Date: Tue, 13 May 2003 08:54:37 +0200 (CEST)
From: Konrad Heuer <kheuer2@gwdg.de>
To: Guy Van Sanden <n.b@myrealbox.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: OpenLDAP authentication
Message-ID: <20030513082901.Q15079-100000@gwdu60.gwdg.de>
In-Reply-To: <1052732623.8864.56.camel@horus>
On 12 May 2003, Guy Van Sanden wrote:

> I'm thinking of switching my NIS based network to OpenLDAP.
>
> My server is FreeBSD 5; it serves NIS, NFS home directories, mail, etc.
> The clients are running Mandrake Linux 9.0 and 9.1, using MD5 passwords.
>
> I want to migrate the NIS maps to OpenLDAP (running on my FreeBSD
> server), and have everything else authenticate against it.
>
> In a second phase, I would like to migrate the authentication to a
> Kerberos 5 realm, with OpenLDAP.
> I have no idea yet how to get this working, and if it causes problems
> with the NFS server-clients.
>
> Any hints/tips or pointers to interesting documentation are very welcome.

I'm working on OpenLDAP based authentication to replace NIS together with a colleague of mine. We don't use any NIS maps besides passwd.byname, passwd.byuid, group.byname and group.bygid, so we migrate only this information to OpenLDAP.

The OpenLDAP server is running on FreeBSD 4.8-R; clients able to use the server for complete logins so far are (in our environment) running MacOS X Jaguar or SuSE Linux 8.1. Authentication alone has been successful on a FreeBSD 4.8 box, but NSS support is (as is well known) missing here. Our server only supports SSL connections on port 636 to make sure that no clear text password transmission happens.

Our experiences are: There are a sufficient number of more or less useful howtos you can "google" for, but still some pitfalls:

* You seem to need an official SSL server certificate, otherwise Mac OS X and SuSE Linux clients won't trust the server.

* I gave up connecting a Debian Linux system to the server because the precompiled Debian LDAP packages don't seem to support SSL encryption. I had no luck compiling the stuff myself on the Debian box, but this may be my fault since my focus is on FreeBSD and not on Linux.

* SuSE Linux clients expect that anonymous binds to the OpenLDAP server are possible. Mac OS X and FreeBSD clients (concerning pure authentication) behave differently, but SuSE Linux seems to ignore any entries in ldap.conf concerning client authentication. Thus, you have to grant anonymous access to those data on the LDAP server which are equivalent to the data in /etc/passwd; the encrypted password can (and should, of course) be protected against anonymous access!

At the moment, we have no plans to use Kerberos.

These are my experiences so far; it would be nice to read about those of others migrating to OpenLDAP ...

Best regards
Konrad

Konrad Heuer (kheuer2@gwdg.de)
GWDG
Am Fassberg
37077 Goettingen
Germany
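The server-side setup Konrad describes (SSL-only service, anonymous read access to the /etc/passwd-equivalent attributes so that SuSE clients can resolve accounts, and userPassword shielded from anonymous binds) expressed as an OpenLDAP 2.x slapd.conf fragment. This is an added example, not configuration from the post or from GWDG; the suffix, the rootdn and the certificate paths are assumptions, and a real deployment would adjust them.

```conf
# slapd.conf fragment (added example, not from the original mail).
# Assumed suffix, rootdn and certificate locations.

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema

# TLS material: a certificate the clients' CA store already trusts
# (the post notes Mac OS X and SuSE refuse self-issued ones by default).
TLSCertificateFile      /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile   /usr/local/etc/openldap/server.key
TLSCACertificateFile    /usr/local/etc/openldap/ca.crt

database        bdb
suffix          "dc=example,dc=org"
rootdn          "cn=Manager,dc=example,dc=org"
# Keep the rootpw hashed, never in clear text.
rootpw          {SSHA}replace-with-a-real-hash

# Access control is evaluated first-match, so the userPassword rule
# must come before the catch-all.
#  - the owner may change their own password
#  - anonymous may only use it for a bind ("auth"), never read it
#  - everybody else gets nothing
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The remaining posixAccount / posixGroup attributes (uid, uidNumber,
# gidNumber, homeDirectory, loginShell, memberUid, ...) correspond to
# what /etc/passwd and /etc/group expose anyway, so anonymous read
# access here is what the SuSE client needs and does not leak secrets.
access to *
        by * read
```

The fragment on its own does not disable the clear-text port; that is done where slapd is started, for example with `slapd -h ldaps:///` (on FreeBSD typically via `slapd_flags` in rc.conf), so only port 636 is served. A quick check of the ACL after a restart is `ldapsearch -x -H ldaps://server/ -b dc=example,dc=org uid=someuser`: the entry should come back without a userPassword attribute when bound anonymously.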