[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OpenLDAP Backend Guide?

To: heimdal-discuss@sics.se, Buchan Milne <bgmilne@mandriva.org>
Subject: Re: OpenLDAP Backend Guide?
From: Love Hörnquist Åstrand <lha@kth.se>
Date: Tue, 1 Apr 2008 09:40:03 +0200
Cc: billbaird3 <billbaird3@gmail.com>
In-Reply-To: <200803311853.50741.bgmilne@mandriva.org>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <16331158.post@talk.nabble.com> <200803311853.50741.bgmilne@mandriva.org>
Reply-To: heimdal-discuss@sics.se, Love Hörnquist Åstrand <lha@kth.se>


31 mar 2008 kl. 18.53 skrev Buchan Milne:

> On Thursday 27 March 2008 20:56:50 billbaird3 wrote:
>> Hi,
>>
>> I'm looking to setup Heimdal with an OpenLDAP backend to use with a  
>> new
>> OpenAFS deployment. Most of the guides/howtos I have found  
>> reference old
>> versions of OpenLDAP (2.0, 2.1, etc...current stable is 2.3) and  
>> older
>> version of Heimdal. Is there a current guide out there? Or can anyone
>> confirm that the steps listed in the heimdal documetation is still  
>> current?
>> Any help would be much appreciated, thanks!
>>
>> http://www.h5l.org/manual/heimdal-1-1-branch/info/heimdal.html#Using-LDAP-t
>> o-store-the-database
>
> The inaccuracies I see are:
> - Does –hdb-openldap-module really work? I haven't succeeded with  
> this (so
> heimdal in Mandriva depends on libldap).

It did work, will put up an item todo before heimdal 1.2.

> -No patching is necessary

Thanks fixed the documentation.

>
> -The sasl-regexp needs to use a correctly normalized form, e.g.:
>
> sasl-regexp "gidNumber=0\\\ 
> +uidNumber=0,cn=peercred,cn=external,cn=auth" ....

Already fixed, thanks.

> -I haven't seen corruption of the krb5Key attribute (but I've only  
> used
> hdb-ldap on OpenLDAP 2.3).
> -I can't remember having seen hdb-ldap-structural-object do what  
> it's supposed
> to do.

Hmmm, I guess I need to check this too and write some tests for it?

>
> -The availability of the smbk5pwd overlay should probably be  
> mentioned.

Can you propose a text ?

> Besides these differences, no decent example is given for mapping
> non-local-root identities to DNs, I am using this:
>
> sasl-regexp
>          uid=(.*),cn=ranger.dnsalias.com,cn=gssapi,cn=auth
>          ldap:///dc=ranger,dc=dnsalias,dc=com??sub?
> (krb5PrincipalName=$1@RANGER.DNSALIAS.COM)

Can you provide more text about this ? It sound very useful.

>> Also, is anyone here using a combination of Heimdal, OpenLDAP,  
>> Samba w/LDAP
>> & OpenAFS. I would love to hear any feedback about this sort of  
>> setup...
>
> I don't use AFS, but I have the rest working ok on my own machines  
> (totalling
> 5).
>
> In my opinion, the biggest problems with such a setup relate to  
> different
> implementations of password policy enforcement (expiry, lockout,  
> complexity)
> which are not adhered to by more than one technology. So, while  
> OpenLDAP
> supports having multiple password policies (which are stored in- 
> directory),
> Heimdal doesn't. The attributes all differ, and none of the  
> technologies
> update all the attributes (Heimdal does update Samba's pwdLastSet  
> attribute
> IIRC, maybe others) of any of the others (let alone all). I was  
> hoping to
> improve this on the OpenLDAP side (since it has the most comprehensive
> password policy support), but haven't had enough time to spend on it.
> Progress on the Kerberos end to standardise LDAP attributes for
> Kerberos-related information would improve matters ...

Is there a easy way to feed back to password updates though the openldap
and that way make kadmin/kpasswdd use that service instead of doing it
own ldap updates ?

Love

Follow-Ups:
- Re: OpenLDAP Backend Guide?
  - From: Buchan Milne <bgmilne@mandriva.org>

Prev by Date: Re: [PATCH] Updated 'check account' API
Next by Date: Re: Initial version of PKCROSS implementation
Prev by thread: Re: [PATCH] Updated 'check account' API
Next by thread: Re: OpenLDAP Backend Guide?
Index(es):
- Date
- Thread