Thursday, May 5, 2022

[389-users] Re: 389ds External LDAP Authentication

> On 5 May 2022, at 13:14, parimala nitesh <parimalanitesh@gmail.com> wrote:
>
> Apologies for creating confusion.
>
> My Problem statement:
> I've a Server1 on which I've installed 389ds lets call it out as internal_ldap. I've installed Openstack on the same server and I'm integrating this internal_ldap as my ldap backend to Openstack Keystone(https://docs.openstack.org/keystone/pike/admin/identity-integrate-with-ldap.html) by which all the users of the ldap can use the Openstack.
> I've an external_ldap(can be 389ds or openldap or any AD) on Server2. Now i've to integrate this external ldap also to my Openstack Keystone.
>
> As my internal_ldap is already integrated with Openstack Keystone, if i can integrate both internal_ldap and external_ldap, then i thought users of external_ldap also also use Openstack.
>
> So by integrating internal_ldap and external_ldap i think i can solve my problem

Right, that helps a lot.

Okay, so there are a few ways you could do this.

389-ds doesn't have a "proxy" mode as you would know from openldap. It has pam-passthru authentication which allows you to create "stub" entries on 389-ds, then pass-back to the external ldap to do the validation of the credentials.

Another option is if your external is AD, you could do an ad-sync to pull the users/accounts from AD into 389, and then pam pass through to get to the external backend for auth.

We do have chaining db, but i don't know if this is really what you want in this case, but it could be worth a look.


Finally, you could write something to manually do the sync.

Does that give you some ideas of things to look into?


>
> Regards
> Nitesh
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

No comments:

Post a Comment