[Fedora-directory-users] FDS and AD

Richard Megginson rmeggins at redhat.com
Fri Oct 13 13:07:53 UTC 2006


Sergio Diaz wrote:
> Hi all,
>
> I successfully connected the AD Back End DB to FDS like Brian Smith. I
> disabled nsProxiedAuthorization (comment by Richard Megginson) in
> Plugins->Chaining Database->AD (the name of my Sub Suffix), but I
> can't Browse the Directory: "Critical Extension unavailable".
I don't understand.  You can't "Browse" the directory, but you can 
search Users and Groups?
>
> - In the Console I can search Users, Groups of my AD and FDS =) Happy!!
>
> Two Questions:
> Is it possible to map the attributes like:
>
> map attribute  uid sAMAccountName
> map attribute  cn  name
> map attribute  mail userprincipalname
> map attribute  account user
No.
>
> Is it possible to link the database of the AD for read only?
You might be able to set the Chaining Database to be readonly in its 
settings.
>
> I would like to write a HOWTO for these settings.
>
> Regards,
> Sergio
>
> On 10/2/06, *Richard Megginson* <rmeggins at redhat.com> wrote:
>
>     It may be that AD doesn't support proxied auth, in which case you
>     should tell chaining to disable it.  See
>     http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#21180
>     for more information - the pertinent attribute is
>     nsProxiedAuthorization
>
>     Brian Smith wrote:
>     > All,
>     > Here's what I've now done to enable the AD Back end DB for a sub tree:
>     > 1.   Click configuration and select the "dc=domain,dc=com" tree.
>     > 2.   Right click "dc=domain,dc=com" tree and select new sub suffix
>     > 3.   In New Suffix box, typed "ou=subsuffix1" and unchecked create
>     > associated database automatically and click OK.
>     > 4.   Open "dc=domain,dc=com" and right click
>     > "ou=subsuffix1,dc=domain,dc=com", and select "new database link".
>     > 5.   Here, I put Database link name "subsuffix1", put the bind dn and
>     > password of a domain user account in my AD, and put the domain
>     > controller ip in the remote server box and clicked save. (I can
>     > connect to my AD with the DN I provided here)
>     > 6.   Check enable this suffix under ou=subsuffix1,dc=worldpub,dc=corp
>     >
>     > now subsuffix1 database appears under ou=subsuffix1,dc=domain,dc=com.
>     > If I now go to the directory tab, and select the directory entry, I
>     > get critical extension unavailable and if I use an ldap browser I get
>     > list failed on the main tree.  Did I miss a step?  If I disable the
>     > ou=subsuffix1,dc=domain,dc=com suffix I can browse the tree no
>     > problem.  Thanks!
>     > Brian Smith
>     >
>     >
>     >
>     > Sergio Diaz wrote:
>     >>
>     >> FDS, OpenLDAP and AD
>     >>
>     >> One Directory FDS.....I want these directions too...
>     >> Chaining Backend...
>     >>
>     >> Regards,
>     >> Sergio
>     >>
>     >> On Mon, 2006-10-02 at 14:12 -0400, Brian Smith wrote:
>     >>> Hello all, I've been working on getting chaining working with an
>     >>> active directory back end for a week now.  Has anyone successfully
>     >>> done this or have directions on setting this up?
>     >>>
>     >>>  Brian Smith
>     >>>
>     >>> Howard Chu wrote:
>     >>> >
>     >>> >> Date: Mon, 02 Oct 2006 10:01:55 -0600
>     >>> >> From: Richard Megginson <rmeggins at redhat.com>
>     >>> >
>     >>> >> Sergio Diaz wrote:
>     >>> >>> Hi Richard;
>     >>> >>>
>     >>> >>> Openldap:
>     >>> >>>
>     >>> >>>   The  *meta* backend to *slapd(8)
>     >>> >>> <http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8>*
>     >>> >>> performs basic LDAP proxying with respect to a set of remote LDAP
>     >>> >>> servers, called "targets". The information contained in these
>     >>> >>> servers can be presented as belonging to a single Directory
>     >>> >>> Information Tree (DIT).
>     >>> >>>
>     >>> >>> Is it possible with FDS?
>     >>> >>>
>     >>> >> FDS has a chaining backend which allows you to use another LDAP
>     >>> >> server to store the data.
>     >>> >
>     >>> > It sounds like the FDS chaining backend is similar to OpenLDAP
>     >>> > back-ldap and/or the chaining overlay. In OpenLDAP back-ldap forwards
>     >>> > a request to one other server (at a time; multiple servers can be
>     >>> > configured but the others will only be used if the first server cannot
>     >>> > be contacted). The back-meta backend is a superset of back-ldap, it
>     >>> > can fanout single requests to multiple servers in parallel and
>     >>> > aggregate the results. (There's also attribute mapping and DN
>     >>> > rewriting, but those capabilities are no longer unique to back-meta,
>     >>> > having been moved into the rewrite overlay.) With these modules you
>     >>> > can stitch together a variety of heterogeneous directories into a
>     >>> > coherent virtual directory.
>     >>> >
>     >>> >>> Regards!!
>     >>> >>> Sergio
>     >>> >>>
>     >>> >>>
>     >>> >>> On Mon, 2006-10-02 at 07:25 -0600, Richard Megginson wrote:
>     >>> >>>> Sergio Diaz wrote:
>     >>> >>>>> Hi People,
>     >>> >>>>>
>     >>> >>>>> Is it possible to sync only in one way?
>     >>> >>>>> Users Windows AD -> FDS.
>     >>> >>>> No, not really.
>     >>> >>>>> Or the other scenario, like OpenLDAP having a Meta Backend (2
>     >>> >>>>> LDAPs, 1 AD): is it possible with FDS?
>     >>> >>>> It's possible. What does the meta backend do?
>     >>> >>>>>
>     >>> >>>>> Regards,
>     >>> >>>>> Sergio
>     >>> >
>     >>> >
>     >>>
>     >>> --
>     >>> Fedora-directory-users mailing list
>     >>> Fedora-directory-users at redhat.com
>     >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>     >>>
>   