From owner-freebsd-questions@FreeBSD.ORG Mon May 12 23:54:40 2003
Date: Tue, 13 May 2003 08:54:37 +0200 (CEST)
From: Konrad Heuer
To: Guy Van Sanden
cc: freebsd-questions@freebsd.org
Subject: Re: OpenLDAP authentication
In-Reply-To: <1052732623.8864.56.camel@horus>
Message-ID: <20030513082901.Q15079-100000@gwdu60.gwdg.de>
List-Id: User questions

On 12 May 2003, Guy Van Sanden wrote:

> I'm thinking of switching my NIS based network to OpenLDAP.
>
> My server is FreeBSD 5, it serves NIS, NFS home directories, mail, etc.
> The clients are running Mandrake Linux 9.0 and 9.1, using MD5 passwords.
>
> I want to migrate the NIS maps to OpenLDAP (running on my FreeBSD
> server), and have everything else authenticate against it.
>
> In a second phase, I would like to migrate the authentication to a
> Kerberos 5 realm, with OpenLDAP.
> I have no idea yet how to get this working, and if it causes problems
> with the NFS server-clients.
>
> Any hints/tips or pointers to interesting documentation are very welcome.

I'm working on OpenLDAP based authentication to replace NIS together with a colleague of mine. We don't use any NIS maps besides passwd.byname, passwd.byuid, group.byname and group.bygid, so we migrate only this information to OpenLDAP. The OpenLDAP server is running on FreeBSD 4.8-R; clients able to use the server for complete logins so far are (in our environment) running MacOS X Jaguar or SuSE Linux 8.1. Authentication alone has been successful on a FreeBSD 4.8 box, but NSS support is (as is well known) missing here. Our server only supports SSL connections on port 636 to make sure that no clear text password transmission happens.

Our experiences are: There are a sufficient number of more or less useful howtos you can "google" for, but still some pitfalls:

* You seem to need an official SSL server certificate, otherwise Mac OS X and SuSE Linux clients won't trust the server.

* I gave up connecting a Debian Linux system to the server because the precompiled Debian LDAP packages don't seem to support SSL encryption. I had no luck compiling the stuff myself on the Debian box, but this may be my fault since my focus is on FreeBSD and not on Linux.

* SuSE Linux clients expect that anonymous binds to the OpenLDAP server are possible. Mac OS X and FreeBSD clients (concerning pure authentication) behave differently, but SuSE Linux seems to ignore any entries in ldap.conf concerning client authentication. Thus, you have to grant anonymous access to those data on the LDAP server which are equivalent to the data in /etc/passwd; the encrypted password can (and of course should) be protected against anonymous access!

At the moment, we have no plans to use Kerberos.

These are my experiences so far; it would be nice to read about those of others migrating to OpenLDAP ...
Best regards
Konrad

Konrad Heuer (kheuer2@gwdg.de)
GWDG
Am Fassberg
37077 Goettingen
Germany
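The two server-side requirements the reply describes, an SSL-only service and anonymous read access to the /etc/passwd equivalent with the hash kept private, translate into a slapd.conf fragment like the following. This is an added example written for OpenLDAP 2.x, not the configuration from the post; the certificate paths, the base DN dc=example,dc=org and the cn=Manager rootdn are assumptions.

```conf
# slapd.conf fragment (OpenLDAP 2.x). Added example; paths and DNs are assumptions.

TLSCertificateFile    /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
TLSCACertificateFile  /usr/local/etc/openldap/ca.crt

# Reject every operation that does not arrive over TLS (ldaps:// on 636,
# or StartTLS), so a misconfigured client cannot send a password in clear
# even if slapd is accidentally started with a plain ldap:// listener.
security ssf=128

# ACLs are evaluated in order: the first "access to" that matches wins.
# The hash is readable by nobody. "auth" lets slapd compare it during a
# simple bind from an anonymous connection; "self write" allows passwd
# changes by the owner; the rootdn-like manager may replace it.
access to attrs=userPassword
        by self write
        by dn="cn=Manager,dc=example,dc=org" write
        by anonymous auth
        by * none

# Everything else under the base DN is the public /etc/passwd and /etc/group
# equivalent: anonymous (SuSE-style) clients may read it, only the manager writes.
access to dn.subtree="dc=example,dc=org"
        by dn="cn=Manager,dc=example,dc=org" write
        by * read
```

Order matters: if the subtree rule came first, its `by * read` would match userPassword too and expose the hashes. After loading the config, verify from a client with `ldapsearch -x -H ldaps://server/ -b dc=example,dc=org userPassword` and confirm the attribute is absent from the anonymous result, and that the same search over `ldap://` is refused.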
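The reply above moves only the passwd and group maps into the directory. The script below is an added example, not code from the post or from OpenLDAP: it converts lines in the passwd.byname / group.byname format (master.passwd fields, hash still present) into LDIF posixAccount and posixGroup entries. The base DN dc=example,dc=org, the ou=People and ou=Group containers, the uid cut-off for system accounts and the sample accounts are assumptions. The existing crypt(3)/MD5 hash is carried over into userPassword with the {CRYPT} scheme tag, which is exactly the attribute the server ACL has to hide from the anonymous readers that SuSE-style clients require.

```python
"""Convert NIS passwd/group map lines to LDIF for OpenLDAP.

Added example. The base DN, the containers, MIN_UID and the sample
accounts below are assumptions, not data from the mailing-list post.
"""
import base64
import re

BASE_DN = "dc=example,dc=org"          # assumption
PEOPLE_OU = f"ou=People,{BASE_DN}"     # assumption
GROUP_OU = f"ou=Group,{BASE_DN}"       # assumption
MIN_UID = 1000                          # assumption: skip system accounts below this

# Constructed sample input in passwd.byname / group.byname format
# (the hashes are placeholders, not real crypt output).
SAMPLE_PASSWD = """\
root:$1$abc$hashhash:0:0:Charlie Root:/root:/bin/csh
guy:$1$zYx$md5hashofguy:1001:1001:Guy Van Sanden:/home/guy:/bin/bash
konrad:$1$Qwe$md5hashofkonrad:1002:1001:Konrad Heuer:/home/konrad:/bin/tcsh
"""
SAMPLE_GROUP = """\
wheel:*:0:root
users:*:1001:guy,konrad
"""

_SAFE_RE = re.compile(r"^[\x20-\x7e]*$")


def ldif_value(attr, value):
    """Return 'attr: value', or the base64 form 'attr:: ...' when LDIF
    requires it (non-ASCII, leading space/colon/'<', trailing space)."""
    if (not _SAFE_RE.match(value) or value[:1] in (" ", ":", "<")
            or value.endswith(" ")):
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def passwd_entry(line):
    """Turn one passwd line into an LDIF entry.

    Returns None for malformed lines and for system accounts, which
    stay in the local /etc/master.passwd rather than the directory."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return None
    name, pw, uid, gid, gecos, home, shell = fields
    if not uid.isdigit() or int(uid) < MIN_UID:
        return None
    lines = [
        f"dn: uid={name},{PEOPLE_OU}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        ldif_value("uid", name),
        ldif_value("cn", gecos.split(",")[0] or name),
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        ldif_value("homeDirectory", home),
        ldif_value("loginShell", shell or "/bin/sh"),
        ldif_value("gecos", gecos),
    ]
    # Keep the existing hash unchanged; the {CRYPT} tag tells slapd to
    # verify it with crypt(3) on a simple bind. Locked accounts ('*'/'!')
    # get no userPassword at all, so they cannot bind.
    if pw and not pw.startswith(("*", "!")):
        lines.append(f"userPassword: {{CRYPT}}{pw}")
    return "\n".join(lines) + "\n"


def group_entry(line):
    """Turn one group line into a posixGroup entry (None if malformed)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 4:
        return None
    name, _, gid, members = fields
    lines = [
        f"dn: cn={name},{GROUP_OU}",
        "objectClass: top",
        "objectClass: posixGroup",
        ldif_value("cn", name),
        f"gidNumber: {gid}",
    ]
    lines += [ldif_value("memberUid", m) for m in members.split(",") if m]
    return "\n".join(lines) + "\n"


def convert(passwd_text, group_text):
    """Return one LDIF document covering both maps."""
    entries = [e for e in map(passwd_entry, passwd_text.splitlines(True)) if e]
    entries += [e for e in map(group_entry, group_text.splitlines(True)) if e]
    return "\n".join(entries)


if __name__ == "__main__":
    print(convert(SAMPLE_PASSWD, SAMPLE_GROUP))
```

Feed the real maps with something like `ypcat passwd` and `ypcat group` on the NIS master, then load the output over the encrypted port only (`ldapadd -x -H ldaps://server/ -D "cn=Manager,dc=example,dc=org" -W -f people.ldif`), since the LDIF contains every password hash in the network.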