On Wed, May 4, 2022 at 2:05 PM parimala nitesh <parimalanitesh@gmail.com> wrote:
Hi Pierri,
Thank you Pierri for the response.
My queries are inline
[1]If you can set up replication between the two LDAP server instances
then the data will be available on both instances.
What if the users are getting added on external LDAP. Then i've to replicate it again?
No Replication keeps the data in sync.
That said I am not sure whether we can replicate from Open LDAP towards 389DS.
[2]If server2 suffix is different from server1 suffix, then you could use
chaining.
(so that request to Server1 get forwarded to request2)
Can i get any documentation link for this chaining(If user1 belongs to ldapserver and ext_user is user for external_ldap. What happens if user1 is requesting will it go to external_ldap to get authenticated ?)
Here is some Chaining documentation: https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_directory_databases-creating_and_maintaining_database_links
To answer your question:
For chaining to work properly you must organize your DIT such a way that entries belongs on different backend So the DIT will looks like
uid=user1,ou=users,ou=local data,dc=domain,dc=com
uid=ext1_user1,ou=users,ou=openldap data,dc=domain,dc=com
uid=ext2_user1,ou=users,ou=AD data,dc=domain,dc=com
So a bind on uid=user1,ou=users,ou=local data,dc=domain,dc=com will be handled locally
a bind on uid=user1,ou=users,ou=local data,dc=domain,dc=com will be handled locally
a bind on uid=ext1_user1,ou=users,ou=openldap data,dc=domain,dc=com will be send toward open ldap
a bind on uid=ext2_user1,ou=users,ou=AD data,dc=domain,dc=com will be sent on AD
But a subtree search on dc=domain,dc=com will be sent on the 3 LDAP servers
[3] using the Pass Through Authentication plugin (In that case only the
bind requests will be forwarded. But that may not be enough depending how
exactly the application is checking the ldap authentication)
I see that Openldap proxy option isn't there 389ds. Is there any other pass through autentication plugin. if you can you please share a link by which i can implement this option.
I will let the Open ldap expert answer this one ! -;)
Regards
Pierre
Thank you
Parimala Nitesh
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
389 Directory Server Development Team
389 Directory Server Development Team
No comments:
Post a Comment