From: "Jon Theil Nielsen" <jontheil@gmail.com>
To: Dave
Date: Thu, 14 Feb 2008 19:39:38 +0100
Subject: Re: LDAP user authentication?
Message-ID: <8f82c35c0802141039j1b9338b9n7d4e436c4c6b3707@mail.gmail.com>
In-Reply-To: <000701c86f18$0dadeea0$0200a8c0@satellite>
List: freebsd-questions@freebsd.org (User questions)

2008/2/14, Dave :
> Hi,
> Actually I'm only using jails, because I haven't got all the bugs worked
> out yet, and when I do I'm going to just copy the files over and go
> production. Other than that these files will work for a FreeBSD system. In
> brief you'll need the OpenLDAP server and client ports (I'm using 2.4), the
> pam_ldap port and the nss_ldap port. Go configure all that and that'll do it.
> Take it in stages: slapd first, the LDAP client next, then either pam_ldap
> or nss_ldap. One thing you'll definitely want is TLS encryption; can't help
> with that as I'm still trying to get that working.
> If you need any help let me know, I'll do what I can.
>
> Dave.
>
> ----- Original Message -----
> From: "Jon Theil Nielsen"
> To: "Dave"
> Cc:
> Sent: Thursday, February 14, 2008 7:20 AM
> Subject: Re: LDAP user authentication?
>
> >> > I have googled for a very long time, but I haven't found any useful
> >> > howto on this issue. Well, there is
> >> > http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
> >> > but that seems to be a bit confusing and not up-to-date. I guess it
> >> > _should_ be possible - and indeed very useful (especially combined
> >> > with a Samba PDC and an easily maintainable mail server). So please, if
> >> > you have any experiences or knowledge of a useful description..!
> >> >
> >> > Regards,
> >> > Jon Theil Nielsen
>
> 2008/2/14, Dave :
> >> Hi,
> >> I am far from an expert, in fact I'm still learning. I don't know a lot
> >> of the jargon, that is I still get the more intense terms mixed up, but
> >> I've been banging my head against LDAP for about a month now and am
> >> starting to show results. Right now I'm using LDAP in jails on FreeBSD 6.2
> >> as I don't have all the bugs worked out to go production. I've got a
> >> directory that is a user addressbook as well as handles authentication of
> >> users, both for the jailed LDAP server, but for two other jailed
> >> environments, one the LDAP client, the other just a test machine. I've
> >> also authenticated a Linux box against this server that works fine with a
> >> few tweaks. Right now I've got a jail specifically for a testmail setup;
> >> I'm going to try to hook email services, pop/imap, smtp, etc. into LDAP.
> >> If you have IM abilities I can talk more there, but basically it's
> >> definitely not trivial to get going, in my opinion; others might differ.
> >> Dave.

Thanks a lot. That might be interesting. TLS might not be that vital, since
I'm mostly thinking of a solution on my own servers and primarily only on
the central one. When I was on Linux, PAM was almost a must, but I think it
is different on FreeBSD, so I guess I would prefer the solution with
nss_ldap. You are right, nothing severe will happen if I try to get the
LDAP server and client up and running in the first place. As far as I
remember, the most critical issue was how to initialize the database and
how to make a reasonable structure suited for both user authentication,
Samba and some mail server. Right now I have two parallel structures, one
for Samba/system users and one for (virtual) mail users. I still wonder why
a "universal" implementation of LDAP authentication on FreeBSD is not
described anywhere.

But if I find the time and energy, I might try to experiment on my own and
might also return to you if I have more specific issues.

Regards,
Jon
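Added example, not part of this thread: a POSIX sh script that checks each stage Dave lists (slapd answering, client config complete, nss_ldap/pam_ldap actually wired in, and TLS with a verified server certificate rather than a plain bind). The config paths, the /etc/pam.d/system service name and the localhost URI are assumptions based on FreeBSD port defaults; override them in the environment.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the staged LDAP
# client setup: server reachable, client config complete, nss_ldap/pam_ldap
# wired in, TLS on. Paths are assumptions (FreeBSD port defaults).
NSS_LDAP_CONF=${NSS_LDAP_CONF:-/usr/local/etc/nss_ldap.conf}
PAM_LDAP_CONF=${PAM_LDAP_CONF:-/usr/local/etc/ldap.conf}
NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
PAM_SERVICE=${PAM_SERVICE:-/etc/pam.d/system}
LDAP_URI=${LDAP_URI:-ldap://localhost/}

# Stage 1: is slapd answering? Anonymous root-DSE read via ldapsearch(1).
slapd_reachable() {
    ldapsearch -x -H "$1" -s base -b '' '(objectClass=*)' >/dev/null 2>&1
}

# Stage 2: a client config must at least name a server and a search base.
ldap_conf_complete() {
    grep -Eq '^[[:space:]]*(uri|host)[[:space:]]+[^[:space:]]' "$1" &&
    grep -Eq '^[[:space:]]*base[[:space:]]+[^[:space:]]' "$1"
}

# Stage 3: nss_ldap only acts if nsswitch.conf lists ldap for passwd and
# group; pam_ldap only if the PAM service has pam_ldap.so in its auth stack.
nsswitch_uses_ldap() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]ldap([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}
pam_uses_ldap() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(sufficient|required|requisite)[[:space:]]+.*pam_ldap\.so' "$1"
}

# Stage 4: a simple bind sends the password, so transport must be ldaps:// or
# StartTLS AND the server must be verified (CA set, tls_checkpeer not "no").
ldap_conf_tls_ok() {
    grep -Eq '^[[:space:]]*(uri[[:space:]]+ldaps://|ssl[[:space:]]+(start_tls|on))' "$1" || return 1
    grep -Eq '^[[:space:]]*tls_cacert(file|dir)[[:space:]]+[^[:space:]]' "$1" || return 1
    ! grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+no' "$1"
}

report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }
run_checks() {
    report slapd_reachable "$LDAP_URI"
    for f in "$NSS_LDAP_CONF" "$PAM_LDAP_CONF"; do
        report ldap_conf_complete "$f"
        report ldap_conf_tls_ok "$f"
    done
    report nsswitch_uses_ldap "$NSSWITCH"
    report pam_uses_ldap "$PAM_SERVICE"
}
case "${1:-}" in --run) run_checks ;; esac
```

Run it as `sh check-ldap-client.sh --run` on the client host; a FAIL on the TLS check for either config file means passwords still cross the wire in clear text.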