From owner-freebsd-current@FreeBSD.ORG Tue Aug 29 11:38:13 2006
Return-Path:
X-Original-To: freebsd-current@freebsd.org
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 98F9C16A4DF for ; Tue, 29 Aug 2006 11:38:13 +0000 (UTC) (envelope-from b.candler@pobox.com)
Received: from proof.pobox.com (proof.pobox.com [207.106.133.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0EE8B43D55 for ; Tue, 29 Aug 2006 11:38:12 +0000 (GMT) (envelope-from b.candler@pobox.com)
Received: from proof (localhost [127.0.0.1]) by proof.pobox.com (Postfix) with ESMTP id 265C6247E5; Tue, 29 Aug 2006 07:38:34 -0400 (EDT)
Received: from mappit.local.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by proof.sasl.smtp.pobox.com (Postfix) with ESMTP id 6F6196C4C6; Tue, 29 Aug 2006 07:38:27 -0400 (EDT)
Received: from lists by mappit.local.linnet.org with local (Exim 4.61 (FreeBSD)) (envelope-from ) id 1GI1ut-0001VE-N9; Tue, 29 Aug 2006 12:38:03 +0100
Date: Tue, 29 Aug 2006 12:38:03 +0100
From: Brian Candler
To: Michael Bushkov
Message-ID: <20060829113803.GA5728@uk.tiscali.com>
References: <44E9582C.2010400@rsu.ru> <44EAA213.6010507@delphij.net> <002901c6c5ba$628b67d0$9800a8c0@carrera> <86hd0423zk.fsf@xps.des.no> <44EB302A.7010106@rsu.ru> <20060823121157.yawh6f8e844w4osc@netchild.homeip.net> <86u043znbz.fsf@xps.des.no> <20060823144347.GB24652@lor.one-eyed-alien.net> <1156464193.1394.14.camel@localhost> <002001c6c80d$cedcba60$9800a8c0@carrera>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <002001c6c80d$cedcba60$9800a8c0@carrera>
User-Agent: Mutt/1.4.2.1i
Cc: Dag-Erling Smørgrav, freebsd-current@freebsd.org, Alexander Leidinger, Tom McLaughlin, LI Xin
Subject: Re: [HEADS UP]: OpenLDAP+nss_ldap+nss_modules separated patch and more (SoC)
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Tue, 29 Aug 2006 11:38:13 -0000

On Fri, Aug 25, 2006 at 10:14:55AM +0400, Michael Bushkov wrote:
> Tom McLaughlin wrote:
> >Will it also be possible to build openldap in base with SASL support?
> >My understanding is Windows AD environments by default require all
> >connections to be authenticated via kerberos. (It's also a requirement
> >for the samba+openldap+krb5 setup I'm doing for work. ;) I saw a
> >comment about adding support for krb5_ccname in the config file. That's
> >a very useful option in the PADL version so I'm guessing this was
> >written with supporting SASL in mind? Thanks.
> >
> >tom
>
> Hi,
> sasl in OpenLDAP (and in nss_ldap) is supported in a way similar to
> Sendmail:
> CFLAGS+= ${OPENLDAP_CFLAGS}
> LDFLAGS+= ${OPENLDAP_LDFLAGS}
> LDADD+= ${OPENLDAP_LDADD}
>
> By defining
> OPENLDAP_CFLAGS=-I/usr/local/include -DSASL
> OPENLDAP_LDFLAGS=-L/usr/local/lib
> OPENLDAP_LDADD=-lsasl
> you'll enable sasl support both for OpenLDAP and nss_ldap.

Perhaps the point is: "should FreeBSD be able to authenticate against a
Windows Active Directory LDAP server out-of-the-box?"

I know at least one environment which would be very keen on this. OTOH, that
environment has decided to go with Red Hat Enterprise Linux now anyway :-(

But if this worked out-of-the-box, with a nice HOWTO document which explained
step-by-step how to do it, that would be great. Then we just need a second
HOWTO document which showed how to replace your Windows AD server with
OpenLDAP running under FreeBSD :-)

It's perhaps worth pointing out that if you're building this from scratch,
and you care about security, then it's going to be complex whichever way you
go. If you're using LDAP over TLS then you need to build a certificate
authority (or buy certificates for your machines); if you're using LDAP with
GSSAPI then you need a Kerberos infrastructure.

Oh, one other piece of the pie which I don't think has been mentioned - what
about getting sshd to retrieve its authorized keys via LDAP? I seem to
remember seeing some patches to openssh floating around for this a while ago,
but don't know if they ever made it into the standard tree.

Regards,

Brian.
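Brian's closing question, sshd fetching its authorized keys from the directory, no longer needs a patched OpenSSH: since OpenSSH 6.2 sshd can run an external program via AuthorizedKeysCommand and treat its output as the user's authorized_keys. The helper below is an added example, not code from this thread, from FreeBSD or from OpenSSH. It assumes a hypothetical directory on ldap.example.org that stores keys in a multi-valued sshPublicKey attribute of the user's posixAccount entry under ou=People,dc=example,dc=org; none of those names come from the thread. The two security checks it adds are the ones the thread's "if you care about security" remark implies: the login name sshd hands over is validated before it is spliced into an LDAP filter, and only values that look like OpenSSH public keys are passed back, so a stray attribute value cannot become an authorized_keys options field.

```sh
#!/bin/sh
# Added example (not from the thread, FreeBSD or OpenSSH): an
# AuthorizedKeysCommand helper that makes sshd look up a user's public
# keys in LDAP instead of ~/.ssh/authorized_keys.
#
# Hypothetical directory layout: keys live in the multi-valued
# sshPublicKey attribute of the user's posixAccount entry under
# ou=People,dc=example,dc=org on ldap.example.org.
#
# sshd_config (OpenSSH 6.2 or later):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody

LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=org}"

# sshd hands us the login name verbatim. Refuse anything that is not a
# plain POSIX user name so that '*', '(', ')' or '\' can never reach the
# LDAP search filter and widen it to other entries.
valid_user() {
    case "$1" in
        ''|-*|*[!a-zA-Z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Convert ldapsearch LDIF output into authorized_keys lines: unfold
# continuation lines (a leading space), keep only sshPublicKey values,
# and drop values that do not look like an OpenSSH public key so a
# malformed attribute cannot be smuggled in as an options field.
ldif_to_keys() {
    awk '
        function emit(line) {
            if (line ~ /^sshPublicKey: (ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+\/=]+( |$)/)
                print substr(line, 15)
        }
        /^ /  { buf = buf substr($0, 2); next }
              { emit(buf); buf = $0 }
        END   { emit(buf) }
    '
}

# Query the directory. -ZZ insists on StartTLS, which only works once the
# CA certificate is configured (TLS_CACERT in ldap.conf); replace -x with
# -Y GSSAPI where the server, as Active Directory does, requires a
# Kerberos-authenticated bind.
fetch_keys() {
    valid_user "$1" || return 1
    ldapsearch -x -ZZ -LLL -o ldif-wrap=no -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey | ldif_to_keys
}

if [ $# -gt 0 ]; then
    fetch_keys "$1"
fi
```

Install the script somewhere root-owned and not group- or world-writable (sshd refuses AuthorizedKeysCommand programs that are), and run it as a dedicated unprivileged AuthorizedKeysCommandUser. An empty result simply means the user has no keys in the directory, which is why the helper exits successfully with no output in that case rather than failing; a rejected user name, on the other hand, returns non-zero so the attempt shows up in the sshd log.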