Hi Willam Brown,
I've tried to follow this document for pass through authentication
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/using_the_pass_through_authentication_plug_in
For that i've create two 389ds ldap servers
i've created ldap1 with ldap1.inf
# ldap1.inf
[general]
config_version = 2
[slapd]
self_sign_cert = False
instance_name = ldap1
port = 1389
# root_dn (str)
# Description: Sets the Distinquished Name (DN) of the administrator account for this instance.
# Default value: cn=Directory Manager
root_dn = cn=ldap2
# root_password (str)
# Description: Sets the password of the account specified in the "root_dn" parameter. You can either set this parameter
# to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility.
# Note that setting a plain text password can be a security risk if unprivileged users can read this INF file!
# Default value: Directory_Manager_Password
root_password = #CEEadmin123
[backend-userroot]
sample_entries = yes
suffix = dc=openstack,dc=org
Ldap2 with below file ldap2.inf
# ldap2.inf
[general]
config_version = 2
[slapd]
self_sign_cert = False
instance_name = ldap2
port = 2389
# root_dn (str)
# Description: Sets the Distinquished Name (DN) of the administrator account for this instance.
# Default value: cn=Directory Manager
root_dn = cn=ldap2
# root_password (str)
# Description: Sets the password of the account specified in the "root_dn" parameter. You can either set this parameter
# to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility.
# Note that setting a plain text password can be a security risk if unprivileged users can read this INF file!
# Default value: Directory_Manager_Password
root_password = #CEEadmin123
[backend-userroot]
sample_entries = yes
suffix = dc=openstack,dc=org
Created a "ou=users" for ldap1 and added users under that "ou=users"
ceeinfra@infra3:~/389ds/ldap2> sudo dsidm -b "dc=openstack,dc=org" slapd-ldap1 account list
dc=openstack,dc=org
ou=groups,dc=openstack,dc=org
ou=people,dc=openstack,dc=org
ou=permissions,dc=openstack,dc=org
ou=services,dc=openstack,dc=org
uid=demo_user,ou=people,dc=openstack,dc=org
cn=demo_group,ou=groups,dc=openstack,dc=org
ou=users,dc=openstack,dc=org
uid=ldap1_user1,ou=users,dc=openstack,dc=org
uid=ldap1_user2,ou=users,dc=openstack,dc=org
uid=ldap1_user3,ou=users,dc=openstack,dc=org
Created a "ou==people" for ldap2 and added users under that "ou=people"
ceeinfra@infra3:~/389ds/ldap2> sudo dsidm -b "dc=openstack,dc=org" slapd-ldap2 account list
dc=openstack,dc=org
ou=groups,dc=openstack,dc=org
ou=people,dc=openstack,dc=org
ou=permissions,dc=openstack,dc=org
ou=services,dc=openstack,dc=org
uid=demo_user,ou=people,dc=openstack,dc=org
cn=demo_group,ou=groups,dc=openstack,dc=org
uid=ldap2_user1,ou=people,dc=openstack,dc=org
uid=ldap2_user2,ou=people,dc=openstack,dc=org
uid=ldap2_user3,ou=people,dc=openstack,dc=org
Now i've followed your the steps from this link https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/using_the_pass_through_authentication_plug_in
and i ran below commands to pass through from ldap1 to ldap2 users to
dsconf -D "cn=ldap1" ldap://infra3:1389 plugin pass-through-auth enable
dsconf -D "cn=ldap1" ldap://infra3:1389 plugin pass-through-auth url add "ldap://infra3:2389/ou=people"
and restarted
sudo dsctl slapd-ldap1 restart
Can you tell me how to verify the users of ldap2 to get authenticated with ldap1 server(below are the points from the documentation)
The user directory is now configured to send all bind requests for entries with a DN containing o=RedHat to the configuration directory authdir.example.com.
The user directory allows any user from o=RedHat to bind.
1) Can you also tell me if i've two ldap's whose suffixes are not same i.e.
for ldap1 id suffix is dc=openstack,dc=com
for ldap2 suffix is dc=nitesh,com=org
Can i do pass through authentication or chaining between those two LDAP's?
2) Can you tell me how to check bind of the users with ldapserver also ?
I'm literally new to 389ds please bare with my questions.
Regards
Nitesh
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
No comments:
Post a Comment