Hi all,
I'm pretty new in the usage of 389-DS and I would like to know if some of you could help me achieve a feature that would:
Have a 389-Directory server in front of AD Domain Controllers acting as "ldap proxy" to protect access to the DC but allowing to authenticate users with their LDAP AD account AND allowing to retrieve the list of Groups members (via filters) of the AD through PTA ?
Is that possible and how could achieve this ?
Thanks for your help
Bernard Lheureux. Ce message transmis par voie électronique ainsi que toutes ses annexes contiennent des informations qui peuvent être confidentielles ou protégées. Ces informations sont uniquement destinées à l’usage des personnes ou des entités précisées dans les champs ‘A’, ‘Cc’ et ‘Cci’. Si vous n’êtes pas l’un de ces destinataires, soyez conscient que toute forme, partielle ou complète, de divulgation, copie, distribution ou utilisation de ces informations est strictement interdite. Si vous avez reçu ce message par erreur, veuillez nous en informer par téléphone ou par message électronique et détruire les informations immédiatement. Ce message n’engage que son signataire et aucunement son employeur.
On 11/6/18 4:04 AM, LHEUREUX Bernard wrote:
Hi all,
I'm pretty new in the usage of 389-DS and I would like to know if some of you could help me achieve a feature that would:
Have a 389-Directory server in front of AD Domain Controllers acting as "ldap proxy" to protect access to the DC but allowing to authenticate users with their LDAP AD account AND allowing to retrieve the list of Groups members (via filters) of the AD through PTA ?
Is that possible and how could achieve this ?
Yes, but you need to use SSSD as well:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
I personally have not done this, but it is documented in the Administration Guide
HTH, Mark
Thanks for your help
Bernard Lheureux. Ce message transmis par voie électronique ainsi que toutes ses annexes contiennent des informations qui peuvent être confidentielles ou protégées. Ces informations sont uniquement destinées à l’usage des personnes ou des entités précisées dans les champs ‘A’, ‘Cc’ et ‘Cci’. Si vous n’êtes pas l’un de ces destinataires, soyez conscient que toute forme, partielle ou complète, de divulgation, copie, distribution ou utilisation de ces informations est strictement interdite. Si vous avez reçu ce message par erreur, veuillez nous en informer par téléphone ou par message électronique et détruire les informations immédiatement. Ce message n’engage que son signataire et aucunement son employeur. _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
On Tue, 2018-11-06 at 12:37 -0500, Mark Reynolds wrote:
On 11/6/18 4:04 AM, LHEUREUX Bernard wrote:
Hi all,
I'm pretty new in the usage of 389-DS and I would like to know if some of you could help me achieve a feature that would:
Have a 389-Directory server in front of AD Domain Controllers acting as "ldap proxy" to protect access to the DC but allowing to authenticate users with their LDAP AD account AND allowing to retrieve the list of Groups members (via filters) of the AD through PTA ?
Is that possible and how could achieve this ?
Yes, but you need to use SSSD as well:
https://access.redhat.com/documentation/en-us/red_hat_directory_serve r/10/html/administration_guide/pam-pta#pam-pta-sssd
I personally have not done this, but it is documented in the Administration Guide
If we ever get really bored (and I mean really bored ;) ) we could create this as a lib389 test case.
HTH, Mark
Thanks for your help
Bernard Lheureux. Ce message transmis par voie électronique ainsi que toutes ses annexes contiennent des informations qui peuvent être confidentielles ou protégées. Ces informations sont uniquement destinées à l’usage des personnes ou des entités précisées dans les champs ‘A’, ‘Cc’ et ‘Cci’. Si vous n’êtes pas l’un de ces destinataires, soyez conscient que toute forme, partielle ou complète, de divulgation, copie, distribution ou utilisation de ces informations est strictement interdite. Si vous avez reçu ce message par erreur, veuillez nous en informer par téléphone ou par message électronique et détruire les informations immédiatement. Ce message n’engage que son signataire et aucunement son employeur. _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject .org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidel ines List Archives: https://lists.fedoraproject.org/archives/list/389-us ers@lists.fedoraproject.org
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.o rg Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelin es List Archives: https://lists.fedoraproject.org/archives/list/389-user s@lists.fedoraproject.org
Hi,
It is possible . i'm using Pam PTA to authenticate AD user from SSO application. it works perfectly. the configurationis SSO app +> 389 + SSSD -> AD As mentionned by Mark Reynolds use PAM PTA and filter with pamFilter .
Contact me if you need more information.
On 20 Nov 2018, at 03:13, Olivier JUDITH gnulux@gmail.com wrote:
Hi,
It is possible . i'm using Pam PTA to authenticate AD user from SSO application. it works perfectly. the configurationis SSO app +> 389 + SSSD -> AD As mentionned by Mark Reynolds use PAM PTA and filter with pamFilter .
As a note, remember that SSSD is single threaded and may become a performance bottleneck. You could have to consider horizontal RO replica to scale your logins.
Contact me if you need more information.
If you want to write up a how-to for our website that would be great, I’d help review it and get it commited
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William
Hi ,
Ok i'll do that soon. For the moment i try to finish my plugin development
Cdlt.
Feel free to send me code to review at any time, I’ll review it when I get a chance :)
On 21 Nov 2018, at 08:44, Olivier JUDITH gnulux@gmail.com wrote:
Hi ,
Ok i'll do that soon. For the moment i try to finish my plugin development
Cdlt. _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William
389-users@lists.fedoraproject.org