Hi,
I am running the openldap server on Red Hat Enterprise Linux release 8.8 (Ootpa)
# rpm -qa | grep -i ldap
sssd-ldap-2.8.2-3.el8_8.x86_64
symas-openldap-servers-2.4.59-1.el8.x86_64
openldap-2.4.46-18.el8.x86_64
symas-openldap-2.4.59-1.el8.x86_64
symas-openldap-clients-2.4.59-1.el8.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.8 (Ootpa)
#
Is there a way to set up two DN's in OpenLDAP server?
dn: cn=admin,dc=corporate,dc=mydomain,dc=com
dn: cn=admin,dc=checker,dc=mydomain,dc=com
Please guide me. Thanks in advance.
Best Regards,
Kaushal
On 02.10.23 09:56, Kaushal Shriyan wrote:
Is there a way to set up two DN's in OpenLDAP server?
dn: cn=admin,dc=corporate,dc=mydomain,dc=com
dn: cn=admin,dc=checker,dc=mydomain,dc=com
If you are still talking about rootdn: No, that is not possible. You can have only one rootdn per database.
But you can give any LDAP user the same privileges by setting the ACLs properly.
Please consult man slapd.access or the admin guide.
Best regards
Ulf
On Mon, Oct 2, 2023 at 2:37 PM Ulf Volmer u.volmer@u-v.de wrote:
On 02.10.23 09:56, Kaushal Shriyan wrote:
Is there a way to set up two DN's in OpenLDAP server?
dn: cn=admin,dc=corporate,dc=mydomain,dc=com
dn: cn=admin,dc=checker,dc=mydomain,dc=com
If you are still talking about rootdn: No, that is not possible. You can have only one rootdn per database.
But you can give any LDAP user the same privileges by setting the ACLs properly.
Please consult man slapd.access or the admin guide.
Best regards
Ulf
Thanks Ulf for the quick response and detailed explanation. So do I need to have two openldap servers running on Red Hat Enterprise Linux release 8.8 (Ootpa)?
For example
corporate.mydomain.com (http://corporate.mydomain.com): dn: cn=admin,dc=corporate,dc=mydomain,dc=com on openldap on port 389
checker.mydomain.com (http://checker.mydomain.com): dn: cn=admin,dc=checker,dc=mydomain,dc=com on openldap on port 390
Please guide me. Thanks in advance.
Best Regards,
Kaushal
Am Mon, Oct 02, 2023 at 04:11:19PM +0530 schrieb Kaushal Shriyan:
Thanks Ulf for the quick response and detailed explanation. So do I need to have two openldap servers running on Red Hat Enterprise Linux release 8.8 (Ootpa)?
For example
corporate.mydomain.com (http://corporate.mydomain.com): dn: cn=admin,dc=corporate,dc=mydomain,dc=com on openldap on port 389
checker.mydomain.com (http://checker.mydomain.com): dn: cn=admin,dc=checker,dc=mydomain,dc=com on openldap on port 390
You can run multiple databases in different backends on the same server and same slapd instance.
Best regards
Ulf
Thanks Ulf for the email response. Any documentation to refer to set up multiple databases in different backends in OpenLDAP?
Best Regards,
Kaushal
On Mon, Oct 2, 2023 at 6:51 PM Ulf Volmer u.volmer@u-v.de wrote:
Am Mon, Oct 02, 2023 at 04:11:19PM +0530 schrieb Kaushal Shriyan:
Thanks Ulf for the quick response and detailed explanation. So do I need to have two openldap servers running on Red Hat Enterprise Linux release 8.8 (Ootpa)?
For example
corporate.mydomain.com (http://corporate.mydomain.com): dn: cn=admin,dc=corporate,dc=mydomain,dc=com on openldap on port 389
checker.mydomain.com (http://checker.mydomain.com): dn: cn=admin,dc=checker,dc=mydomain,dc=com on openldap on port 390
You can run multiple databases in different backends on the same server and same slapd instance.
Best regards
Ulf
On Mon, Oct 02, 2023 at 09:37:41PM +0530, Kaushal Shriyan wrote:
Thanks Ulf for the email response. Any documentation to refer to set up multiple databases in different backends in OpenLDAP?
Generally you should refer to the Administrator's Guide[0], specifically chapter 5 seems appropriate. It documents cn=config (man slapd-config), see man slapd.conf for equivalent options if using slapd.conf instead. It's as easy as configuring more than one (olc)Database entry.
Before you progress any further, you also want to use a more recent OpenLDAP than 2.4, which has been deprecated for years now - you mention using Symas builds already, switching to 2.5 or 2.6 is easy and documented here[1].
[0]. https://www.openldap.org/doc/admin26/guide.html
[1]. https://repo.symas.com
Regards,
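As an added illustration of the multiple-database setup described in the replies above (example cn=config LDIF written for this page, not taken from the thread or from the OpenLDAP documentation): two independent suffixes served by one slapd on the usual single listener, each with its own on-disk directory, its own rootdn and its own ACLs. It assumes the mdb backend is available (if your build ships back_mdb as a module, load it first with a cn=module entry), that the directories /var/lib/ldap/corporate and /var/lib/ldap/checker already exist and are owned by the slapd user, and that root on the host may modify cn=config over ldapi:/// with SASL EXTERNAL. The {SSHA} values are placeholders to be replaced with slappasswd output.

```ldif
# two-databases.ldif (added example, not from the thread)
# Load with:  ldapadd -Y EXTERNAL -H ldapi:/// -f two-databases.ldif
# No {n} index is given in the RDN; slapd assigns the next free one,
# so this file does not collide with databases that already exist.

# Database 1: dc=corporate,dc=mydomain,dc=com
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=corporate,dc=mydomain,dc=com
olcRootDN: cn=admin,dc=corporate,dc=mydomain,dc=com
olcRootPW: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
# Each database needs its own directory; two mdb databases must
# never share one (assumed path, create it before loading).
olcDbDirectory: /var/lib/ldap/corporate
olcDbMaxSize: 1073741824
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
# ACLs are per database: password hashes are never readable,
# anonymous may only bind, authenticated users may read the rest.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by users read
  by * none

# Database 2: dc=checker,dc=mydomain,dc=com, same shape, separate files
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=checker,dc=mydomain,dc=com
olcRootDN: cn=admin,dc=checker,dc=mydomain,dc=com
olcRootPW: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
olcDbDirectory: /var/lib/ldap/checker
olcDbMaxSize: 1073741824
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by users read
  by * none
```

Both suffixes answer on the same port 389 (or ldaps/ldapi) listener; a second port is not needed, because slapd routes each request to the database whose olcSuffix matches the request's base DN. Verify with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix olcDbDirectory`. Once each tree holds a regular administrator entry with manage access via olcAccess, the olcRootDN/olcRootPW pair can be removed from the database entry, which is the practice recommended later in this thread.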
It sounds to me like you want a relay database.
From: Kaushal Shriyan kaushalshriyan@gmail.com
Sent: Monday, October 2, 2023 6:41 AM
To: Ulf Volmer u.volmer@u-v.de
Cc: openldap-technical@openldap.org
Subject: [EXTERNAL] Re: setup two DNs on one single Openldap server running on Red Hat Enterprise Linux release 8.8 (Ootpa)
On Mon, Oct 2, 2023 at 2:37 PM Ulf Volmer <u.volmer@u-v.de> wrote:
On 02.10.23 09:56, Kaushal Shriyan wrote:
Is there a way to set up two DN's in OpenLDAP server?
dn: cn=admin,dc=corporate,dc=mydomain,dc=com
dn: cn=admin,dc=checker,dc=mydomain,dc=com
If you are still talking about rootdn: No, that is not possible. You can have only one rootdn per database.
But you can give any LDAP user the same privileges by setting the ACLs properly.
Please consult man slapd.access or the admin guide.
Best regards
Ulf
Thanks Ulf for the quick response and detailed explanation. So do I need to have two openldap servers running on Red Hat Enterprise Linux release 8.8 (Ootpa)?
For example
corporate.mydomain.com (http://corporate.mydomain.com): dn: cn=admin,dc=corporate,dc=mydomain,dc=com on openldap on port 389
checker.mydomain.com (http://checker.mydomain.com): dn: cn=admin,dc=checker,dc=mydomain,dc=com on openldap on port 390
Please guide me. Thanks in advance.
Best Regards,
Kaushal
Thanks Bradley for the quick response. Any documentation to refer to set up relay database in OpenLDAP?
Please guide me. Thanks in advance.
Best Regards,
Kaushal
Hello,
It is not possible to have two different DNs on the same database, because the rootDN is unique. But you can configure multiple databases on the same server, which work quite independently (every db has its own set of overlays/config/replication). When you create the databases, you must ensure that they don't live in the same directory (defaults to /var/lib/ldap).
It is possible according to the guide to put extra ACLs in cn=config to let users from DB A access content in DB B and the other way around (but they are appended to the DB's own ACLs). TLS certificates are common to the server as well.
For an easier setup, just create a single dc=mydomain,dc=com database, put the content in two separate OU, add a cn=admin account in each OU and configure the ACL to let them manage their OU and below.
For more details, please read the admin guide.
Regards
On 02/10/2023 at 09:56, Kaushal Shriyan wrote:
Hi,
I am running the openldap server on Red Hat Enterprise Linux release 8.8 (Ootpa)
# rpm -qa | grep -i ldap
sssd-ldap-2.8.2-3.el8_8.x86_64
symas-openldap-servers-2.4.59-1.el8.x86_64
openldap-2.4.46-18.el8.x86_64
symas-openldap-2.4.59-1.el8.x86_64
symas-openldap-clients-2.4.59-1.el8.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.8 (Ootpa)
#
Is there a way to set up two DN's in OpenLDAP server?
dn: cn=admin,dc=corporate,dc=mydomain,dc=com
dn: cn=admin,dc=checker,dc=mydomain,dc=com
Please guide me. Thanks in advance.
Best Regards,
Kaushal
--On Monday, October 2, 2023 12:47 PM +0200 Jérôme BECOT jerome.becot@deveryware.com wrote:
Hello,
It is not possible to have two different DNs on the same database, because the rootDN is unique. But you can configure multiple databases on the same server, which work quite independently (every db has its own set of overlays/config/replication). When you create the databases, you must ensure that they don't live in the same directory (defaults to /var/lib/ldap).
There's no need for it to be a rootdn, generally I suggest avoiding using the rootdn for backends at all. The only rootdn that *might* need to be used is the one for cn=config, but that's entirely separate.
--Quanah
I guess it is a problem of terminology, I should have used baseDN I guess.
On 03/10/2023 at 20:16, Quanah Gibson-Mount wrote:
--On Monday, October 2, 2023 12:47 PM +0200 Jérôme BECOT jerome.becot@deveryware.com wrote:
Hello,
It is not possible to have two different DNs on the same database, because the rootDN is unique. But you can configure multiple databases on the same server, which work quite independently (every db has its own set of overlays/config/replication). When you create the databases, you must ensure that they don't live in the same directory (defaults to /var/lib/ldap).
There's no need for it to be a rootdn, generally I suggest avoiding using the rootdn for backends at all. The only rootdn that *might* need to be used is the one for cn=config, but that's entirely separate.
--Quanah
--On Tuesday, October 3, 2023 10:24 PM +0200 Jérôme BECOT jerome.becot@deveryware.com wrote:
I guess it is a problem of terminology, I should have used baseDN I guess.
Sure... but the question was about two admin users both under the same base :)
--Quanah
On 04.10.23 01:12, Quanah Gibson-Mount wrote:
--On Tuesday, October 3, 2023 10:24 PM +0200 Jérôme BECOT jerome.becot@deveryware.com wrote:
I guess it is a problem of terminology, I should have used baseDN I guess.
Sure... but the question was about two admin users both under the same base :)
That was how I understood his first question, yes. The second one sounds different, so I came to the same result as Jérôme did.
Best regards
Ulf
--On Monday, October 2, 2023 2:26 PM +0530 Kaushal Shriyan kaushalshriyan@gmail.com wrote:
Is there a way to set up two DN's in OpenLDAP server?
dn: cn=admin,dc=corporate,dc=mydomain,dc=com
dn: cn=admin,dc=checker,dc=mydomain,dc=com
This is trivial to create as 2 different entries in your dc=mydomain,dc=com database. There's no need for them to be rootdns, you can simply give them manage access to whatever they need to control.
--Quanah
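As an added worked example of the single-database alternative that Jérôme and Quanah both describe above (one dc=mydomain,dc=com database, one container per organisation, one ordinary admin entry per container given manage access by ACL, no extra rootdn), written for this page and not taken from the thread or the OpenLDAP documentation. It follows Jérôme's layout with two OUs; naming the containers dc=corporate,dc=mydomain,dc=com and dc=checker,dc=mydomain,dc=com inside the same database works the same way. Assumptions: the data database is olcDatabase={1}mdb,cn=config (check with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix`), root may modify cn=config over ldapi:/// with SASL EXTERNAL, and the {SSHA} values are placeholders for slappasswd output.

```ldif
# ---- file 1: tree.ldif (added example) ----
# Load into the data database with whatever identity may write there, e.g.
#   ldapadd -x -H ldap://localhost -D "<your rootdn>" -W -f tree.ldif
# The two admins are plain entries, not rootdns.

dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organization
dc: mydomain
o: mydomain

dn: ou=corporate,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: corporate

dn: cn=admin,ou=corporate,dc=mydomain,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: delegated administrator for ou=corporate
userPassword: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT

dn: ou=checker,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: checker

dn: cn=admin,ou=checker,dc=mydomain,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: delegated administrator for ou=checker
userPassword: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT

# ---- file 2: acl.ldif (added example) ----
# Load into cn=config:  ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
# "replace" overwrites the whole olcAccess list, so merge in any rules
# you already rely on. Rules are tried in order and the first matching
# "to" clause wins, which is why the userPassword rules come first:
# placed after the subtree rules, those would match userPassword too and
# give every authenticated user read access to password hashes.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="ou=corporate,dc=mydomain,dc=com" attrs=userPassword
  by dn.exact="cn=admin,ou=corporate,dc=mydomain,dc=com" manage
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=checker,dc=mydomain,dc=com" attrs=userPassword
  by dn.exact="cn=admin,ou=checker,dc=mydomain,dc=com" manage
  by self write
  by anonymous auth
  by * none
olcAccess: {2}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Each admin manages only its own subtree (entry, attributes and
# children, so add/delete/modify within the OU); everyone else reads.
olcAccess: {3}to dn.subtree="ou=corporate,dc=mydomain,dc=com"
  by dn.exact="cn=admin,ou=corporate,dc=mydomain,dc=com" manage
  by users read
  by * none
olcAccess: {4}to dn.subtree="ou=checker,dc=mydomain,dc=com"
  by dn.exact="cn=admin,ou=checker,dc=mydomain,dc=com" manage
  by users read
  by * none
olcAccess: {5}to *
  by users read
  by * none
```

Neither admin can touch the other OU, and neither can delete its own OU entry, since that needs write access to the children of dc=mydomain,dc=com, which rule {5} does not grant. The effective rights of a bind DN can be checked without guessing by running `slapacl -b <entry DN> -D <bind DN>` on the server; the ACL syntax itself is in man slapd.access as Ulf pointed out.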