
Re: OpenLDAP Backend Guide?

On 31 Mar 2008, at 18:53, Buchan Milne wrote:

> On Thursday 27 March 2008 20:56:50 billbaird3 wrote:
>> Hi,
>> I'm looking to set up Heimdal with an OpenLDAP backend to use with a new
>> OpenAFS deployment. Most of the guides/howtos I have found reference old
>> versions of OpenLDAP (2.0, 2.1, etc.; current stable is 2.3) and older
>> versions of Heimdal. Is there a current guide out there? Or can anyone
>> confirm that the steps listed in the Heimdal documentation are still
>> current?
>> Any help would be much appreciated, thanks!
>> http://www.h5l.org/manual/heimdal-1-1-branch/info/heimdal.html#Using-LDAP-to-store-the-database
> The inaccuracies I see are:
> - Does --hdb-openldap-module really work? I haven't succeeded with this (so
> heimdal in Mandriva depends on libldap).

It did work; I'll put up a todo item before Heimdal 1.2.

> - No patching is necessary

Thanks, fixed the documentation.

> - The sasl-regexp needs to use a correctly normalized form, e.g.:
> sasl-regexp "gidNumber=0\\\ 
> +uidNumber=0,cn=peercred,cn=external,cn=auth" ....

Already fixed, thanks.

> - I haven't seen corruption of the krb5Key attribute (but I've only used
> hdb-ldap on OpenLDAP 2.3).
> - I can't remember having seen hdb-ldap-structural-object do what it's
> supposed to do.

Hmmm, I guess I need to check this too and write some tests for it?

> - The availability of the smbk5pwd overlay should probably be mentioned.

Can you propose a text?

> Besides these differences, no decent example is given for mapping
> non-local-root identities to DNs, I am using this:
> sasl-regexp
>          uid=(.*),cn=ranger.dnsalias.com,cn=gssapi,cn=auth
>          ldap:///dc=ranger,dc=dnsalias,dc=com??sub?(krb5PrincipalName=$1@RANGER.DNSALIAS.COM)

Can you provide more text about this? It sounds very useful.

>> Also, is anyone here using a combination of Heimdal, OpenLDAP, Samba w/LDAP
>> & OpenAFS. I would love to hear any feedback about this sort of setup...
> I don't use AFS, but I have the rest working ok on my own machines (totalling
> 5).
> In my opinion, the biggest problems with such a setup relate to different
> implementations of password policy enforcement (expiry, lockout, complexity)
> which are not adhered to by more than one technology. So, while OpenLDAP
> supports having multiple password policies (which are stored in-directory),
> Heimdal doesn't. The attributes all differ, and none of the technologies
> update all the attributes (Heimdal does update Samba's pwdLastSet attribute
> IIRC, maybe others) of any of the others (let alone all). I was hoping to
> improve this on the OpenLDAP side (since it has the most comprehensive
> password policy support), but haven't had enough time to spend on it.
> Progress on the Kerberos end to standardise LDAP attributes for
> Kerberos-related information would improve matters ...

Is there an easy way to feed password updates back through OpenLDAP
and that way make kadmin/kpasswdd use that service instead of doing its
own LDAP updates?
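As an added illustration of the two sasl-regexp rules quoted in this thread (this is not code from the thread, from Heimdal or from OpenLDAP), the Python below simulates how slapd applies such rules: the SASL authentication DN (peercred for local root over ldapi://, or uid=...,cn=REALM,cn=gssapi,cn=auth for a GSSAPI principal) is matched against each regexp in turn, the capture groups are substituted into the replacement, and a replacement that is an LDAP search URL is resolved against the directory and must yield exactly one entry. The realm, base DN, admin DN and the in-memory directory are constructed values; the patterns are anchored with ^ and $ here as a tightening choice, and real slapd additionally normalizes and escapes the substituted values, which this simulation does not.

```python
import re

# Constructed in-memory directory (DN -> attributes), standing in for the
# real DIT under dc=ranger,dc=dnsalias,dc=com.  "carol" is deliberately
# present twice to show what happens when an authz search is ambiguous.
DIRECTORY = {
    "uid=bob,ou=people,dc=ranger,dc=dnsalias,dc=com": {
        "krb5PrincipalName": ["bob@RANGER.DNSALIAS.COM"],
    },
    "uid=alice,ou=people,dc=ranger,dc=dnsalias,dc=com": {
        "krb5PrincipalName": ["alice@RANGER.DNSALIAS.COM",
                              "alice/admin@RANGER.DNSALIAS.COM"],
    },
    "uid=carol,ou=people,dc=ranger,dc=dnsalias,dc=com": {
        "krb5PrincipalName": ["carol@RANGER.DNSALIAS.COM"],
    },
    "uid=carol,ou=contractors,dc=ranger,dc=dnsalias,dc=com": {
        "krb5PrincipalName": ["carol@RANGER.DNSALIAS.COM"],
    },
}

# Rules in the shape of slapd's sasl-regexp / authz-regexp directives:
# (POSIX regexp matched against the normalized authentication DN,
#  replacement DN or LDAP search URL with $1..$9 substitutions).
# The peercred form is the normalized one noted in the thread; the GSSAPI
# rule is the mapping Buchan posted, anchored here (an assumption).
AUTHZ_RULES = [
    (r"^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$",
     "cn=admin,dc=ranger,dc=dnsalias,dc=com"),          # hypothetical admin DN
    (r"^uid=([^,]+),cn=ranger\.dnsalias\.com,cn=gssapi,cn=auth$",
     "ldap:///dc=ranger,dc=dnsalias,dc=com??sub?"
     "(krb5PrincipalName=$1@RANGER.DNSALIAS.COM)"),
]

# Only the pieces of an LDAP URL / filter this toy needs: a base, an empty
# attribute list, a scope, and a single equality filter.
URL_RE = re.compile(
    r"^ldap:///(?P<base>[^?]*)\?(?P<attrs>[^?]*)\?(?P<scope>[^?]*)\?(?P<filter>.*)$")
FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z0-9]+)=(?P<value>[^)]*)\)$")


def rewrite_authc_dn(authc_dn, rules=AUTHZ_RULES):
    """Apply the first matching rule and return the substituted replacement
    (a DN or an LDAP search URL), or None if no rule matches.  Real slapd
    escapes substituted values; this simulation inserts them verbatim."""
    for pattern, template in rules:
        m = re.match(pattern, authc_dn)
        if m:
            out = template
            for i, group in enumerate(m.groups(), start=1):
                out = out.replace(f"${i}", group)
            return out
    return None


def resolve_authz_dn(authc_dn, directory=DIRECTORY, rules=AUTHZ_RULES):
    """Return the directory DN the SASL identity is mapped to, or None.

    A plain DN replacement is returned as-is.  A search URL is evaluated
    against the in-memory directory (subtree scope only) and must match
    exactly one entry, mirroring slapd's requirement that an authz search
    produce a single result; zero or several matches map to nothing."""
    target = rewrite_authc_dn(authc_dn, rules)
    if target is None:
        return None
    url = URL_RE.match(target)
    if not url:
        return target                      # replacement was a literal DN
    if url.group("scope") != "sub":
        return None                        # toy: only subtree scope modelled
    flt = FILTER_RE.match(url.group("filter"))
    if not flt:
        return None
    base = url.group("base").lower()
    hits = [dn for dn, attrs in directory.items()
            if dn.lower().endswith(base)
            and flt.group("value") in attrs.get(flt.group("attr"), [])]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for identity in ("gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth",
                     "uid=bob,cn=ranger.dnsalias.com,cn=gssapi,cn=auth",
                     "uid=carol,cn=ranger.dnsalias.com,cn=gssapi,cn=auth",
                     "uid=bob,cn=other.example,cn=gssapi,cn=auth"):
        print(f"{identity}\n  -> {resolve_authz_dn(identity)}")
```

On a real server the equivalent check is to bind with the mechanism in question and ask the server who it thinks you are, e.g. `ldapwhoami -Y EXTERNAL -H ldapi:///` for the peercred rule and `ldapwhoami -Y GSSAPI -H ldap://server` after `kinit`; the printed `dn:` line should be the mapped directory entry, not the raw `cn=auth` identity, and an ambiguous or unmatched mapping shows up there as the identity falling back to its unmapped form or the bind being refused.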