Re: [HEADS UP]: OpenLDAP+nss_ldap+nss_modules separated patch and more (SoC)
- From: Brian Candler <B.Candler@xxxxxxxxx>
- Date: Tue, 29 Aug 2006 12:38:03 +0100
On Fri, Aug 25, 2006 at 10:14:55AM +0400, Michael Bushkov wrote:
> Tom McLaughlin wrote:
> > Will it also be possible to build openldap in base with SASL support?
> > My understanding is Windows AD environments by default require all
> > connections to be authenticated via kerberos. (It's also a requirement
> > for the samba+openldap+krb5 setup I'm doing for work. ;) I saw a
> > comment about adding support for krb5_ccname in the config file. That's
> > a very useful option in the PADL version so I'm guessing this was
> > written with supporting SASL in mind? Thanks.
> > tom
> Hi,
> sasl in OpenLDAP (and in nss_ldap) is supported in the way similar to
> Sendmail:
> CFLAGS+= ${OPENLDAP_CFLAGS}
> LDFLAGS+= ${OPENLDAP_LDFLAGS}
> LDADD+= ${OPENLDAP_LDADD}
> By defining,
> OPENLDAP_CFLAGS=-I/usr/local/include -DSASL
> OPENLDAP_LDFLAGS=-L/usr/local/lib
> OPENLDAP_LDADD=-lsasl
> you'll enable sasl support both for OpenLDAP and nss_ldap.
Perhaps the point is: "should FreeBSD be able to authenticate against a
Windows Active Directory LDAP server out-of-the-box?" I know at least one
environment which would be very keen on this. OTOH, that environment has
decided to go with Red Hat Enterprise Linux now anyway :-(
But if this worked out-of-the-box, with a nice HOWTO document which
explained step-by-step how to do it, that would be great.
Then we just need a second HOWTO document which showed how to replace your
Windows AD server with OpenLDAP running under FreeBSD :-)
It's perhaps worth pointing out that if you're building this from scratch,
and you care about security, then it's going to be complex whichever way you
go. If you're using LDAP over TLS then you need to build a certificate
authority (or buy certificates for your machines); if you're using LDAP with
GSSAPI then you need a Kerberos infrastructure.
Oh, one other piece of the pie which I don't think has been mentioned - what
about getting sshd to retrieve its authorized keys via LDAP? I seem to
remember seeing some patches to openssh floating around for this a while
ago, but don't know if they ever made it into the standard tree.
Regards,
Brian.
_______________________________________________
freebsd-current@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@xxxxxxxxxxx"