From: "Outback Dingo" <outbackdingo@gmail.com>
To: "Christopher Sean Hilton" <chris@vindaloo.com>
Cc: Jon Theil Nielsen, freebsd-questions@freebsd.org
Date: Wed, 26 Mar 2008 00:53:05 +0700
Subject: Re: A general purpose LDAP solution?

GOSA is another nice, feature-full LDAP manager in PHP; it does Samba, DNS, mail, web, Asterisk, etc.

On Wed, Mar 26, 2008 at 12:02 AM, Christopher Sean Hilton <chris@vindaloo.com> wrote:
>
> On Mar 24, 2008, at 6:40 PM, Jon Theil Nielsen wrote:
>
> > I asked this on freebsd-net@ but got no replies. So now I ask the same
> > question here.
> >
> >> Hi list!
> >>
> >> I have speculated a lot about implementation of (Open)LDAP on my
> >> server. But I haven't yet found the right (and logical) way to do it.
> >> I'm running FreeBSD 7.0-Release with some different server applications:
> >> - Samba PDC
> >> - Virtual mail server (Postfix, MySQL, Courier-IMAP)
> >> - VPN (currently with mpd4)
> >> - Apache-2.2.8 web server (with PHP and MySQL)
> >> I would like to implement LDAP for:
> >> - authentication of UNIX/login users
> >> - authentication of Samba users
> >> - authentication/authorization of virtual mail users
> >> For the first part, I got useful information from a previous thread
> >> (http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2008-02/msg01047.html)
> >> and for the second part, I guess there are sufficient howtos to make it
> >> work.
> >>
>
> Tim Judd's advice is good for a start. I'm currently using ldap for
> authentication of:
>
> Jabber (directly)
> WebDAV (through Apache2's mod_auth_ldap)
> inbound email (imap/pop)
> outbound email (smtp+auth)
>
> As a general rule the experience has been very positive. The biggest
> issues that I've run into are maintenance of the underlying ldap
> database, which involves keeping tiny ldif files scattered around.
> Certainly the biggest hassle is in doing ldapadd and ldapmodify from
> the command line with all the torturous options that you have to
> provide (BindDn, BindPassword, TargetDN).
>
> Nonetheless it's been a generally positive experience. In looking at
> your list of applications it seems that most of them will support ldap
> authentication directly. Mpd4 doesn't, but it does support Radius, so it
> looks like you'll have to build radius to authenticate against LDAP
> and then have mpd4 authenticate against radius. SMTP is similar. It
> doesn't support authentication via LDAP directly. It uses SASL, which
> can also authenticate against LDAP.
>
> >> My biggest question right now is if it is possible to combine all three
> >> things in one data structure. And in which order I should make
> >> the different implementations.
> >> Excuse my total lack of understanding, but is it possible to have a
> >> structure with a superior unit such as OU= which
> >> could contain several virtual domains and the actual domain for my
> >> PDC?
> >>
>
> The answer to this question would be a set of non-conflicting ldap
> schemas to support the functions that you need. If your needs are
> simple authentication, the schemas that ship with openldap will provide
> fruit. If you want to make ldap your database for delivering mail to
> virtual users, there are a few paths out there. Courier had/has a
> schema for supporting virtual users that could be banged into shape,
> but if I recall correctly its support for keeping virtual domain
> information in ldap is lacking. Phamm, /usr/ports/net/phamm, completely
> supports virtual domains and virtual users, including delegation of
> user management. E.g. the user hostmaster@example.com can reset
> passwords for @example.com. Phamm also has a neat web interface
> for administration. However, when I was setting it up I found it
> overly complex for my needs. Like using a Formula 1 car for a grocery
> run. However, I think that it even works with the Samba schema, so it
> may be exactly what you want.
>
> >> --
> >> Jon Theil Nielsen
> >
> > Oh, I forgot one more thing: I would also like to be able to
> > authenticate VPN users the same way.
>
> mpd4 + radius + ldap should get you where you want to be.
>
> -- Chris
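As an added example (not code from this thread, nor from Phamm, GOsa or OpenLDAP), the following Python script builds the kind of tree Jon asks about: an `ou=domains` container holding one `ou` per virtual domain, with user entries that carry `posixAccount` (UNIX login), `sambaSamAccount` (Samba) and `inetOrgPerson`'s `mail` attribute (virtual mail) side by side, so the three authentication needs share one data structure. It also hashes `userPassword` as `{SSHA}`, so the "tiny ldif files scattered around" that Chris mentions never hold cleartext credentials. The base DN, the shared `gidNumber`, the `/var/vmail` layout and the RID derivation (`2*uidNumber+1000`, the smbldap-tools convention) are assumptions.

```python
import base64, hashlib, os

def ssha_password(plain, salt=None):
    """RFC 2307 {SSHA} userPassword value: base64(sha1(password + salt) + salt).
    Storing this instead of cleartext keeps credentials out of stray LDIF files."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(plain.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(stored, plain):
    """Verify a cleartext password against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hashlib.sha1(plain.encode("utf-8") + salt).digest() == digest

def ldif_entry(dn, attrs):
    """Serialise one entry; a list value becomes repeated attribute lines."""
    lines = ["dn: " + dn]
    for key, values in attrs.items():
        for value in (values if isinstance(values, list) else [values]):
            lines.append(f"{key}: {value}")
    return "\n".join(lines) + "\n"

def virtual_domain_ldif(base_dn, domains, domain_sid):
    """LDIF for ou=domains,<base_dn>: one ou per virtual domain and, under it,
    one account per user usable by NSS/PAM (posixAccount), Samba (sambaSamAccount)
    and mail lookups (inetOrgPerson 'mail'). domains maps a domain name to a
    list of (uid, uidNumber, cleartext_password) tuples."""
    entries = [ldif_entry(f"ou=domains,{base_dn}",
                          {"objectClass": ["top", "organizationalUnit"], "ou": "domains"})]
    for domain, users in domains.items():
        domain_dn = f"ou={domain},ou=domains,{base_dn}"
        entries.append(ldif_entry(domain_dn,
                                  {"objectClass": ["top", "organizationalUnit"], "ou": domain}))
        for uid, uid_number, password in users:
            entries.append(ldif_entry(f"uid={uid},{domain_dn}", {
                "objectClass": ["top", "inetOrgPerson", "posixAccount", "sambaSamAccount"],
                "uid": uid, "cn": uid, "sn": uid,
                "mail": f"{uid}@{domain}",
                "uidNumber": str(uid_number),
                "gidNumber": "10000",  # assumed: one shared vmail group
                "homeDirectory": f"/var/vmail/{domain}/{uid}",  # assumed layout
                "sambaSID": f"{domain_sid}-{2 * uid_number + 1000}",  # assumed smbldap-tools RID rule
                "userPassword": ssha_password(password),
            }))
    return "\n".join(entries)
```

Samba authenticates against `sambaNTPassword` rather than `userPassword`, so after loading this output with `ldapadd` the NT hash still has to be set (for example with `smbpasswd`) before the PDC part works.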