A general purpose LDAP solution?
Christopher Sean Hilton
chris@vindaloo.com
Tue Mar 25 10:03:03 PDT 2008
On Mar 24, 2008, at 6:40 PM, Jon Theil Nielsen wrote:
> I asked this on freebsd-net@ but got no replies. So now I ask the same
> question here.
>> Hi list!
>> I have speculated a lot about implementation of (Open)LDAP on my
>> server. But I haven't yet found the right (and logical) way to do it.
>> I'm running FreeBSD 7.0-RELEASE with some different servers:
>> - Samba PDC
>> - Virtual mail server (Postfix, MySQL, Courier-IMAP)
>> - VPN (currently with mpd4)
>> - Apache-2.2.8 web server (with PHP and MySQL)
>> I would like to implement LDAP for:
>> - authentication of UNIX/login users
>> - authentication of Samba users
>> - authentication/authorization of virtual mail users
>> For the first part, I got useful information from a previous thread
>> and for the second part, I guess there is sufficient howtos to make
Tim Judd's advice is good for a start. I'm currently using ldap for:
- WebDAV (through Apache2's mod_auth_ldap)
- inbound email (imap/pop)
- outbound email (smtp+auth)
As a general rule the experience has been very positive. The biggest
issue that I've run into is maintenance of the underlying ldap
database, which involves keeping tiny ldif files scattered around.
Certainly the biggest hassle is in doing ldapadd and ldapmodify from
the command line with all the torturous options that you have to
provide (BindDN, BindPassword, TargetDN).
Nonetheless it's been a generally positive experience. In looking at
your list of applications it seems that most of them will support ldap
authentication directly. Mpd4 doesn't, but it does support Radius, so it
looks like you'll have to build radius to authenticate against LDAP
and then have mpd4 authenticate against radius. SMTP is similar. It
doesn't support authentication via LDAP directly. It uses SASL, which
can also authenticate against LDAP.
>> My biggest question right now is if it is possible to combine all three
>> things in one data structure. And in which order I should make
>> the different implementations.
>> Excuse my total lack of understanding, but is it possible to have a
>> structure with a superior unit such as OU=<some organization> which
>> could contain several virtual domains and the actual domain for my
The answer to this question would be a set of non-conflicting ldap
schemas to support the functions that you need. If your needs are
simple authentication, the schemas that ship with openldap will provide
fruit. If you want to make ldap your database for delivering mail to
virtual users there are a few paths out there. Courier had/has a
schema for supporting virtual users that could be banged into shape,
but if I recall correctly its support for keeping virtual domain
information in ldap is lacking. Phamm, /usr/ports/net/phamm, completely
supports virtual domains and virtual users including delegation of
user management. E.g. the user hostmaster@example.com can reset
passwords for <user>@example.com. Phamm also has a neat web interface
for administration. However, when I was setting it up I found it
overly complex for my needs. Like using a Formula 1 car for a grocery
run. However, I think that it even works with the Samba schema, so it
may be exactly what you want.
>> Jon Theil Nielsen
> Oh, i forgot one more thing: I would also like to be able to
> authenticate VPN users the same way.
mpd4 + radius + ldap should get you where you want to be.
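The two points raised above, that the stock OpenLDAP schemas are enough for plain authentication and that maintaining hand-written LDIF with ldapadd/ldapmodify is the real hassle, are worth seeing in one concrete tree. The following is an added example, not code from the thread or from any project named in it. It assumes a suffix of dc=example,dc=com, an ou=Domains container with one organizationalUnit per virtual domain, and user entries combining inetOrgPerson, posixAccount and shadowAccount (all from the core/cosine/nis/inetorgperson schemas that ship with OpenLDAP; the Samba schema is deliberately not included). It generates the LDIF, encodes values the way RFC 2849 requires, and writes userPassword as an OpenLDAP-style {SSHA} hash rather than cleartext. Because nss_ldap/pam_ldap look users up by uid across the whole subtree, it also refuses a uid or uidNumber that repeats in a second domain, which would otherwise make a UNIX login ambiguous.

```python
"""Generate LDIF for a small multi-domain directory serving UNIX login, mail and
(via RADIUS/SASL) other consumers from one tree.  Added example; assumptions:
suffix dc=example,dc=com, ou=Domains holding one OU per virtual domain, users
as inetOrgPerson+posixAccount+shadowAccount under their domain's OU."""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=example,dc=com"   # assumed suffix


def ldif_line(attr, value):
    """Render attr/value per RFC 2849: use '::' + base64 when the value is empty,
    starts with space, ':' or '<', ends with a space, or holds NUL/CR/LF/non-ASCII."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    unsafe = (not raw or raw[0] in b" :<" or raw.endswith(b" ")
              or any(b > 127 or b in (0, 10, 13) for b in raw))
    if unsafe:
        return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{attr}: {raw.decode('ascii')}"


def ssha(password, salt=None):
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt), 4-byte salt as
    slappasswd produces.  Keeps cleartext passwords out of LDIF files on disk."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value (what slapd does on a simple bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def domain_entry(domain):
    """One organizationalUnit per virtual domain, under ou=Domains."""
    dn = f"ou={domain},ou=Domains,{BASE_DN}"
    return dn, [("objectClass", "organizationalUnit"), ("ou", domain)]


def user_entry(domain, uid, cn, sn, uid_number, gid_number, password):
    """Entry usable by nss_ldap/pam_ldap (posixAccount), by mail software keying
    on 'mail', and by anything (RADIUS, SASL) that can do an LDAP bind."""
    dn = f"uid={uid},ou={domain},ou=Domains,{BASE_DN}"
    return dn, [
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("cn", cn),
        ("sn", sn),
        ("mail", f"{uid}@{domain}"),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{domain}/{uid}"),
        ("loginShell", "/bin/sh"),
        ("userPassword", ssha(password)),
    ]


def build_directory(domains, users):
    """domains: list of names; users: (domain, uid, cn, sn, uidNumber, gidNumber, password).
    Rejects a uid or uidNumber reused across domains: a subtree search on uid=
    would then match two entries and the UNIX login would be ambiguous."""
    seen_uid, seen_num = set(), set()
    for u in users:
        if u[1] in seen_uid or u[4] in seen_num:
            raise ValueError(f"uid/uidNumber must be unique across domains: {u[1]}")
        seen_uid.add(u[1])
        seen_num.add(u[4])
    entries = [(f"ou=Domains,{BASE_DN}",
                [("objectClass", "organizationalUnit"), ("ou", "Domains")])]
    entries += [domain_entry(d) for d in domains]
    entries += [user_entry(*u) for u in users]
    return entries


def to_ldif(entries):
    """Serialise (dn, [(attr, value), ...]) entries; a blank line separates entries."""
    out = []
    for dn, attrs in entries:
        out.append(ldif_line("dn", dn))
        out.extend(ldif_line(a, v) for a, v in attrs)
        out.append("")
    return "\n".join(out)


# Constructed sample data, not real accounts.
SAMPLE_DOMAINS = ["example.com", "example.net"]
SAMPLE_USERS = [
    ("example.com", "alice", "Alice Example", "Example", 10001, 10000, "correct horse"),
    ("example.net", "bob", "Bob Example", "Example", 10002, 10000, "battery staple"),
]

if __name__ == "__main__":
    # Load with: ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=com" -W -f directory.ldif
    print(to_ldif(build_directory(SAMPLE_DOMAINS, SAMPLE_USERS)))
```

Generating the file from one script instead of keeping scattered ldif fragments means the bind DN, password prompt (-W) and target are typed once on the ldapadd line, and every password lands in the directory already hashed.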