Monday, April 18, 2022

[389-users] Re: Meta directory plugin in 389ds?

>>
>> I don't think these layers do what you want?
>>
>> What do you mean by SSO here? What protocols do you need to support?
>>
>> I think you'd have:
>>
>> Oauth2 -> Keycloak -> 389ds -> AD
>
> This is the plan which I will try to create.
> For now I will need to change the chain to the below one.
>
> Oauth2 -> Keycloak -> slapd-meta and slapo-rwm -> AD

Even with this setup, I'm not sure what kind of extra data you plan to add or enrich here. As mentioned, it may be considered a security / disclosure risk, since OpenLDAP ACIs are not the same as AD, so your meta dir may leak info.

>
>> OR
>>
>> Oauth2 -> Keycloak -> AD

This is the more robust solution IMO.

--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
