Monday, April 18, 2022

[389-users] Re: Meta directory plugin in 389ds?

>> I don't think these layers do what you want?
>> What do you mean by SSO here? What protocols do you need to support?
>> I think you'd have:
>> Oauth2 -> Keycloak -> 389ds -> AD
> This is the plan which I will try to create.
> For now I will need to change the chain to the below one.
> Oauth2 -> Keycloak -> slapd-meta and slapo-rwm -> AD

Even with this setup, I'm not sure what kind of extra data you plan to add or enrich here. As mentioned, it may be considered a security / disclosure risk since OpenLDAP ACIs are not the same as AD, so your meta dir may leak info.

>> OR
>> Oauth2 -> Keycloak -> AD

This is the more robust solution IMO.


William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia