On Wed, May 4, 2022 at 2:05 PM parimala nitesh <parimalanit...@gmail.com> wrote:
> Hi Pierri,
>
> Thank you Pierri for the response.
> My queries are inline
>
> [1] If you can set up replication between the two LDAP server instances
> then the data will be available on both instances.
>
> What if the users are getting added on external LDAP. Then I've to
> replicate it again?
>

No. Replication keeps the data in sync.
That said, I am not sure whether we can replicate from Open LDAP towards 389DS.

> [2] If server2 suffix is different from server1 suffix, then you could use
> chaining.
> (so that request to Server1 get forwarded to request2)
>
> Can I get any documentation link for this chaining (If user1 belongs to
> ldapserver and ext_user is user for external_ldap. What happens if user1 is
> requesting will it go to external_ldap to get authenticated ?)
>

Here is some Chaining documentation:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_directory_databases-creating_and_maintaining_database_links

To answer your question:
For chaining to work properly you must organize your DIT in such a way that entries belong to different backends.
So the DIT will look like:

    uid=user1,ou=users,ou=local data,dc=domain,dc=com
    uid=ext1_user1,ou=users,ou=openldap data,dc=domain,dc=com
    uid=ext2_user1,ou=users,ou=AD data,dc=domain,dc=com

So
a bind on uid=user1,ou=users,ou=local data,dc=domain,dc=com will be handled locally
a bind on uid=user1,ou=users,ou=local data,dc=domain,dc=com will be handled locally
a bind on uid=ext1_user1,ou=users,ou=openldap data,dc=domain,dc=com will be sent toward open ldap
a bind on uid=ext2_user1,ou=users,ou=AD data,dc=domain,dc=com will be sent on AD

But a subtree search on dc=domain,dc=com will be sent on the 3 LDAP servers

> [3] using the Pass Through Authentication plugin (In that case only the
> bind requests will be forwarded. But that may not be enough depending how
> exactly the application is checking the ldap authentication)
>
> I see that Openldap proxy option isn't there 389ds. Is there any other
> pass through authentication plugin. If you can you please share a link by
> which I can implement this option.
>

I will let the Open ldap expert answer this one ! -;)

Regards
Pierre

>
> Thank you
> Parimala Nitesh
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>

--
--
389 Directory Server Development Team
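The routing described in the reply above, modelled as an added example that is not part of the original thread and is not 389 DS code: a bind is served by the one backend whose suffix contains the bind DN, while a subtree search at the common parent reaches every backend. The backend labels are hypothetical, the suffixes are the ones from the reply, and case-insensitive comparison of RDN values is an assumption.

```python
# Added illustration: a model of suffix-based routing, not 389 DS code.
# Backend labels are hypothetical; suffixes are taken from the reply.
BACKENDS = {
    "ou=local data,dc=domain,dc=com": "local",
    "ou=openldap data,dc=domain,dc=com": "openldap-link",
    "ou=AD data,dc=domain,dc=com": "ad-link",
}


def rdns(dn):
    """Split a DN into normalized RDNs (simplified: no escaped commas).
    Assumption: attribute values compare case-insensitively."""
    out = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        out.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return out


def is_under(dn, suffix):
    """True if dn equals suffix or sits below it, compared RDN by RDN."""
    d, s = rdns(dn), rdns(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def route_bind(bind_dn):
    """A bind goes to exactly one backend: the longest matching suffix.
    Returns None when no configured suffix contains the DN."""
    hits = [s for s in BACKENDS if is_under(bind_dn, s)]
    if not hits:
        return None
    return BACKENDS[max(hits, key=lambda s: len(rdns(s)))]


def route_subtree_search(base_dn):
    """A subtree search reaches every backend at or below the base,
    or the single backend that contains the base."""
    below = sorted(BACKENDS[s] for s in BACKENDS if is_under(s, base_dn))
    if below:
        return below
    owner = route_bind(base_dn)
    return [owner] if owner else []
```

The fan-out case matters when reviewing exposure: credentials for a chained user are checked only by that user's backend, but a search based at dc=domain,dc=com depends on all three servers being reachable.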