From: Christopher Sean Hilton <chris@vindaloo.com>
To: Jon Theil Nielsen
Cc: freebsd-questions@freebsd.org
Date: Tue, 25 Mar 2008 13:02:59 -0400
Subject: Re: A general purpose LDAP solution?
Message-Id: <6325AD65-1AA1-4E62-A31B-2479FE38DCA8@vindaloo.com>
In-Reply-To: <8f82c35c0803241540k36c8d551tfcfd172d6a4a7f9b@mail.gmail.com>

On Mar 24, 2008, at 6:40 PM, Jon Theil Nielsen wrote:

> I asked this on freebsd-net@ but got no replies. So now I ask the same
> question here.
>
>> Hi list!
>>
>> I have speculated a lot about implementation of (Open)LDAP on my
>> server. But I haven't yet found the right (and logical) way to do it.
>>
>> I'm running FreeBSD 7.0-Release with some different server
>> applications:
>> - Samba PDC
>> - Virtual mail server (Postfix, MySQL, Courier-IMAP)
>> - VPN (currently with mpd4)
>> - Apache-2.2.8 web server (with PHP and MySQL)
>>
>> I would like to implement LDAP for:
>> - authentication of UNIX/login users
>> - authentication of Samba users
>> - authentication/authorization of virtual mail users
>>
>> For the first part, I got useful information from a previous thread
>> (http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2008-02/msg01047.html)
>> and for the second part, I guess there are sufficient howtos to make
>> it work.
>>

Tim Judd's advice is good for a start. I'm currently using ldap for
authentication of:

  Jabber (directly)
  WebDAV (through Apache2's mod_auth_ldap)
  inbound email (imap/pop)
  outbound email (smtp+auth)

As a general rule the experience has been very positive. The biggest
issues that I've run into are maintenance of the underlying ldap
database, which involves keeping tiny ldif files scattered around.
Certainly the biggest hassle is in doing ldapadd and ldapmodify from the
command line with all the torturous options that you have to provide
(BindDN, BindPassword, TargetDN). Nonetheless it's been a generally
positive experience.

In looking at your list of applications it seems that most of them will
support ldap authentication directly. Mpd4 doesn't, but it does support
Radius, so it looks like you'll have to build radius to authenticate
against LDAP and then have mpd4 authenticate against radius. SMTP is
similar. It doesn't support authentication via LDAP directly. It uses
SASL, which can also authenticate against LDAP.

>> My biggest question right now is if it is possible to combine all three
>> things in one data structure. And in which order I should make
>> the different implementations.
>>
>> Excuse my total lack of understanding, but is it possible to have a
>> structure with a superior unit such as OU= which
>> could contain several virtual domains and the actual domain for my
>> PDC?
>>

The answer to this question would be a set of non-conflicting ldap
schemas to support the functions that you need. If your needs are simple
authentication, the schemas that ship with openldap will provide fruit.
If you want to make ldap your database for delivering mail to virtual
users there are a few paths out there. Courier had/has a schema for
supporting virtual users that could be banged into shape, but if I recall
correctly its support for keeping virtual domain information in ldap is
lacking. Phamm, /usr/ports/net/phamm, completely supports virtual domains
and virtual users including delegation of user management. E.g. the user
hostmaster@example.com can reset passwords for @example.com. Phamm also
has a neat web interface for administration. However, when I was setting
it up I found it overly complex for my needs. Like using a Formula 1 car
for a grocery run. However, I think that it even works with the Samba
schema, so it may be exactly what you want.

>> --
>> Jon Theil Nielsen
>
> Oh, I forgot one more thing: I would also like to be able to
> authenticate VPN users the same way.

mpd4 + radius + ldap should get you where you want to be.

-- 
Chris
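The two practical points in the thread, keeping the directory data out of "tiny ldif files scattered around" and laying out one tree that holds UNIX/Samba users next to several virtual mail domains, can be demonstrated with a small generator. The following is an added example written for this page; it is not code from the thread, from OpenLDAP, or from Phamm. It assumes a suffix of dc=example,dc=com, an ou=People subtree for login users and an ou=Domains subtree with one child per virtual mail domain (all constructed choices), and it uses only object classes from the schemas that ship with OpenLDAP (core, cosine, inetorgperson, nis); Samba and Phamm attributes are not modelled. It writes RFC 2849 LDIF, base64-encoding values the format does not allow in plain form, folds long lines, hashes passwords with the {SSHA} scheme that slappasswd produces so no plaintext ever lands in an LDIF file, and parses its own output back so the layout can be checked before it is loaded.

```python
"""Generate one LDIF file for a combined users + virtual-domains tree (constructed example)."""
import base64
import hashlib
import os

BASE_DN = "dc=example,dc=com"  # assumed suffix; not taken from the thread

_UNSAFE_INIT = (b" ", b":", b"<")  # RFC 2849: a plain value may not start with these


def ldif_line(attr, value):
    """Render 'attr: value', switching to 'attr:: base64' when RFC 2849 requires it."""
    data = value.encode("utf-8")
    unsafe = (
        data[:1] in _UNSAFE_INIT
        or data.endswith(b" ")                      # trailing space: RFC says encode it
        or any(c in (0, 10, 13) or c > 127 for c in data)  # NUL, LF, CR, non-ASCII
    )
    if unsafe:
        return f"{attr}:: {base64.b64encode(data).decode('ascii')}"
    return f"{attr}: {value}"


def fold(line, width=76):
    """Fold a long line; continuation lines begin with one space (RFC 2849)."""
    parts = [line[:width]]
    for i in range(width, len(line), width - 1):
        parts.append(" " + line[i:i + width - 1])
    return "\n".join(parts)


def entry_to_ldif(dn, attrs):
    """Serialise one entry; attrs values may be a string or a list of strings."""
    lines = [ldif_line("dn", dn)]
    for attr, values in attrs.items():
        for v in (values if isinstance(values, list) else [values]):
            lines.append(ldif_line(attr, v))
    return "\n".join(fold(line) for line in lines) + "\n"


def ssha_password(password, salt=None):
    """{SSHA} as produced by 'slappasswd -h {SSHA}': base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored, password):
    """Verify a candidate password against a stored {SSHA} value (what slapd does on bind)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def posix_user(uid, cn, sn, uid_number, gid_number, password_hash):
    """A login user under ou=People (posixAccount + inetOrgPerson, standard schemas)."""
    dn = f"uid={uid},ou=People,{BASE_DN}"
    attrs = {
        "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
        "uid": uid, "cn": cn, "sn": sn,
        "uidNumber": str(uid_number), "gidNumber": str(gid_number),
        "homeDirectory": f"/home/{uid}", "loginShell": "/bin/sh",
        "userPassword": password_hash,
    }
    return dn, attrs


def virtual_domain(domain):
    """One subtree per virtual mail domain under ou=Domains (constructed layout)."""
    dn = f"dc={domain},ou=Domains,{BASE_DN}"
    return dn, {"objectClass": ["dcObject", "organization"], "dc": domain, "o": domain}


def virtual_mailbox(local, domain, cn, sn, password_hash):
    """A mailbox inside its domain's subtree, keyed by the full address."""
    address = f"{local}@{domain}"
    dn = f"mail={address},dc={domain},ou=Domains,{BASE_DN}"
    return dn, {"objectClass": ["inetOrgPerson"], "cn": cn, "sn": sn,
                "mail": address, "userPassword": password_hash}


def parse_ldif(text):
    """Parse LDIF back into [(dn, {attr: [values]})], undoing folding and base64 (text values only)."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.split("\n"):
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]            # continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest[1:] if rest.startswith(" ") else rest
            if attr == "dn":
                dn = value
            else:
                attrs.setdefault(attr, []).append(value)
        entries.append((dn, attrs))
    return entries


def build_directory():
    """Constructed sample: one login user, one virtual domain and one mailbox in it."""
    pw = ssha_password("change-me")  # constructed sample password
    entries = [
        posix_user("alice", "Alice Example", "Example", 1001, 1001, pw),
        virtual_domain("example.net"),
        virtual_mailbox("bob", "example.net", "Bob Example", "Example", pw),
    ]
    return "\n".join(entry_to_ldif(dn, attrs) for dn, attrs in entries)


if __name__ == "__main__":
    print(build_directory(), end="")
```

Run it and feed the output to ldapadd once, e.g. `python3 gen.py > tree.ldif && ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=com" -y /root/.ldappw -f tree.ldif`; `-y` reads the bind password from a file, so it never appears in the process list the way `-w password` does, and putting URI and BASE in ~/.ldaprc removes two more of the repeated options the reply complains about. Regenerating the whole tree from one script also keeps the user and domain records in a single reviewable source instead of scattered hand-edited files.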