On Mar 24, 2008, at 6:40 PM, Jon Theil Nielsen wrote:

I asked this on freebsd-net@ but got no replies. So now I ask the same
question here.
Hi list!

I have speculated a lot about implementation of (Open)LDAP on my
server. But I haven't yet found the right (and logical) way to do it.
I'm running FreeBSD 7.0-Release with some different server applications
- Samba PDC
- Virtual mail server (Postfix, MySQL, Courier-IMAP)
- VPN (currently with mpd4)
- Apache-2.2.8 web server (with PHP and MySQL)
I would like to implement LDAP for:
- authentication of UNIX/login users
- authentication of Samba users
- authentication/authorization of virtual mail users
For the first part, I got useful information from a previous thread
(http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2008-02/msg01047.html ) and for the second part, I guess there are sufficient howtos to make it
work.


Tim Judd's advice is good for a start. I'm currently using ldap for authentication of:

     Jabber (directly)
     WebDAV (through Apache2's mod_auth_ldap)
     inbound email (imap/pop)
     outbound email (smtp+auth)

As a general rule the experience has been very positive. The biggest issue that I've run into is maintenance of the underlying ldap database, which involves keeping tiny ldif files scattered around. Certainly the biggest hassle is in doing ldapadd and ldapmodify from the command line with all the torturous options that you have to provide (BindDn, BindPassword, TargetDN).

Nonetheless it's been a generally positive experience. In looking at your list of applications it seems that most of them will support ldap authentication directly. Mpd4 doesn't, but it does support Radius, so it looks like you'll have to build radius to authenticate against LDAP and then have mpd4 authenticate against radius. SMTP is similar. It doesn't support authentication via LDAP directly. It uses SASL, which can also authenticate against LDAP.

My biggest question right now is if it is possible to combine all three
things in one data structure. And in which order I should make
the different implementations.
Excuse my total lack of understanding, but is it possible to have a
structure with a superior unit such as OU=<some organization> which
could contain several virtual domains and the actual domain for my
PDC?


The answer to this question would be a set of non-conflicting ldap schemas to support the functions that you need. If your needs are simple authentication, the schemas that ship with openldap will provide fruit. If you want to make ldap your database for delivering mail to virtual users, there are a few paths out there. Courier had/has a schema for supporting virtual users that could be banged into shape, but if I recall correctly its support for keeping virtual domain information in ldap is lacking. Phamm, /usr/ports/net/phamm, completely supports virtual domains and virtual users, including delegation of user management. E.g. the user [EMAIL PROTECTED] can reset passwords for <user>@example.com. Phamm also has a neat web interface for administration. However, when I was setting it up I found it overly complex for my needs. Like using a Formula 1 car for a grocery run. However, I think that it even works with the Samba schema, so it may be exactly what you want.

--
Jon Theil Nielsen

Oh, i forgot one more thing: I would also like to be able to
authenticate VPN users the same way.

mpd4 + radius + ldap should get you where you want to be.

-- Chris
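As an added illustration of the single-tree layout Jon asks about (example LDIF written for this page, not configuration posted by Jon or Chris, and not Phamm's or Courier's own layout): one suffix, dc=example,dc=com, carries the Samba domain object and the PDC's UNIX/Samba users under ou=People, and each hosted mail domain gets its own organizationalUnit under ou=Domains. The suffix, names, SIDs, uid/gid numbers and password values are constructed sample data; the objectClasses come from OpenLDAP's core and nis schemas and from the samba.schema shipped with Samba 3, and the Courier/Phamm-specific mailbox attributes are deliberately left out.

```ldif
# Constructed example tree. Suffix dc=example,dc=com is an assumption;
# substitute your own. Load with: ldapadd -x -D <rootdn> -W -f tree.ldif
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Organisation

# Samba 3 domain object for the PDC. The SID is a placeholder: take the
# real one from "net getlocalsid" on the PDC and use that prefix for
# every sambaSID below.
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1000000001-1000000002-1000000003
sambaAlgorithmicRidBase: 1000

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

# Container for the hosted (virtual) mail domains.
dn: ou=Domains,dc=example,dc=com
objectClass: organizationalUnit
ou: Domains

# Primary group for domain users: posixGroup (nis.schema) plus the Samba
# group mapping. RID 513 is the well-known "Domain Users" RID.
dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-1000000001-1000000002-1000000003-513
sambaGroupType: 2
displayName: Domain Users

# One real person. The same entry serves nss_ldap/pam_ldap (posixAccount)
# and the Samba PDC (sambaSamAccount); inetOrgPerson supplies mail/sn/cn.
# With algorithmic RIDs the user RID is 2*uidNumber + sambaAlgorithmicRidBase,
# so 2*10001 + 1000 = 21002.
dn: uid=jon,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jon
cn: Jon Example
sn: Example
uidNumber: 10001
gidNumber: 513
homeDirectory: /home/jon
loginShell: /bin/sh
sambaSID: S-1-5-21-1000000001-1000000002-1000000003-21002
sambaPrimaryGroupSID: S-1-5-21-1000000001-1000000002-1000000003-513
sambaAcctFlags: [U          ]
userPassword: {SSHA}placeholder-set-with-ldappasswd
mail: jon@example.com

# A hosted mail domain ...
dn: ou=example.net,ou=Domains,dc=example,dc=com
objectClass: organizationalUnit
ou: example.net

# ... and a virtual mailbox in it. A Postfix ldap: lookup table can resolve
# the recipient with query_filter = (mail=%s); Courier's authldap wants its
# own mailbox/quota attributes (courier.schema), which are omitted here.
dn: uid=alice@example.net,ou=example.net,ou=Domains,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice@example.net
cn: Alice Virtual
sn: Virtual
mail: alice@example.net
userPassword: {SSHA}placeholder-set-with-ldappasswd
```

Two points worth checking before putting a tree like this into production. First, the per-domain subtree is what makes delegation (the hostmaster-style account Chris mentions for Phamm) expressible as a slapd access directive scoped to `ou=example.net,ou=Domains,...` rather than to the whole suffix. Second, once sambaSamAccount entries are in the directory, smbpasswd will populate sambaNTPassword and sambaLMPassword, which are password-equivalent hashes; slapd's access rules must restrict those attributes, and userPassword, to the entry owner and the Samba/admin bind DNs, with `auth` rights only for everyone else.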

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
