  • parimalanitesh

389ds LDAP Chaining

389ds is an LDAP server. Unlike OpenLDAP, it does not support a proxy backend.

389ds instead offers a feature called chaining, by which one 389ds server contacts another LDAP server and authenticates the user there. Given two LDAP servers, LDAP1 and LDAP2, chaining lets the users of LDAP2 authenticate via LDAP1.


The most important requirement is that LDAP1 and LDAP2 share the same root suffix. Create both with "dc=openstack,dc=org".


Create the two LDAP servers, LDAP1 and LDAP2. You can follow the steps at https://www.niteshtech.com/post/389ds-ldap-server-configuration-and-user-creation


  • On LDAP1, create an organisational unit "people" and create LDAP users under "ou=people".

  • On LDAP2, create an organisational unit "users" and create LDAP users under "ou=users".


For example, a client application sends a request to LDAP1. LDAP1 contains a database link that chains the request to a database on LDAP2.



The database link on LDAP1 binds to LDAP2 using a dedicated user and password.



LDAP2 must contain an entry for this user, with proxy authorization rights granted to it. Set the proxy ACI the same way as any other ACI.


Create an additional user on LDAP2. Let's create a proxy_user on LDAP2 with the proxy_user.ldif file below. The userPassword value is only a placeholder; since this account can bind to LDAP2 from LDAP1, give it a strong, dedicated password that is not the same as its username.

dn: uid=proxy_user,ou=users,dc=openstack,dc=org
uid: proxy_user
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
#objectClass: openstackEntry
uidNumber: 2000
gidNumber: 2500
displayName: proxy_user
homeDirectory: /home/proxy_user
cn: proxy_user
userPassword: proxy_user

Command to add the proxy user to LDAP2:

ldapadd -x -h localhost -p 389 -w "#389ds_ldap" -D "cn=Manager" -f proxy_user.ldif

Before chaining, check the backend tree with the following command:

sudo dsconf -D "cn=ldap1" -w "#389ds_ldap" ldap1 backend get-tree

Output:

- dc=openstack,dc=org


Chaining is achieved with the following steps:

sudo dsconf -D "cn=ldap1" -w "#389ds_ldap" ldap1 chaining link-create --suffix="ou=users,dc=openstack,dc=org" --server-url=ldap://192.168.1.2:2389 --bind-dn="uid=proxy_user,ou=users,dc=openstack,dc=org" --bind-mech="Simple" --bind-pw=proxy_user test_chaining

Note: replace the LDAP2 server details (the address and port in --server-url) in the above command before you run it.

sudo dsconf -D "cn=ldap1" -w "#389ds_ldap" ldap1 chaining link-set test_chaining --proxied-auth off

Restart the LDAP1 server:

sudo dsctl ldap1 restart

Now you can check the backend tree again:

sudo dsconf -D "cn=ldap1" -w "#389ds_ldap" ldap1 backend get-tree

Output:

- dc=openstack,dc=org

- ou=users,dc=openstack,dc=org


When you run ldapsearch on the LDAP1 server (binding with the same credentials as the dsconf commands above), it will also list all the users of LDAP2, because requests under ou=users are chained to LDAP2.

ldapsearch -x -h localhost -p 389 -D "cn=ldap1" -w "#389ds_ldap" -b "dc=openstack,dc=org"
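A mistake that is easy to make in the steps above is a proxy_user.ldif whose dn does not match the --bind-dn of the link, or a link suffix that is not under the shared root suffix; the link then fails to bind and nothing is chained. The following pre-flight check is an added example (not code from the post or from 389ds): it compares the DNs structurally, RDN by RDN, using the suffix, bind DN and LDIF values from the post plus a constructed, deliberately mistyped LDIF to show what the check catches.

```python
import re

def parse_dn(dn):
    """Split a DN into normalised (attr, value) RDN pairs for structural
    comparison; escaped commas are respected, multi-valued RDNs are not handled."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.strip().partition('=')
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def is_under(dn, suffix):
    """True when dn equals or lies below suffix, compared RDN by RDN
    (a plain string test would wrongly accept dc=openstack,dc=org.example)."""
    d, s = parse_dn(dn), parse_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def ldif_dn(ldif):
    """Return the dn: of the first entry in an LDIF text."""
    for line in ldif.splitlines():
        if line.lower().startswith("dn:"):
            return line[3:].strip()
    raise ValueError("no dn: line in LDIF")

def check_chaining(root_suffix, link_suffix, bind_dn, proxy_ldif):
    """Return a list of problems; empty means link parameters and LDIF agree."""
    problems = []
    if not is_under(link_suffix, root_suffix):
        problems.append("link suffix %s is not under root suffix %s" % (link_suffix, root_suffix))
    if not is_under(bind_dn, link_suffix):
        problems.append("bind DN %s is not under chained suffix %s" % (bind_dn, link_suffix))
    entry_dn = ldif_dn(proxy_ldif)
    if parse_dn(entry_dn) != parse_dn(bind_dn):
        problems.append("LDIF creates %s but the link binds as %s" % (entry_dn, bind_dn))
    return problems

# Values from the post. BAD_LDIF is a constructed variant with a mistyped
# suffix (ou=openstack,o=org) to show what the check catches.
ROOT = "dc=openstack,dc=org"
LINK_SUFFIX = "ou=users,dc=openstack,dc=org"
BIND_DN = "uid=proxy_user,ou=users,dc=openstack,dc=org"
GOOD_LDIF = "dn: uid=proxy_user,ou=users,dc=openstack,dc=org\nuid: proxy_user\n"
BAD_LDIF = "dn: uid=proxy_user,ou=users,ou=openstack,o=org\nuid: proxy_user\n"

if __name__ == "__main__":
    for name, ldif in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        print(name, check_chaining(ROOT, LINK_SUFFIX, BIND_DN, ldif) or "OK")
```

Run it against your own proxy_user.ldif and link parameters before link-create; an empty result means the three DNs are consistent.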


