> On 5 May 2022, at 13:14, parimala nitesh <firstname.lastname@example.org> wrote:
> Apologies for creating confusion.
> My Problem statement:
> I've a Server1 on which I've installed 389ds lets call it out as internal_ldap. I've installed Openstack on the same server and I'm integrating this internal_ldap as my ldap backend to Openstack Keystone(https://docs.openstack.org/keystone/pike/admin/identity-integrate-with-ldap.html) by which all the users of the ldap can use the Openstack.
> I've an external_ldap(can be 389ds or openldap or any AD) on Server2. Now i've to integrate this external ldap also to my Openstack Keystone.
> As my internal_ldap is already integrated with Openstack Keystone, if i can integrate both internal_ldap and external_ldap, then i thought users of external_ldap also also use Openstack.
> So by integrating internal_ldap and external_ldap i think i can solve my problem
Right, that helps a lot.
Okay, so there are a few ways you could do this.
389-ds doesn't have a "proxy" mode as you would know from openldap. It has pam-passthru authentication which allows you to create "stub" entries on 389-ds, then pass-back to the external ldap to do the validation of the credentials.
Another option is if your external is AD, you could do an ad-sync to pull the users/accounts from AD into 389, and then pam pass through to get to the external backend for auth.
We do have chaining db, but i don't know if this is really what you want in this case, but it could be worth a look.
Finally, you could write something to manually do the sync.
Does that give you some ideas of things to look into?
> 389-users mailing list -- email@example.com
> To unsubscribe send an email to firstname.lastname@example.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://email@example.com
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
389-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to email@example.com
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://firstname.lastname@example.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure