From owner-freebsd-stable Thu Apr 22 2:48:50 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from mail.uct.ac.za (mail.uct.ac.za [137.158.128.3]) by hub.freebsd.org (Postfix) with ESMTP id 6689C14F99 for ; Thu, 22 Apr 1999 02:42:48 -0700 (PDT) (envelope-from dks@its.uct.ac.za)
Received: from dks.its.uct.ac.za ([137.158.27.4] helo=its.uct.ac.za) by mail.uct.ac.za with esmtp (Exim 2.05 #10) id 10aFy1-0002MZ-00; Thu, 22 Apr 1999 11:40:21 +0200
Message-ID: <371EEE55.7F81B034@its.uct.ac.za>
Date: Thu, 22 Apr 1999 11:39:34 +0200
From: Daniel Smith
Organization: University of Cape Town
X-Mailer: Mozilla 4.51 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-stable@FreeBSD.ORG
Cc: Sauder-News
Subject: Re: FreeBSD and Novell
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

Khetan Gajjar wrote:

> Around Yesterday, "Sauder-News" wrote :
>
> SN> we would like to have access to Novell's NDS thru LDAP NIS or any other way, like Solaris 2.5 via PAM does.
> SN> anyone who has experience with access to NDS.
> SN> We need to do authentication services for Squid Proxy and Sendmail userdatabase via Novell NDS.
>
> You could try mailing postmaster@mail.uct.ac.za
>
> They're using a Linux box with Simeon mail software to do account
> existence, password parsing and the like through NDS.

The setup we use consists of a stub library compiled into the application of your choice which gives an API of one function. This function takes parameters of an enum authentication type and then a string containing authentication-type specific parameters. The stub opens an SSL connection to another machine which is running what, for the sake of argument, I'll call an authentication agent.

Using a basic protocol, the stub library passes the agent the "credentials" it got from the API call and gets back a yes or no on their validity; this is passed out of the API call as a 1 or a 0.

We've hacked it this way so we can easily write the stubs in a language of choice - already got C and Perl; can move the stubs between platforms with minimum recoding; can add new authentication methods with backward compatibility; are not tied to auth methods available on a given platform and, most importantly, can hide the complexities of, say, NDS authentication, or certificate chains from other programmers who want to use this system.

Thusly, we've got NDS authentication via NT boxes for IMAP on Linux; bindery authentication for Perl CGI scripts on FreeBSD and, again, NDS authentication via an Apache auth module. We can bring in, say, client certificate stuff by simply writing a new authentication agent on a suitable platform.

The code works happily on our production boxes but there's lots of room for improvement. I'm certain there are similar systems already out there *shrug* I imagine this is similar to the PAM stuff although I haven't had time to check yet. It's certainly got similarities to Kerberos.

Anyway, anyone who's got access to MSVC6; reasonable grasp of the Netware NDS API and SSL and can stand wading through my C is welcome to contact me for a copy of the source code :-)

Cheers,
Daniel.

-----------------------------------------------------------
Daniel Smith
Senior Systems Software Programmer
University of Cape Town
Systems Administrator
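
The stub described in this message, sketched as an added example; it is not Daniel's code, which was not posted to the list. The wire format, enum values, reply string, size limits and all function names are assumptions. It shows the two properties a caller depends on: the agent's certificate is verified, and every error path returns 0.

```python
import enum
import socket
import ssl

class AuthType(enum.IntEnum):
    # Hypothetical numbering; the message names NDS and bindery as methods.
    NDS = 1
    BINDERY = 2

MAX_PARAMS = 1024  # assumed cap on the parameter string

def build_request(auth_type, params):
    """Assumed wire format: b'<type> <length>' + newline, then the UTF-8 params."""
    body = params.encode("utf-8")
    if len(body) > MAX_PARAMS:
        raise ValueError("parameter string too long")
    return b"%d %d\n" % (int(AuthType(auth_type)), len(body)) + body

def parse_reply(reply):
    """Only the exact assumed reply b'YES' + newline is a yes; all else is a no."""
    return 1 if reply == b"YES\n" else 0

def tls_connect(host, port, cafile):
    """TLS transport: the default context checks the agent's chain and hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    raw = socket.create_connection((host, port), timeout=5)
    return ctx.wrap_socket(raw, server_hostname=host)

def authenticate(auth_type, params, connect):
    """The single API call: 1 if the agent accepts the credentials, else 0.

    connect is a callable returning a connected socket, for example
    lambda: tls_connect("agent.example", 4433, "agent-ca.pem")  (placeholders).
    """
    try:
        request = build_request(auth_type, params)  # reject bad input before connecting
        with connect() as conn:
            conn.sendall(request)
            reply = b""
            while len(reply) < 16 and not reply.endswith(b"\n"):
                chunk = conn.recv(16)
                if not chunk:
                    break
                reply += chunk
        return parse_reply(reply)
    except (OSError, ValueError):
        return 0  # fail closed: TLS, network and input errors all mean "no"
```

Passing the transport in as `connect` keeps the protocol logic the same whichever agent the stub talks to, and lets it be exercised over a local socket pair without a live agent.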