Authenticating against multiple LDAP servers

We have two LDAP sources that contain users that need to be authenticated with SCM-Manager: an Active Directory and an OpenLDAP server. With SCM-Manager 1.x we used the Crowd connector plugin to authenticate against our Crowd instance, but this plugin is not available for SCM-Manager 2.x and the author doesn’t show any interest in updating it for 2.x.

Is there any way to allow SCM-Manager to authenticate against more than one LDAP server? I tried creating a copy of the plugin directory and editing the .xml file to modify paths and identifiers to be able to configure it a second time, but I guess it contains some hard-coded paths; at least the .xml file where the configuration of the plugin is stored couldn’t be changed.


Hi @geschnei

Thank you for your feature/port request 🙂

We would like to offer a port of the Crowd Plugin soon.
However, this will no longer be for version 2.x, but for 3.x. You can already find out what a changeover means for you here: https://scm-manager.org/blog/posts/2024-01-30-scm-manager-3-0-0/

Stay tuned, hopefully I can share more information soon.


I found a working solution by adding an additional meta database to the existing OpenLDAP server with a DN above the existing database and adding the attribute olcSubordinate: TRUE to the existing database.

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb.la
olcModuleLoad: {1}back_meta.la
olcModuleLoad: {2}back_ldap
olcModuleLoad: {3}rwm

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=hostname,dc=example,dc=com
structuralObjectClass: olcHdbConfig
olcSubordinate: TRUE

dn: olcDatabase={2}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {2}meta
olcSuffix: dc=example,dc=com
olcDbOnErr: continue
olcDbCancel: abandon
olcDbTFSupport: no
structuralObjectClass: olcMetaConfig

dn: olcMetaSub={0}ad,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}ad
olcDbURI: ldaps://dc.example.com/DC=ad,DC=example,DC=
 com
olcDbIDAssertAuthzFrom: {0}dn.regex:.*
olcDbIDAssertBind: bindmethod=simple binddn="CN=user,OU=service user
 s,DC=ad,dc=example,dc=com" credentials="XXXXXXXXXXXXXXXXXXXXXXXX
 XXXXX" flags=override mode=none
olcDbMap: {0}objectclass inetOrgPerson user
olcDbMap: {1}attribute uid sAMAccountName
olcDbMap: {2}attribute entryUUID objectGUID
olcDbMap: {3}objectclass groupOfUniqueNames group
olcDbMap: {4}attribute uniqueMember member
olcDbChaseReferrals: FALSE
olcDbNoRefs: TRUE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE
structuralObjectClass: olcMetaTargetConfig

Now under dc=example,dc=com I get the OUs ad and hostname, with the latter holding the local accounts and the former showing the entries from AD, with the attributes I need mapped to their corresponding names in OpenLDAP.

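A way to sanity-check such a glue configuration before loading it into cn=config, as an added example that is not from this thread, SCM-Manager or OpenLDAP: the script unfolds cn=config LDIF (continuation lines start with a space, as in the posted olcDbURI), then verifies that every olcSubordinate database and every back_meta target's naming context sits under the meta suffix, and that targets use ldaps:// or StartTLS so proxied bind passwords do not cross the network in cleartext. The LDIF it reads is a constructed sample modelled on the posted one.

```python
# Consistency checks for an OpenLDAP cn=config fragment that glues a remote directory
# under a local suffix with back_meta. Added example; the LDIF is a constructed sample.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=hostname,dc=example,dc=com
olcSubordinate: TRUE

dn: olcDatabase={2}meta,cn=config
olcSuffix: dc=example,dc=com

dn: olcMetaSub={0}ad,olcDatabase={2}meta,cn=config
olcDbURI: ldaps://dc.example.com/DC=ad,DC=example,DC=
 com
"""

def parse_ldif(text):
    """Unfold continuation lines; return entries as {lowercase attr: [values]}."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:  # trailing blank flushes the last entry
        if raw.startswith(" ") and last:
            current[last][-1] += raw[1:]  # LDIF folding: drop exactly one leading space
        elif raw:
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
        elif current:
            entries.append(current)
            current, last = {}, None
    return entries

def is_under(child, parent):  # case-insensitive: child equals or lies below parent
    c, p = (",".join(r.strip().lower() for r in d.split(",")) for d in (child, parent))
    return c == p or c.endswith("," + p)

def check_meta_config(text):
    """Return findings as strings; an empty list means the glue setup is consistent."""
    entries = parse_ldif(text)
    meta = next(e for e in entries
                if e["dn"][0].lower().startswith("olcdatabase=") and "meta" in e["dn"][0].lower())
    suffix, findings = meta["olcsuffix"][0], []
    for e in entries:
        dn = e["dn"][0]
        if e.get("olcsubordinate", [""])[0].upper() == "TRUE" and not is_under(e["olcsuffix"][0], suffix):
            findings.append(f"{dn}: subordinate suffix {e['olcsuffix'][0]} is not under {suffix}")
        if dn.lower().startswith("olcmetasub="):
            scheme, _, rest = e["olcdburi"][0].partition("://")
            remote = rest.partition("/")[2]  # naming context after the host[:port] part
            if scheme != "ldaps" and "olcdbstarttls" not in e:
                findings.append(f"{dn}: URI scheme {scheme} without StartTLS forwards bind passwords in cleartext")
            if not is_under(remote, suffix):
                findings.append(f"{dn}: remote naming context {remote} is outside {suffix}; needs suffixmassage")
    return findings
```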

Hey, that sounds great. A big thank you for sharing this solution in such detail with us and the community!