Wednesday, May 4, 2022

[389-users] Re: 389ds External LDAP Authentication

On Wed, May 4, 2022 at 2:05 PM parimala nitesh <> wrote:
Hi Pierri,

Thank you Pierri for the response.
My queries are inline

[1]If you can set up replication between the two LDAP server instances
then the data will be available on both instances.

What if the users are getting added on the external LDAP? Then I've to replicate it again?

No. Replication keeps the data in sync.
   That said, I am not sure whether we can replicate from OpenLDAP towards 389DS.

[2]If server2 suffix is different from server1 suffix, then you could use
(so that requests to Server1 get forwarded to Server2)

Can I get any documentation link for this chaining? (If user1 belongs to ldapserver and ext_user is a user for external_ldap, what happens if user1 is requesting? Will it go to external_ldap to get authenticated?)
To answer your question:
    For chaining to work properly you must organize your DIT in such a way that entries belong to different backends. So the DIT will look like
        uid=user1,ou=users,ou=local data,dc=domain,dc=com 
        uid=ext1_user1,ou=users,ou=openldap data,dc=domain,dc=com 
        uid=ext2_user1,ou=users,ou=AD data,dc=domain,dc=com 

So a bind on uid=user1,ou=users,ou=local data,dc=domain,dc=com will be handled locally,
a bind on uid=ext1_user1,ou=users,ou=openldap data,dc=domain,dc=com will be sent toward OpenLDAP,
a bind on uid=ext2_user1,ou=users,ou=AD data,dc=domain,dc=com will be sent to AD.

But a subtree search on dc=domain,dc=com will be sent to the 3 LDAP servers.

[3] using the Pass Through Authentication plugin (In that case only the
bind requests will be forwarded. But that may not be enough depending how
exactly the application is checking the ldap authentication)

I see that the OpenLDAP proxy option isn't there in 389ds. Is there any other pass-through authentication plugin? If you can, could you please share a link by which I can implement this option.

I will let the OpenLDAP expert answer this one! ;-)


Thank you
Parimala Nitesh


389 Directory Server Development Team
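To make the routing rule in the reply concrete, here is an added example (not code from the thread or from 389 DS) that simulates how a mapping tree with the proposed DIT picks a backend by longest matching suffix and which backends a subtree search fans out to. The backend names (userRoot, chain_openldap, chain_ad) and the simplified DN normalisation are assumptions of this example.

```python
from typing import List, Optional, Tuple

# Constructed mapping tree for the DIT layout proposed in the thread:
# suffix -> backend that owns it. The backend names are assumptions;
# in 389 DS the chained suffixes would be chaining (database link) backends.
MAPPING_TREE = {
    "dc=domain,dc=com": "userRoot",                   # holds ou=local data too
    "ou=openldap data,dc=domain,dc=com": "chain_openldap",
    "ou=AD data,dc=domain,dc=com": "chain_ad",
}


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Split a DN into RDNs, lower-cased and stripped of padding whitespace.
    Simplification: real RFC 4514 normalisation also handles escaping and
    multi-valued RDNs, which the DNs in this example do not use."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(rdns)


def is_under(dn: str, suffix: str) -> bool:
    """True when `dn` equals `suffix` or lies below it in the tree."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def backend_for(dn: str) -> Optional[str]:
    """Backend handling an operation on `dn`: the longest matching suffix wins,
    so a bind under ou=AD data goes to chain_ad, not to userRoot."""
    matches = [s for s in MAPPING_TREE if is_under(dn, s)]
    if not matches:
        return None  # DN outside every configured suffix
    best = max(matches, key=lambda s: len(normalize_dn(s)))
    return MAPPING_TREE[best]


def backends_for_subtree_search(base: str) -> List[str]:
    """A subtree search touches the backend owning `base` plus every backend
    whose suffix lies below `base`; a search at dc=domain,dc=com hits all three."""
    touched = []
    owner = backend_for(base)
    if owner:
        touched.append(owner)
    for suffix, backend in MAPPING_TREE.items():
        if is_under(suffix, base) and backend not in touched:
            touched.append(backend)
    return touched
```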
