comanage-users - Re: [comanage-users] Authenticating Single System with Multiple LDAP Servers
- From: Scott Koranda <>
- To:
- Subject: Re: [comanage-users] Authenticating Single System with Multiple LDAP Servers
- Date: Fri, 8 Jun 2018 22:49:40 -0500
> I believe SSSD[1] allows for fall-through authN.
> If a user is not found in one LDAP it will try another LDAP.
> Might work..
>
>
> [1] https://docs.pagure.org/SSSD.sssd/#
>
+1

I think the SSSD approach will provide everything you need.

But if not, another approach is to use the meta backend for slapd
(OpenLDAP). From 'man slapd-meta':

"The meta backend to slapd(8) performs basic LDAP proxying with respect
to a set of remote LDAP servers, called "targets". The information
contained in these servers can be presented as belonging to a single
Directory Information Tree (DIT)."

I have used this backend to make multiple LDAP directories appear to be
a single virtual directory for clients and it has worked well, especially
when combined with the powerful Rewrite/Remap overlay (man slapo-rwm).

The biggest issue with the meta backend is that the documentation for using
it has not been updated for the OLC (cn=config) approach. So you either
have to make clever guesses or create an old-style slapd.conf and then convert
it using the "slaptest technique".

Scott K
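
A sketch of the meta backend setup and the "slaptest technique" described in the message above, as an added example that is not part of the original post or of OpenLDAP's own documentation. The hostnames, suffixes, schema path and function names are assumptions; the directives are those documented in slapd-meta(5) for OpenLDAP 2.4.

```shell
#!/bin/sh
# Added example: every hostname, suffix and path below is a constructed placeholder.

# Write an old-style slapd.conf that presents two remote directories as
# subtrees of one virtual DIT. ldaps:// is used because client bind
# credentials are relayed by the proxy to the targets.
write_meta_conf() {
    conf=$1
    schema_dir=${2:-/etc/openldap/schema}   # assumption: path differs per distribution
    cat > "$conf" <<EOF
include $schema_dir/core.schema
# moduleload back_meta   (needed only when back_meta is built as a module)

database meta
suffix "dc=virtual,dc=example"

# Target A: real tree dc=a,dc=example,dc=org appears as ou=a under the virtual suffix
uri "ldaps://ldap-a.example.org/ou=a,dc=virtual,dc=example"
suffixmassage "ou=a,dc=virtual,dc=example" "dc=a,dc=example,dc=org"

# Target B: real tree dc=b,dc=example,dc=org appears as ou=b under the virtual suffix
uri "ldaps://ldap-b.example.org/ou=b,dc=virtual,dc=example"
suffixmassage "ou=b,dc=virtual,dc=example" "dc=b,dc=example,dc=org"
EOF
}

# slapd-meta requires each target's naming context (the DN part of the uri)
# to fall within the database suffix. Returns 0 only if every uri does.
check_targets() {
    awk '
        $1 == "suffix" { gsub(/"/, "", $2); suffix = $2 }
        $1 == "uri" {
            gsub(/"/, "", $2); n = split($2, part, "/"); ctx = part[n]; total++
            tail = substr(ctx, length(ctx) - length(suffix))
            if (suffix == "" || (ctx != suffix && tail != "," suffix)) bad++
        }
        END { exit (total == 0 || bad > 0) }
    ' "$1"
}

# The "slaptest technique": let slaptest parse slapd.conf and write the
# equivalent cn=config (OLC) tree into an empty directory.
convert_to_olc() {
    conf=$1; outdir=$2
    command -v slaptest >/dev/null 2>&1 || { echo "slaptest not found" >&2; return 2; }
    check_targets "$conf" || { echo "target outside database suffix" >&2; return 1; }
    mkdir -p "$outdir" && slaptest -f "$conf" -F "$outdir"
}
```

Typical use is `write_meta_conf slapd.conf`, edit the targets, then `convert_to_olc slapd.conf slapd.d`; the generated `olcDatabase={N}meta.ldif` shows the OLC attribute names that the documentation does not list.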