On Fri, Aug 25, 2006 at 10:14:55AM +0400, Michael Bushkov wrote:
> Tom McLaughlin wrote:
> >Will it also be possible to build openldap in base with SASL support?
> >My understanding is Windows AD environments by default require all
> >connections to be authenticated via kerberos. (It's also a requirement
> >for the samba+openldap+krb5 setup I'm doing for work. ;) I saw a
> >comment about adding support for krb5_ccname in the config file. That's
> >a very useful option in the PADL version so I'm guessing this was
> >written with supporting SASL in mind? Thanks.
> >
> >tom
>
> Hi,
> sasl in OpenLDAP (and in nss_ldap) is supported in a way similar to
> Sendmail:
> CFLAGS+= ${OPENLDAP_CFLAGS}
> LDFLAGS+= ${OPENLDAP_LDFLAGS}
> LDADD+= ${OPENLDAP_LDADD}
>
> By defining,
> OPENLDAP_CFLAGS=-I/usr/local/include -DSASL
> OPENLDAP_LDFLAGS=-L/usr/local/lib
> OPENLDAP_LDADD=-lsasl
> you'll enable sasl support both for OpenLDAP and nss_ldap.

Perhaps the point is: "should FreeBSD be able to authenticate against a Windows Active Directory LDAP server out-of-the-box?"

I know at least one environment which would be very keen on this. OTOH, that environment has decided to go with Red Hat Enterprise Linux now anyway :-(

But if this worked out-of-the-box, with a nice HOWTO document which explained step-by-step how to do it, that would be great. Then we just need a second HOWTO document which showed how to replace your Windows AD server with OpenLDAP running under FreeBSD :-)

It's perhaps worth pointing out that if you're building this from scratch, and you care about security, then it's going to be complex whichever way you go. If you're using LDAP over TLS then you need to build a certificate authority (or buy certificates for your machines); if you're using LDAP with GSSAPI then you need a Kerberos infrastructure.

Oh, one other piece of the pie which I don't think has been mentioned - what about getting sshd to retrieve its authorized keys via LDAP? I seem to remember seeing some patches to openssh floating around for this a while ago, but don't know if they ever made it into the standard tree.

Regards,

Brian.

Received on Tue Aug 29 2006 - 09:38:13 UTC