[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OpenLDAP Backend Guide?

On Thursday 27 March 2008 20:56:50 billbaird3 wrote:
> Hi,
> I'm looking to setup Heimdal with an OpenLDAP backend to use with a new
> OpenAFS deployment. Most of the guides/howtos I have found reference old
> versions of OpenLDAP (2.0, 2.1, etc...current stable is 2.3) and older
> version of Heimdal. Is there a current guide out there? Or can anyone
> confirm that the steps listed in the heimdal documetation is still current?
> Any help would be much appreciated, thanks!
> http://www.h5l.org/manual/heimdal-1-1-branch/info/heimdal.html#Using-LDAP-t

The inaccuracies I see are:
- Does –hdb-openldap-module really work? I haven't succeeded with this (so 
heimdal in Mandriva depends on libldap).
-No patching is necessary
-The sasl-regexp needs to use a correctly normalized form, e.g.:

sasl-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" ....

-I haven't seen corruption of the krb5Key attribute (but I've only used 
hdb-ldap on OpenLDAP 2.3).
-I can't remember having seen hdb-ldap-structural-object do what it's supposed 
to do.
-The availability of the smbk5pwd overlay should probably be mentioned.

Besides these differences, no decent example is given for mapping 
non-local-root identities to DNs, I am using this:


> Also, is anyone here using a combination of Heimdal, OpenLDAP, Samba w/LDAP
> & OpenAFS. I would love to hear any feedback about this sort of setup...

I don't use AFS, but I have the rest working ok on my own machines (totalling 

In my opinion, the biggest problems with such a setup relate to different 
implementations of password policy enforcement (expiry, lockout, complexity) 
which are not adhered to by more than one technology. So, while OpenLDAP 
supports having multiple password policies (which are stored in-directory), 
Heimdal doesn't. The attributes all differ, and none of the technologies 
update all the attributes (Heimdal does update Samba's pwdLastSet attribute 
IIRC, maybe others) of any of the others (let alone all). I was hoping to 
improve this on the OpenLDAP side (since it has the most comprehensive 
password policy support), but haven't had enough time to spend on it. 
Progress on the Kerberos end to standardise LDAP attributes for 
Kerberos-related information would improve matters ...