A general purpose LDAP solution?

Christopher Sean Hilton chris at vindaloo.com
Tue Mar 25 10:03:03 PDT 2008

On Mar 24, 2008, at 6:40 PM, Jon Theil Nielsen wrote:

> I asked this on freebsd-net@ but got no replies. So now I ask the same
> question here.
>> Hi list!
>> I have speculated a lot about implementation of (Open)LDAP on my
>> sever. By I haven't yet found the right (and logical) way to do it.
>> I'm running FreeBSD 7.0-Release with some different server  
>> applications
>> - Samba PDC
>> - Virtual mail server (Postfix, MySQL, Courier-IMAP)
>> - VPN (currently with mpd4)
>> - Apache-2.2.8 web server (with PHP and MySQL)
>> I would like to implement LDAP for:
>> - authentication of UNIX/login users
>> - authentication of Samba users
>> - authentication/authorization of virtual mail users
>> For the first part, I got useful information from a previsous thread
>> (http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2008-02/msg01047.html 
>> )
>> and for the second part, i guess there is sufficient howtos to make  
>> it
>> work.

Tim Judd's advice is good for a start. I'm currently using ldap for  
authentication of:

      Jabber (directly)
      WebDAV (through Apache2's mod_auth_ldap)
      inbound email (imap/pop)
      outbound email (smtp+auth)

As a general rule the experience has been very positive. The biggest  
issues that I've run into are maintenance of the underlying ldap  
database which involves keeping tiny ldif files scattered around.  
Certainly the biggest hassle is in doing ldapadd and ldapmodify from  
the command line with all the torturous options that you have to  
provide (BindDn, BindPassword, TargetDN).

Nonetheless it's been a generally positive experience. In looking at  
your list of applications it seems that most of them will support ldap  
authentication directly. Mpd4 doesn't but it does support Radius so it  
looks like you'll have to build radius to authenticate against LDAP  
and then have mpd4 authenticate against radius. SMTP is similar. It  
doesn't support authentication via LDAP directly. It uses SASL which  
can also authenticate against LDAP.

>> My biggest question right now is if is possible to combine all three
>> things in one data structure. And which in which order I should make
>> the different implimentions.
>> Excuse my total lack of understanding, but is it possible to have a
>> structure with a superior unit such as OU=<some organization> which
>> could contain several virtual domains and the actual doamin for my
>> PDC?

The answer to this question would be a set of non-conflicting ldap  
schemas to support the functions that you need. If your needs are  
simple authentication the schemas that ship with openldap will provide  
fruit. If you want to make ldap your database for delivering mail to  
virtual users there are a few path's out there. Courier had/has a  
schema for supporting virtual users that could be banged into shape  
but if I recall correctly it's support for keeping virtual domain  
information in ldap is lacking. Phamm, /usr/ports/net/phamm completely  
supports virtual domains and virtual users including delegation of  
user management. E.g. the user hostmaster at example.com can reset  
passwords for <user>@example.com. Phamm also has a neat web interface  
for administration. However, when I was setting it up I found it more  
overly complex for my needs. Like using a Formula 1 car for a grocery  
run. However I think that it even works with the Samba schema so it  
may be exactly what you want.

>> --
>> Jon Theil Nielsen
> Oh, i forgot one more thing: I would also like to be able to
> authenticate VPN users the same way.

mpd4 + radius + ldap should get you where you want to be.

-- Chris

More information about the freebsd-questions mailing list