Date: Tue, 25 Mar 2008 13:02:59 -0400
From: Christopher Sean Hilton <chris@vindaloo.com>
To: Jon Theil Nielsen <jontheil@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: A general purpose LDAP solution?
Message-ID: <6325AD65-1AA1-4E62-A31B-2479FE38DCA8@vindaloo.com>
In-Reply-To: <8f82c35c0803241540k36c8d551tfcfd172d6a4a7f9b@mail.gmail.com>
References: <8f82c35c0803231523i52e55906tfd3cf96b36fe70d7@mail.gmail.com> <8f82c35c0803231526n5a429cb5t1c81a7f98dfb19ea@mail.gmail.com> <8f82c35c0803241540k36c8d551tfcfd172d6a4a7f9b@mail.gmail.com>
On Mar 24, 2008, at 6:40 PM, Jon Theil Nielsen wrote:

> I asked this on freebsd-net@ but got no replies. So now I ask the same
> question here.
>
>> Hi list!
>>
>> I have speculated a lot about implementation of (Open)LDAP on my
>> server. But I haven't yet found the right (and logical) way to do it.
>> I'm running FreeBSD 7.0-Release with some different server
>> applications
>> - Samba PDC
>> - Virtual mail server (Postfix, MySQL, Courier-IMAP)
>> - VPN (currently with mpd4)
>> - Apache-2.2.8 web server (with PHP and MySQL)
>> I would like to implement LDAP for:
>> - authentication of UNIX/login users
>> - authentication of Samba users
>> - authentication/authorization of virtual mail users
>> For the first part, I got useful information from a previous thread
>> (http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2008-02/msg01047.html)
>> and for the second part, I guess there are sufficient howtos to make
>> it work.

Tim Judd's advice is good for a start. I'm currently using ldap for
authentication of:

  Jabber (directly)
  WebDAV (through Apache2's mod_auth_ldap)
  inbound email (imap/pop)
  outbound email (smtp+auth)

As a general rule the experience has been very positive. The biggest
issue that I've run into is maintenance of the underlying ldap database,
which involves keeping tiny ldif files scattered around. Certainly the
biggest hassle is in doing ldapadd and ldapmodify from the command line
with all the torturous options that you have to provide (BindDn,
BindPassword, TargetDN). Nonetheless it's been a generally positive
experience.

In looking at your list of applications it seems that most of them will
support ldap authentication directly. Mpd4 doesn't, but it does support
Radius, so it looks like you'll have to build radius to authenticate
against LDAP and then have mpd4 authenticate against radius. SMTP is
similar. It doesn't support authentication via LDAP directly. It uses
SASL, which can also authenticate against LDAP.

>> My biggest question right now is if it is possible to combine all three
>> things in one data structure. And in which order I should make
>> the different implementations.
>> Excuse my total lack of understanding, but is it possible to have a
>> structure with a superior unit such as OU=<some organization> which
>> could contain several virtual domains and the actual domain for my
>> PDC?

The answer to this question would be a set of non-conflicting ldap
schemas to support the functions that you need. If your needs are simple
authentication, the schemas that ship with openldap will provide fruit.
If you want to make ldap your database for delivering mail to virtual
users there are a few paths out there. Courier had/has a schema for
supporting virtual users that could be banged into shape, but if I
recall correctly its support for keeping virtual domain information in
ldap is lacking. Phamm, /usr/ports/net/phamm, completely supports
virtual domains and virtual users including delegation of user
management. E.g. the user hostmaster@example.com can reset passwords for
<user>@example.com. Phamm also has a neat web interface for
administration. However, when I was setting it up I found it overly
complex for my needs. Like using a Formula 1 car for a grocery run.
However I think that it even works with the Samba schema so it may be
exactly what you want.

>> --
>> Jon Theil Nielsen
>
> Oh, I forgot one more thing: I would also like to be able to
> authenticate VPN users the same way.

mpd4 + radius + ldap should get you where you want to be.

--
Chris
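The layout Jon asks about (one suffix holding the UNIX/Samba people plus several virtual mail domains) comes down to choosing non-conflicting schemas and then generating the LDIF consistently instead of hand-editing the scattered files Chris complains about. The script below is an added example for this thread, not code from the original posts nor from OpenLDAP, Courier or phamm. It assumes a suffix of dc=example,dc=com with ou=People, ou=Groups and ou=Domains as top-level containers (all assumed names), uses only the core inetOrgPerson/posixAccount/shadowAccount/posixGroup/domain classes that ship with OpenLDAP, keeps mail-only identities under their own dc=<domain> subtree so that a per-domain delegation ACL of the kind phamm offers has a subtree to point at, and hashes every userPassword as {SSHA} so that no LDIF file on disk carries a cleartext password. The Samba and Courier attributes are deliberately left out, since their names are not on this page; the sample users and domains are constructed.

```python
"""Generate LDIF for one OpenLDAP DIT holding login users, groups and several
virtual mail domains.  Added example for this thread; the suffix and the OU
names are assumptions, the sample data is constructed."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Union

BASE_DN = "dc=example,dc=com"            # assumed suffix
PEOPLE_DN = "ou=People," + BASE_DN       # UNIX/Samba login identities
GROUPS_DN = "ou=Groups," + BASE_DN       # posixGroup entries
DOMAINS_DN = "ou=Domains," + BASE_DN     # one dc=<domain> subtree per virtual domain


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as slapd stores it: base64(SHA1(password || salt) || salt).
    A fresh random salt per entry makes identical passwords hash differently."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the hash using the salt that trails the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def _safe(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, no leading space, ':' or '<',
    no trailing space.  Anything else must be written base64 with a '::' separator."""
    if value == "":
        return True
    if value[0] in " :<" or value[-1] == " ":
        return False
    return all(0 < ord(c) < 128 and c not in "\r\n" for c in value)


def _line(name: str, value: str) -> str:
    if _safe(value):
        return f"{name}: {value}"
    return name + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


Attrs = Dict[str, Union[str, List[str]]]


def ldif_entry(dn: str, attrs: Attrs) -> str:
    """Serialise one entry; multi-valued attributes become one line per value."""
    lines = [_line("dn", dn)]
    for name, values in attrs.items():
        for v in (values if isinstance(values, list) else [values]):
            lines.append(_line(name, v))
    return "\n".join(lines) + "\n"


def containers() -> List[str]:
    """Fixed skeleton: the suffix plus the three top-level OUs (parents first)."""
    dc = BASE_DN.split(",")[0].split("=")[1]
    ou = lambda name: ldif_entry(f"ou={name},{BASE_DN}",
                                 {"objectClass": ["top", "organizationalUnit"], "ou": name})
    return [ldif_entry(BASE_DN, {"objectClass": ["top", "dcObject", "organization"],
                                 "dc": dc, "o": dc}),
            ou("People"), ou("Groups"), ou("Domains")]


def posix_user(uid: str, cn: str, sn: str, uid_number: int, gid_number: int,
               password: str, salt: Optional[bytes] = None) -> str:
    """A login user: nss_ldap/pam_ldap need posixAccount, mail clients use inetOrgPerson."""
    return ldif_entry(f"uid={uid},{PEOPLE_DN}", {
        "objectClass": ["top", "inetOrgPerson", "posixAccount", "shadowAccount"],
        "uid": uid, "cn": cn, "sn": sn,
        "uidNumber": str(uid_number), "gidNumber": str(gid_number),
        "homeDirectory": f"/home/{uid}", "loginShell": "/bin/sh",
        "userPassword": ssha(password, salt)})


def posix_group(cn: str, gid_number: int, members: List[str]) -> str:
    return ldif_entry(f"cn={cn},{GROUPS_DN}", {
        "objectClass": ["top", "posixGroup"], "cn": cn,
        "gidNumber": str(gid_number), "memberUid": list(members)})


def virtual_domain(domain: str) -> str:
    return ldif_entry(f"dc={domain},{DOMAINS_DN}", {"objectClass": ["top", "domain"], "dc": domain})


def virtual_mailbox(domain: str, local: str, cn: str, sn: str,
                    password: str, salt: Optional[bytes] = None) -> str:
    """Mail-only identity: no posixAccount, so a mailbox never becomes a shell login."""
    return ldif_entry(f"uid={local},dc={domain},{DOMAINS_DN}", {
        "objectClass": ["top", "inetOrgPerson"], "uid": local, "cn": cn, "sn": sn,
        "mail": f"{local}@{domain}", "userPassword": ssha(password, salt)})


def build_directory() -> str:
    """Constructed sample: two login users, one group, two virtual domains with a mailbox each.
    Order matters for ldapadd: every parent entry precedes its children."""
    entries = containers()
    entries.append(posix_group("staff", 1000, ["alice", "bob"]))
    entries.append(posix_user("alice", "Alice Example", "Example", 1001, 1000, "alice-pw"))
    entries.append(posix_user("bob", "Bob Example", "Example", 1002, 1000, "bob-pw"))
    for domain, local in (("example.org", "postmaster"), ("example.net", "sales")):
        entries.append(virtual_domain(domain))
        entries.append(virtual_mailbox(domain, local, local.title(), domain, "mail-pw"))
    return "\n".join(entries)


if __name__ == "__main__":
    print(build_directory())
```

Feed the output to ldapadd on stdin, e.g. `python3 gen_ldif.py | ldapadd -x -H ldap://localhost -D cn=admin,dc=example,dc=com -y /root/.ldappw` (assumed admin DN and path): `-y` reads the bind password from a mode-0600 file, whereas `-w` puts it on the command line where every user on the box can read it from ps output. Putting the server and bind DN once into ldap.conf, or into a small wrapper like this, removes most of the "torturous options" Chris mentions.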