Is it possible to connect to external OpenLDAP without storing?

By: Hao Bin Kwan Account Admin 03 Mar 2017 at 4:13 a.m. CST

5 Responses
Hao Bin Kwan gravatar
Hi Support, We would like to use Gluu's IDP to connect to our external OpenLDAP but not storing the users in Gluu, is it possible? I managed to use Cache Refresh to achieve that but the Refresh Method is "Copy" which means the users are actually 'imported' into Gluu which we are trying to avoid that. Besides, I also tried disable Cache Refresh and change LDAP authentication to my own test OpenLDAP and apparently I'm not able to login to GLuu admin ui anymore with any user in my OpenLDAP, neither can I authenticate with any SP. Additionally, we also would like to retrieve attributes from external LDAP to be released to SP. Any help is much appreciated!
CentOS72
closed

Answers

By Hao Bin Kwan Account Admin 03 Mar 2017 at 4:53 a.m. CST

Copy
Hao Bin Kwan gravatar
I have another question somewhat related to the original question above. Both are our main concerns. We're using saml interception script (https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/saml) to redirect users to Asimba Proxy and authenticate with external IDP, however we prefer to **not** create a local ldap entry for each new inbound SAML user. But the property saml_deployment_type has only these values (map/enroll/enroll_all_attr) available which all will create a local ldap entry. How can we prevent that? ie. not storing any user in Gluu. Thanks, Kwan.

By Mohib Zico Account Admin 03 Mar 2017 at 6:09 a.m. CST

Copy
Mohib Zico gravatar
If you run Cache Refresh, there is no way you can avoid caching user's information inside 'ou=people' tree of Gluu Server. However for your case.. you can take out ldap server totally out of Gluu Server. Like some remote ldap server sitting in some trusted place and Gluu will use to store it's configuration and data there inside of that remote ldap server. In that case, you won't use 'localhost:1636' anywhere but you will use remote_server:1636 in all configurations of Gluu Server.

By Hao Bin Kwan Account Admin 03 Mar 2017 at 11:59 a.m. CST

Copy
Hao Bin Kwan gravatar
Hi Mohib, If I understand you correctly, I have to copy gluu configuration data to my existing openldap server? Is there any documentation for it? Thanks.

By Hao Bin Kwan Account Admin 07 Mar 2017 at 3:26 a.m. CST

Copy
Hao Bin Kwan gravatar
Hi, Second part of question: > But the property saml_deployment_type has only these values (map/enroll/enroll_all_attr) available which all will create a local ldap entry. How can we prevent that? ie. not storing any user in Gluu. Can we somehow achieve this without storing user & attributes in Gluu? Otherwise, how can 'enroll' keep an up-to-date attributes (for users who already exists in Gluu), whenever there is update in external IDP? Thank you.

By Mohib Zico Account Admin 07 Mar 2017 at 3:35 a.m. CST

Copy
Mohib Zico gravatar
Hi Hao, >> If I understand you correctly, I have to copy gluu configuration data to my existing openldap server? Yes. >> Is there any documentation for it? Sorry, nothing public yet. We have customers who did that and there are internal documentations. May be we will publish one for public access soon. >> Can we somehow achieve this without storing user & attributes in Gluu? Otherwise, how can 'enroll' keep an up-to-date attributes (for users who already exists in Gluu), whenever there is update in external IDP? Yes, there is should some value like 'not_enrolled' or something like that which won't save data. We might need to tweak [script](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/asimba) a bit for that.

Post an answer