Re: OpenLDAP Backend Guide?
On 31 Mar 2008 at 18:53, Buchan Milne wrote:
> On Thursday 27 March 2008 20:56:50 billbaird3 wrote:
>> Hi,
>>
>> I'm looking to set up Heimdal with an OpenLDAP backend to use with a new
>> OpenAFS deployment. Most of the guides/howtos I have found reference old
>> versions of OpenLDAP (2.0, 2.1, etc...current stable is 2.3) and older
>> versions of Heimdal. Is there a current guide out there? Or can anyone
>> confirm that the steps listed in the Heimdal documentation are still
>> current?
>> Any help would be much appreciated, thanks!
>>
>> http://www.h5l.org/manual/heimdal-1-1-branch/info/heimdal.html#Using-LDAP-to-store-the-database
>
> The inaccuracies I see are:
> - Does --hdb-openldap-module really work? I haven't succeeded with this (so
> heimdal in Mandriva depends on libldap).
It did work; will put up a todo item before Heimdal 1.2.
> - No patching is necessary
Thanks, fixed the documentation.
>
> -The sasl-regexp needs to use a correctly normalized form, e.g.:
>
> sasl-regexp "gidNumber=0\\\
> +uidNumber=0,cn=peercred,cn=external,cn=auth" ....
Already fixed, thanks.
> - I haven't seen corruption of the krb5Key attribute (but I've only used
> hdb-ldap on OpenLDAP 2.3).
> - I can't remember having seen hdb-ldap-structural-object do what it's
> supposed to do.
Hmmm, I guess I need to check this too and write some tests for it?
>
> - The availability of the smbk5pwd overlay should probably be mentioned.
Can you propose a text?
> Besides these differences, no decent example is given for mapping
> non-local-root identities to DNs. I am using this:
>
> sasl-regexp
> uid=(.*),cn=ranger.dnsalias.com,cn=gssapi,cn=auth
> ldap:///dc=ranger,dc=dnsalias,dc=com??sub?
> (krb5PrincipalName=$1@RANGER.DNSALIAS.COM)
Can you provide more text about this? It sounds very useful.
>> Also, is anyone here using a combination of Heimdal, OpenLDAP, Samba w/LDAP
>> & OpenAFS. I would love to hear any feedback about this sort of setup...
>
> I don't use AFS, but I have the rest working ok on my own machines
> (totalling 5).
>
> In my opinion, the biggest problems with such a setup relate to different
> implementations of password policy enforcement (expiry, lockout, complexity)
> which are not adhered to by more than one technology. So, while OpenLDAP
> supports having multiple password policies (which are stored in-directory),
> Heimdal doesn't. The attributes all differ, and none of the technologies
> update all the attributes (Heimdal does update Samba's pwdLastSet attribute
> IIRC, maybe others) of any of the others (let alone all). I was hoping to
> improve this on the OpenLDAP side (since it has the most comprehensive
> password policy support), but haven't had enough time to spend on it.
> Progress on the Kerberos end to standardise LDAP attributes for
> Kerberos-related information would improve matters ...
Is there an easy way to feed password updates back through OpenLDAP and that
way make kadmin/kpasswdd use that service instead of doing its own LDAP
updates?
Love
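Added illustration, not part of the thread and not code from Heimdal or OpenLDAP: a small Python model of how slapd applies the two sasl-regexp (authz-regexp) rules quoted above, so the normalization point Buchan raises and the GSSAPI-to-DN mapping can be checked offline. It assumes the identity forms slapd builds for EXTERNAL/peercred and GSSAPI binds (`gidNumber=...+uidNumber=...,cn=peercred,cn=external,cn=auth` and `uid=<principal>,cn=<realm lowercased>,cn=gssapi,cn=auth`, the latter as implied by the thread's own example), first-match rule order, case-insensitive full-string matching, and an assumed root DN `cn=Manager,dc=ranger,dc=dnsalias,dc=com` as the peercred target.

```python
import re
from typing import List, Optional, Tuple

# Constructed rule table modelled on the two sasl-regexp lines in the thread.
# Each pattern is written as slapd sees it after slapd.conf unescaping, so the
# peercred rule matches a literal '+' between the two normalized RDN values.
# The manager DN is an assumption for this example.
AUTHZ_RULES: List[Tuple[str, str]] = [
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "cn=Manager,dc=ranger,dc=dnsalias,dc=com"),
    (r"uid=(.*),cn=ranger.dnsalias.com,cn=gssapi,cn=auth",
     "ldap:///dc=ranger,dc=dnsalias,dc=com??sub?"
     "(krb5PrincipalName=$1@RANGER.DNSALIAS.COM)"),
]


def gssapi_authcid_to_dn(principal: str) -> str:
    """SASL authentication DN slapd derives from a GSSAPI principal
    (assumed form: uid=<primary[/instance]>,cn=<realm lowercased>,cn=gssapi,cn=auth)."""
    primary, _, realm = principal.rpartition("@")
    return f"uid={primary},cn={realm.lower()},cn=gssapi,cn=auth"


def peercred_authcid_to_dn(uid: int, gid: int) -> str:
    """Normalized ldapi:// EXTERNAL identity: in the multi-valued RDN the
    attribute types are ordered, which is why gidNumber comes before uidNumber."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def map_authz(sasl_dn: str, rules: List[Tuple[str, str]] = AUTHZ_RULES) -> Optional[str]:
    """Apply the rules in order; the first full match wins and $1..$9 are
    substituted from the capture groups. None means no rule matched, so the
    identity keeps its unmapped cn=auth DN and gets no directory rights from these rules."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
        if m is None:
            continue
        out = replacement
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace(f"${i}", group or "")
        return out
    return None


if __name__ == "__main__":
    # Constructed identities: local root over ldapi://, a normal local user,
    # a principal from the configured realm, and one from a foreign realm.
    for ident in (peercred_authcid_to_dn(0, 0),
                  peercred_authcid_to_dn(1000, 1000),
                  gssapi_authcid_to_dn("bob@RANGER.DNSALIAS.COM"),
                  gssapi_authcid_to_dn("eve@OTHER.EXAMPLE")):
        print(f"{ident}\n  -> {map_authz(ident)}")
    # The unnormalized ordering Buchan warns about silently fails to match:
    print(map_authz("uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth"))
```

The last line is the check worth keeping around: a rule written in the unnormalized `uidNumber=0+gidNumber=0` order never matches, so root over ldapi:// quietly falls back to an unmapped identity instead of the manager DN. Note also that the `(.*)` capture in the GSSAPI rule forwards whatever primary/instance the KDC issued into the search filter; a narrower class such as `([^,/]+)` restricts the mapping to plain user principals if that is the intent.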