We have two LDAP sources that contain users that need to be authenticated with SCM-Manager, an Active Directory and an OpenLDAP server. With SCM-Manager 1.x we used the Crowd connector plugin to authenticate against our Crowd instance, but this plugin is not available for SCM-Manager 2.x and the author doesn’t show any interest to update it for 2.x.
Is there any way to allow SCM-Manager to authenticate against more than one LDAP server? I tried creating a copy of the plugin directory and editing the .xml file to modify paths and identifier to be able to configure it a second time, but I guess it contains some hard coded paths, at least the .xml file where the configuration of the plugin is stored couldn’t be changed.
1 Like
Hi @geschnei
thank you for your feature / port request 
We would like to offer a port of the Crowd Plugin soon.
However, this will no longer be for version 2.x, but for 3.x. You can already find out what a changeover means for you here: https://scm-manager.org/blog/posts/2024-01-30-scm-manager-3-0-0/
Stay tuned, hopefully I can share more information soon.
1 Like
I found a working solution by adding an additional meta database to the existing OpenLDAP server with a DN above the existing database and adding the attribute olcSubordinate: TRUE to the existing database.
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb.la
olcModuleLoad: {1}back_meta.la
olcModuleLoad: {2}back_ldap
olcModuleLoad: {3}rwm
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=hostname,dc=example,dc=com
structuralObjectClass: olcHdbConfig
olcSubordinate: TRUE
dn: olcDatabase={2}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {2}meta
olcSuffix: dc=example,dc=com
olcDbOnErr: continue
olcDbCancel: abandon
olcDbTFSupport: no
structuralObjectClass: olcMetaConfig
dn: olcMetaSub={0}ad,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}ad
olcDbURI: ldaps://dc.example.com/DC=ad,DC=example,DC=
com
olcDbIDAssertAuthzFrom: {0}dn.regex:.*
olcDbIDAssertBind: bindmethod=simple binddn="CN=user,OU=service user
s,DC=ad,dc=example,dc=com" credentials="XXXXXXXXXXXXXXXXXXXXXXXX
XXXXX" flags=override mode=none
olcDbMap: {0}objectclass inetOrgPerson user
olcDbMap: {1}attribute uid sAMAccountName
olcDbMap: {2}attribute entryUUID objectGUID
olcDbMap: {3}objectclass groupOfUniqueNames group
olcDbMap: {4}attribute uniqueMember member
olcDbChaseReferrals: FALSE
olcDbNoRefs: TRUE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE
structuralObjectClass: olcMetaTargetConfig
Now under dc=example,dc=com I get the OUs ad and hostname, with the latter holding the local accounts and the former showing the entries from AD, with the attributes I need mapped to their corresponding names in OpenLDAP.
2 Likes
Hey, that sounds great. A big Thank You for sharing this solution in such detail with us and the community!