[HEADS UP]: OpenLDAP+nss_ldap+nss_modules separated patch and more (SoC)

Brian Candler B.Candler at pobox.com
Tue Aug 29 11:38:13 UTC 2006


On Fri, Aug 25, 2006 at 10:14:55AM +0400, Michael Bushkov wrote:
> Tom McLaughlin wrote:
> >Will it also be possible to build openldap in base with SASL support?
> >My understanding is Windows AD environments by default require all
> >connections to be authenticated via kerberos.  (It's also a requirement
> >for the samba+openldap+krb5 setup I'm doing for work. ;)  I saw a
> >comment about adding support for krb5_ccname in the config file.  That's
> >a very useful option in the PADL version so I'm guessing this was
> >written with supporting SASL in mind?  Thanks.
> >
> >tom
> 
> Hi,
> sasl in OpenLDAP (and in nss_ldap) is supported in a way similar to 
> Sendmail:
> CFLAGS+=        ${OPENLDAP_CFLAGS}
> LDFLAGS+=       ${OPENLDAP_LDFLAGS}
> LDADD+=         ${OPENLDAP_LDADD}
> 
> By defining,
> OPENLDAP_CFLAGS=-I/usr/local/include -DSASL
> OPENLDAP_LDFLAGS=-L/usr/local/lib
> OPENLDAP_LDADD=-lsasl
> you'll enable sasl support both for OpenLDAP and nss_ldap.

Perhaps the point is: "should FreeBSD be able to authenticate against a
Windows Active Directory LDAP server out-of-the-box?" I know at least one
environment which would be very keen on this. OTOH, that environment has
decided to go with Red Hat Enterprise Linux now anyway :-(

But if this worked out-of-the-box, with a nice HOWTO document which
explained step-by-step how to do it, that would be great.

Then we just need a second HOWTO document which showed how to replace your
Windows AD server with OpenLDAP running under FreeBSD :-)

It's perhaps worth pointing out that if you're building this from scratch,
and you care about security, then it's going to be complex whichever way you
go. If you're using LDAP over TLS then you need to build a certificate
authority (or buy certificates for your machines); if you're using LDAP with
GSSAPI then you need a Kerberos infrastructure.

Oh, one other piece of the pie which I don't think has been mentioned - what
about getting sshd to retrieve its authorized keys via LDAP? I seem to
remember seeing some patches to openssh floating around for this a while
ago, but don't know if they ever made it into the standard tree.

Regards,

Brian.
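As an added example (not part of this thread, and not OpenSSH's or OpenLDAP's own code): the "sshd fetches its authorized keys from LDAP" idea mentioned above no longer needs patches, because OpenSSH has supported an AuthorizedKeysCommand (plus AuthorizedKeysCommandUser) for years. The script below is shaped to be run that way: sshd invokes it with the login name, it queries the directory with ldapsearch and prints one key per line. The attribute name sshPublicKey, the base DN and the uid-based filter are assumptions about the directory schema, the ldapsearch invocation assumes a configured ldap.conf, and the LDIF sample it is exercised on offline is constructed. The two points a practitioner should take from it are that the username must be escaped before it goes into the LDAP filter (RFC 4515), and that ldapsearch output is LDIF, so folded continuation lines and base64 ("::") values have to be handled rather than naively grepped.

```python
#!/usr/bin/env python3
"""Fetch a user's SSH public keys from LDAP for sshd's AuthorizedKeysCommand.

Added example, not code from the mailing-list post. Assumptions (not from the
page): keys are stored in an attribute named sshPublicKey, entries live under
BASE_DN, and ldapsearch (OpenLDAP client tools) is on PATH and configured via
ldap.conf. The LDIF parser is exercised offline on constructed sample output.
"""
import base64
import subprocess
import sys

BASE_DN = "ou=People,dc=example,dc=com"   # assumption: adjust to your directory
KEY_ATTR = "sshPublicKey"                 # assumption: openssh-lpk style schema


def escape_filter(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this a crafted login name could change the filter sshd runs."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(username: str) -> str:
    """Filter selecting the entry for one login name (uid attribute assumed)."""
    return "(uid=%s)" % escape_filter(username)


def unfold_ldif(text: str):
    """Join LDIF continuation lines: a leading space continues the prior line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_keys(text: str, attr: str = KEY_ATTR):
    """Extract the values of one attribute from ldapsearch LDIF output.
    Handles 'attr: value', base64 'attr:: dmFsdWU=' and skips comments
    and URL-valued 'attr:< ...' lines."""
    keys = []
    for line in unfold_ldif(text):
        if line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if name.lower() != attr.lower():
            continue
        if rest.startswith("<"):
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if value:
            keys.append(value)
    return keys


def lookup_keys(username: str):
    """Run ldapsearch and return the user's keys (empty on any failure, so a
    directory outage denies rather than grants). Not run in the offline test.
    For a GSSAPI-bound directory replace '-x' with '-Y GSSAPI'."""
    cmd = ["ldapsearch", "-LLL", "-x", "-b", BASE_DN,
           build_filter(username), KEY_ATTR]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return []
    if proc.returncode != 0:
        return []
    return parse_ldif_keys(proc.stdout)


# Constructed sample of what 'ldapsearch -LLL' might print for one user: a
# plain value, plus a base64 value folded across two lines as LDIF allows.
ED_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial alice@laptop"
RSA_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQConstructed alice@desktop"
_B64 = base64.b64encode(RSA_KEY.encode()).decode()
SAMPLE_LDIF = (
    "# constructed sample, not real directory output\n"
    "dn: uid=alice," + BASE_DN + "\n"
    "sshPublicKey: " + ED_KEY + "\n"
    "sshPublicKey:: " + _B64[:40] + "\n " + _B64[40:] + "\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for key in lookup_keys(sys.argv[1]):   # sshd passes %u here
            print(key)
    else:
        for key in parse_ldif_keys(SAMPLE_LDIF):  # offline demonstration
            print(key)
```

Wired into sshd_config as `AuthorizedKeysCommand /usr/local/sbin/ldap-keys %u` with a dedicated unprivileged `AuthorizedKeysCommandUser`, the script is the whole "authorized keys via LDAP" piece; a directory outage or a non-zero ldapsearch exit yields no keys, which is the safe failure direction for an authentication path.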

