>>
> >>> Thank you for any help.
> >>>
> >>> Regards
> >>> Alex
> >>> _______________________________________________
> >
> >> --
> >> Sincerely,
> >>
> >> William Brown
> >>
> >> Senior Software Engineer,
> >> Identity and Access Management
> >> SUSE Labs, Australia
> >> _______________________________________________
> > _______________________________________________
> > 389-users mailing list -- 389-users@lists.fedoraproject.org
> > To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List
> > Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List
> > Archives:
> > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> > Do not reply to spam on the list, report it:
> > https://pagure.io/fedora-infrastructure
>
> --
> Sincerely,
>
> William Brown
>
> Senior Software Engineer,
> Identity and Access Management
> SUSE Labs, Australia
> ___________________________________
Regards
Alex
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
No comments:
Post a Comment