389 Directory Server (389ds) is an LDAP server. Unlike OpenLDAP, it has no proxy backend (OpenLDAP's back-ldap); the equivalent mechanism in 389ds is called chaining.
With chaining, a 389ds instance forwards every request for one part of its tree to another LDAP server through a "database link". Given two servers, LDAP1 and LDAP2, chaining lets clients that only talk to LDAP1 look up and authenticate users that are actually stored on LDAP2.
The most important prerequisite is that LDAP1 and LDAP2 use the same root suffix. Create both instances with the suffix "dc=openstack,dc=org".
Create two LDAP servers, LDAP1 and LDAP2. You can follow the steps from this link: https://www.niteshtech.com/post/389ds-ldap-server-configuration-and-user-creation
On LDAP1 create an organizational unit "people" and create LDAP users under "ou=people,dc=openstack,dc=org".
On LDAP2 create an organizational unit "users" and create LDAP users under "ou=users,dc=openstack,dc=org".
For example, a client application sends a request to LDAP1. LDAP1 contains a database link that chains any request for "ou=users,dc=openstack,dc=org" to the database on LDAP2.
The database link on LDAP1 binds to LDAP2 with a dedicated user and password, so LDAP2 must contain an entry for that user.
If the link uses proxied authorization (the default), LDAP2 must also grant that user the "proxy" right over the chained subtree; this is set with an ACI written like any other ACI. The link-set command later in this post turns proxied authorization off, in which case every chained operation runs on LDAP2 with the proxy user's own rights and no proxy ACI is needed.
Create an additional user on LDAP2: the proxy user the link will bind as. Save the following as proxy_user.ldif.
# proxy user for the database link; the DN must sit under the shared root suffix
dn: uid=proxy_user,ou=users,dc=openstack,dc=org
uid: proxy_user
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
#objectClass: openstackEntry
uidNumber: 2000
gidNumber: 2500
displayName: proxy_user
homeDirectory: /home/proxy_user
cn: proxy_user
# sample password, the same value is passed to link-create below; use a strong one outside a lab
userPassword: proxy_user
Command to add the proxy user on LDAP2. Bind as LDAP2's root DN ("cn=Manager" is the root DN chosen when this instance was created; the 389ds default is "cn=Directory Manager"). Passing the password with -w puts it in the process list and shell history; use -W to be prompted instead.
ldapadd -x -h localhost -p 389 -w "#389ds_ldap" -D "cn=Manager" -f proxy_user.ldif
Before creating the link, check LDAP1's backend tree with the following command:
sudo dsconf -D "cn=ldap1" -w "#389ds_ldap" ldap1 backend get-tree
Output:
- dc=openstack,dc=org
Chaining is set up with the following steps, all run on LDAP1. Replace 192.168.1.2:2389 with LDAP2's address and port before running the command:
sudo dsconf -D "cn=ldap1" -w "#389ds_ldap" ldap1 chaining link-create --suffix="ou=users,dc=openstack,dc=org" --server-url=ldap://192.168.1.2:2389 --bind-dn="uid=proxy_user,ou=users,dc=openstack,dc=org" --bind-mech="Simple" --bind-pw=proxy_user test_chaining
This creates a link named test_chaining that serves "ou=users,dc=openstack,dc=org" on LDAP1 by forwarding to LDAP2, binding there as proxy_user with a simple bind. Two caveats: an ldap:// URL with a simple bind sends proxy_user's password to LDAP2 in cleartext, so use an ldaps:// URL (or StartTLS on the link) on anything but a lab network; and the bind password is stored in LDAP1's configuration (dse.ldif), so protect that file like any other credential store.
Then turn proxied authorization off on the link, so chained operations are executed on LDAP2 with proxy_user's own rights instead of being re-authorized as the original client (which would require the proxy ACI on LDAP2):
sudo dsconf -D "cn=ldap1" -w "#389ds_ldap" ldap1 chaining link-set test_chaining --proxied-auth off
Restart the LDAP1 server
sudo dsctl ldap1 restart
Now check the backend tree again:
sudo dsconf -D "cn=ldap1" -w "#389ds_ldap" ldap1 backend get-tree
Output:
- dc=openstack,dc=org
- ou=users,dc=openstack,dc=org
An ldapsearch against LDAP1 for the whole suffix now also returns the LDAP2 entries under ou=users, fetched through the link. Bind with LDAP1's root DN (the same "cn=ldap1" used in the dsconf commands above); -w without -D is an unauthenticated bind, which 389ds rejects by default.
ldapsearch -x -h localhost -p 389 -D "cn=ldap1" -w "#389ds_ldap" -b "dc=openstack,dc=org"
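The mistakes that break this setup are almost all DN mistakes: a root suffix that differs between the two instances, a link suffix that is not under the root, or a bind DN with a typo (the sort of "ou=openstack,o=org" slip that makes link-create succeed and every chained search fail). The script below is an added example, not part of the original post or of 389ds: it checks those constraints offline, without contacting either server, and prints the ACI LDIF that LDAP2 needs if you decide to keep proxied authorization on instead of turning it off. The DN values are the ones used in this post; the ACI syntax is the standard 389ds ACI format with the "proxy" right.

```shell
#!/bin/sh
# Added example, not from the original post: offline sanity checks for the
# chaining setup. Nothing here contacts an LDAP server; it validates the DNs
# that will be passed to dsconf and prints the LDIF for the proxy ACI.
# The DN values below are the ones used in the post.

# Normalise a DN for comparison: lowercase, no blanks around ',' and '='.
norm_dn() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
    | sed 's/[[:space:]]*,[[:space:]]*/,/g; s/[[:space:]]*=[[:space:]]*/=/g'
}

# dn_under CHILD PARENT: succeed if CHILD is PARENT itself or an entry below it.
dn_under() {
  child=$(norm_dn "$1")
  parent=$(norm_dn "$2")
  [ "$child" = "$parent" ] && return 0
  case "$child" in
    *",$parent") return 0 ;;
  esac
  return 1
}

# check_link ROOT1 ROOT2 LINK_SUFFIX BIND_DN
# Verifies what the post relies on: LDAP1 and LDAP2 share one root suffix,
# the chained suffix sits under that root, and the bind DN (an entry that
# must exist on LDAP2) sits under LDAP2's root. Prints each violation and
# returns the number of violations, so 0 means the values are consistent.
check_link() {
  root1=$1; root2=$2; link=$3; bind=$4; errors=0
  if [ "$(norm_dn "$root1")" != "$(norm_dn "$root2")" ]; then
    echo "root suffixes differ: '$root1' vs '$root2'"
    errors=$((errors + 1))
  fi
  if ! dn_under "$link" "$root1"; then
    echo "link suffix '$link' is not under '$root1'"
    errors=$((errors + 1))
  fi
  if ! dn_under "$bind" "$root2"; then
    echo "bind DN '$bind' is not under '$root2' (typo such as o=org?)"
    errors=$((errors + 1))
  fi
  return "$errors"
}

# proxy_aci_ldif BIND_DN LINK_SUFFIX: LDIF for ldapmodify on LDAP2 that grants
# BIND_DN the "proxy" right over the chained subtree. Needed only if the link
# keeps proxied authorization on (the default) instead of --proxied-auth off.
proxy_aci_ldif() {
  cat <<EOF
dn: $2
changetype: modify
add: aci
aci: (targetattr="*")(target="ldap:///$2")(version 3.0; acl "proxy right for chaining link"; allow (proxy) userdn="ldap:///$1";)
EOF
}

# Run with the post's values; the script's exit status is non-zero (and the
# reason is printed) when the DNs are inconsistent.
check_link "dc=openstack,dc=org" "dc=openstack,dc=org" \
  "ou=users,dc=openstack,dc=org" "uid=proxy_user,ou=users,dc=openstack,dc=org" \
  && proxy_aci_ldif "uid=proxy_user,ou=users,dc=openstack,dc=org" \
                    "ou=users,dc=openstack,dc=org"
```

Run it before link-create; if it prints the ACI, the DNs are consistent. Feed the printed LDIF to ldapmodify on LDAP2 only if you skip the --proxied-auth off step, since with proxied authorization off the link never sends the proxy authorization control and the ACI is unused. The comparison is deliberately simple (case and whitespace only), which is enough to catch the suffix and typo errors above but is not a full RFC 4514 DN normaliser.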