By: valsaraj viswanathan user 23 Oct 2017 at 2:31 a.m. CDT

6 Responses
Is there any option to use our LDAP server instead of Gluu LDAP for Gluu SSO authentication?

By Aliaksandr Samuseu staff 23 Oct 2017 at 7 a.m. CDT

Hi, Valsaraj. To use an LDAP backend for authentication you need 2 things:

1. Configure synchronisation between Gluu and the backend: [docs](https://gluu.org/docs/ce/3.1.1/user-management/ldap-sync/)
2. Configure authentication: [docs](https://gluu.org/docs/ce/3.1.1/authn-guide/basic/#basic-authentication-using-remote-ldap-backends)

By valsaraj viswanathan user 23 Oct 2017 at 7:28 a.m. CDT

Is it possible without the first step? Can we avoid sync & directly authenticate against the backend LDAP?

By Aliaksandr Samuseu staff 23 Oct 2017 at 7:34 a.m. CDT

No, Gluu aggregates all users' data in its internal LDAP server and uses it to serve requests, regardless of what method of authentication is used. So you always need some kind of synchronisation with your remote user databases.

By Michael Schwartz Account Admin 23 Oct 2017 at 9:20 a.m. CDT

Valsaraj, You have two options:

1. Use cache refresh, sync the users, but not the passwords with your backend server.
2. Write a custom authentication script, send the authentication to the backend LDAP... if the user is not also found locally, add (without the password). In other words, do dynamic enrollment.

- Mike

By valsaraj viswanathan user 23 Oct 2017 at 10:43 a.m. CDT

Hi Mike, Is there any sample available for a custom authentication script? Thanks!

By Aliaksandr Samuseu staff 23 Oct 2017 at 10:49 a.m. CDT

Valsaraj, you can find the whole set of scripts existing at the moment [here](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations). Please note what Michael mentioned, though: whichever of them you choose, you still need to ensure a cached entry of each user exists locally in Gluu's LDAP (so, at the least, you'll need to do the dynamic enrolment he suggested; for examples of it you may check the `gplus`, `duo` or `saml` scripts, to name a few).
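
The dynamic enrollment flow discussed in this thread, as an added example that is not part of any post and does not use Gluu's custom-script API: `FakeBackend`, `authenticate`, `local_store` and the sample user are constructed stand-ins. It rejects empty passwords before the backend bind, escapes the username in the search filter, and creates the local entry, without a password, only after the backend accepts the credentials.

```python
# Illustrative only: FakeBackend and local_store are constructed stand-ins,
# not Gluu's custom-script API or a real LDAP client.

def escape_filter_value(value):
    """Escape user input for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


class FakeBackend:
    """Constructed in-memory stand-in for the remote LDAP directory."""

    def __init__(self, users):
        self.users = users  # uid -> {"dn": ..., "password": ..., "mail": ...}

    def search_dn(self, ldap_filter):
        for uid, user in self.users.items():
            if ldap_filter == "(uid=%s)" % escape_filter_value(uid):
                return user["dn"]
        return None

    def bind(self, dn, password):
        # Mimics a server that reports success for a simple bind with an
        # empty password (RFC 4513 "unauthenticated bind").
        if password == "":
            return True
        return any(u["dn"] == dn and u["password"] == password
                   for u in self.users.values())

    def read(self, dn):
        user = next(u for u in self.users.values() if u["dn"] == dn)
        return {"mail": user["mail"]}


def authenticate(uid, password, backend, local_store):
    """Return the local entry on success, None on failure."""
    if not uid or not password:
        return None  # never let an empty password reach the backend bind
    dn = backend.search_dn("(uid=%s)" % escape_filter_value(uid))
    if dn is None or not backend.bind(dn, password):
        return None  # no local entry is created for failed logins
    attrs = backend.read(dn)
    entry = local_store.setdefault(uid, {"uid": uid})  # dynamic enrollment
    entry["mail"] = attrs["mail"]  # refresh attributes; password is not copied
    return entry


# Constructed sample user for the example.
BACKEND = FakeBackend({"alice": {"dn": "uid=alice,ou=people,o=example",
                                 "password": "s3cret", "mail": "alice@example.org"}})
```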