OpenLDAP authentication

Konrad Heuer kheuer2 at gwdg.de
Mon May 12 23:54:40 PDT 2003


On 12 May 2003, Guy Van Sanden wrote:

> I'm thinking of switching my NIS based network to OpenLDAP.
>
> My server is FreeBSD 5, it serves NIS, NFS home directories, mail, etc.
> The clients are running Mandrake Linux 9.0 and 9.1, using MD5 passwords.
>
> I want to migrate the NIS maps to OpenLDAP (running on my FreeBSD
> server), and have everything else authenticate against it.
>
> In a second phase, I would like to migrate the authentication to a
> Kerberos 5 realm, with OpenLDAP.
> I have no idea yet how to get this working, and if it causes problems
> with the NFS server-clients.
>
> Any hints/tips or pointers to interesting documentation are very welcome.

I'm working on OpenLDAP based authentication to replace NIS together with
a colleague of mine. We don't use any NIS maps beside passwd.byname,
passwd.byuid, group.byname and group.bygid, so we migrate only this
information to OpenLDAP.

The OpenLDAP server is running on FreeBSD 4.8-R; clients able to use the
server for complete logins so far are (in our environment) running MacOS X
Jaguar or SuSE Linux 8.1.

Authentication alone has been successful on a FreeBSD 4.8 box, but NSS
support is (as is well known) missing here.

Our server only supports SSL connections on port 636 to make sure that no
clear text password transmission happens.

Our experiences are:

There are a sufficient number of more or less useful howtos you can
"google" for, but still some pitfalls:

* You seem to need an official SSL server certificate, otherwise Mac OS X
  and SuSE Linux clients won't trust the server.
* I gave up connecting a Debian Linux system to the server because the
  precompiled Debian LDAP packages don't seem to support SSL encryption.
  I had no luck compiling the stuff myself on the Debian box,
  but this may be my fault since my focus is on FreeBSD and not on Linux.
* SuSE Linux clients expect that anonymous binds to the OpenLDAP server
  are possible. Mac OS X and FreeBSD clients (concerning pure
  authentication) behave differently, but SuSE Linux seems to ignore
  any entries in ldap.conf concerning client authentication. Thus, you
  have to grant anonymous access to those data on the LDAP server
  which are equivalent to the data in /etc/passwd; the encrypted
  password can (and of course should) be protected against
  anonymous access!

At the moment, we have no plans to use Kerberos.

These are my experiences so far; it would be nice to read about those of
others migrating to OpenLDAP ...

Best regards
Konrad

Konrad Heuer (kheuer2 at gwdg.de)  ____            ___  _______
GWDG                           / __/______ ___ / _ )/ __/ _ \
Am Fassberg                   / _// __/ -_) -_) _  |\ \/ // /
37077 Goettingen             /_/ /_/  \__/\__/____/___/____/
Germany
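The ACL arrangement Konrad describes (anonymous read of the passwd/group equivalents, but no anonymous read of the password hash, and only an SSL listener) is easy to get wrong, so here is a worked slapd.conf fragment for it. This is an added example, not the poster's configuration or anything from the OpenLDAP project: the paths, the suffix dc=example,dc=org, the manager DN and the certificate file names are assumptions, and the syntax is the slapd.conf (OpenLDAP 2.1-era) style in use at the time of the message.

```conf
# /usr/local/etc/openldap/slapd.conf  (added example; paths and suffix are assumed)

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema   # posixAccount, posixGroup

# TLS material for the ldaps:// listener. Start slapd with only that
# listener, e.g.   slapd -h "ldaps:///"   so port 389 is never open and
# no clear-text simple bind can reach the server.
TLSCertificateFile      /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile   /usr/local/etc/openldap/server.key
TLSCACertificateFile    /usr/local/etc/openldap/ca.crt

# ACLs are evaluated top-down; the first "access to" that matches the
# attribute/entry decides, and within it the first matching "by" clause.
#
# 1. The password hash: the owner may change it, anyone may *use* it to
#    bind ("auth" permits the compare done during a simple bind), and
#    nobody, in particular no anonymous searcher, may read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Everything else (uid, uidNumber, gidNumber, homeDirectory,
#    loginShell, cn, gecos, memberUid, ...) is world-readable, which is
#    exactly the information already public in /etc/passwd and /etc/group.
#    This is what a client that insists on anonymous binds for its NSS
#    lookups needs.
access to *
        by self write
        by * read

database        bdb
suffix          "dc=example,dc=org"
rootdn          "cn=Manager,dc=example,dc=org"
# rootpw: put the {SSHA} output of slappasswd(8) here, never clear text.
directory       /var/db/openldap-data
index           uid,uidNumber,gidNumber,memberUid   eq
```

Two checks worth running after a restart. An anonymous search such as `ldapsearch -x -H ldaps://ldap.example.org/ -b dc=example,dc=org '(uid=someuser)'` must return the posixAccount attributes but no userPassword line at all (the `by * none` clause hides the attribute rather than returning an error). A bind as that user, `ldapsearch -x -H ldaps://ldap.example.org/ -D uid=someuser,ou=People,dc=example,dc=org -W -b dc=example,dc=org '(uid=someuser)'`, must succeed and, because of `by self write`, show the hash to its owner. Keep the `attrs=userPassword` rule above the catch-all; if the order is reversed, `access to *` matches first and the hash becomes anonymously readable.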
