Re: OpenLDAP Backend Guide?
On Thursday 27 March 2008 20:56:50 billbaird3 wrote:
> Hi,
>
> I'm looking to setup Heimdal with an OpenLDAP backend to use with a new
> OpenAFS deployment. Most of the guides/howtos I have found reference old
> versions of OpenLDAP (2.0, 2.1, etc...current stable is 2.3) and older
> version of Heimdal. Is there a current guide out there? Or can anyone
> confirm that the steps listed in the heimdal documentation are still current?
> Any help would be much appreciated, thanks!
>
> http://www.h5l.org/manual/heimdal-1-1-branch/info/heimdal.html#Using-LDAP-to-store-the-database
The inaccuracies I see are:
- Does --hdb-openldap-module really work? I haven't succeeded with this (so
heimdal in Mandriva depends on libldap).
- No patching is necessary.
- The sasl-regexp needs to use a correctly normalized form, e.g.:
sasl-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" ....
- I haven't seen corruption of the krb5Key attribute (but I've only used
hdb-ldap on OpenLDAP 2.3).
- I can't remember having seen hdb-ldap-structural-object do what it's supposed
to do.
- The availability of the smbk5pwd overlay should probably be mentioned.
Besides these differences, no decent example is given for mapping
non-local-root identities to DNs; I am using this:
sasl-regexp
uid=(.*),cn=ranger.dnsalias.com,cn=gssapi,cn=auth
ldap:///dc=ranger,dc=dnsalias,dc=com??sub?
(krb5PrincipalName=$1@RANGER.DNSALIAS.COM)
> Also, is anyone here using a combination of Heimdal, OpenLDAP, Samba w/LDAP
> & OpenAFS. I would love to hear any feedback about this sort of setup...
I don't use AFS, but I have the rest working ok on my own machines (totalling
5).
In my opinion, the biggest problems with such a setup relate to different
implementations of password policy enforcement (expiry, lockout, complexity)
which are not adhered to by more than one technology. So, while OpenLDAP
supports having multiple password policies (which are stored in-directory),
Heimdal doesn't. The attributes all differ, and none of the technologies
update all the attributes (Heimdal does update Samba's pwdLastSet attribute
IIRC, maybe others) of any of the others (let alone all). I was hoping to
improve this on the OpenLDAP side (since it has the most comprehensive
password policy support), but haven't had enough time to spend on it.
Progress on the Kerberos end to standardise LDAP attributes for
Kerberos-related information would improve matters ...
Regards,
Buchan
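To show how the two sasl-regexp rules in the mail above turn a SASL authentication identity into either a fixed DN or an LDAP URL search, here is a small model of that mapping. It is an added example, not code from the original post or from OpenLDAP; the peercred target DN, the whole-string case-insensitive match, and the escaping of the substituted value inside the URL filter are assumptions about slapd's behaviour that you should check against your own version.

```python
import re
from urllib.parse import unquote

# Constructed rules, taken from the sasl-regexp lines in the mail; the target
# DN for the peercred rule (elided as "...." there) is an assumed value.
SASL_REGEXP_RULES = [
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "cn=Manager,dc=ranger,dc=dnsalias,dc=com"),
    # Unescaped '.' in the realm matches any character, so consider '\.'
    # if you want the rule to match only this exact realm.
    (r"uid=(.*),cn=ranger.dnsalias.com,cn=gssapi,cn=auth",
     "ldap:///dc=ranger,dc=dnsalias,dc=com??sub?"
     "(krb5PrincipalName=$1@RANGER.DNSALIAS.COM)"),
]


def escape_filter_value(value):
    """RFC 4515 escaping so a principal name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def map_authzid(authzid, rules=SASL_REGEXP_RULES):
    """Apply the first matching rule. Returns {"dn": ...} for a plain DN,
    a dict with base/attrs/scope/filter for an LDAP URL, or None if no
    rule matches (slapd would then keep the raw SASL DN)."""
    for pattern, replacement in rules:
        # Assumption: whole-string, case-insensitive match (REG_ICASE).
        m = re.fullmatch(pattern, authzid, flags=re.IGNORECASE)
        if not m:
            continue
        is_url = replacement.startswith("ldap:///")

        def sub(g):
            captured = m.group(int(g.group(1))) or ""
            # Assumption: values landing in a URL filter are filter-escaped.
            return escape_filter_value(captured) if is_url else captured

        result = re.sub(r"\$(\d)", sub, replacement)
        if not is_url:
            return {"dn": result}
        # ldap:///base?attrs?scope?filter, with missing parts defaulted.
        parts = (result[len("ldap:///"):].split("?", 3) + ["", "", ""])[:4]
        base, attrs, scope, flt = (unquote(p) for p in parts)
        return {"base": base, "attrs": attrs, "scope": scope or "base",
                "filter": flt}
    return None
```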