Re: A general purpose LDAP solution?
On Sun, 23 Mar 2008 23:26:51 +0100 Jon Theil Nielsen [EMAIL PROTECTED] wrote:
> 2008/3/23, Jon Theil Nielsen [EMAIL PROTECTED]:
>> Hi list!
>>
>> I have speculated a lot about the implementation of (Open)LDAP on my server, but I haven't yet found the right (and logical) way to do it.
>>
>> I'm running FreeBSD 7.0-Release with some different server applications:
>> - Samba PDC
>> - Virtual mail server (Postfix, MySQL, Courier-IMAP)
>> - VPN (currently with mpd4)
>> - Apache-2.2.8 web server (with PHP and MySQL)
>>
>> I would like to implement LDAP for:
>> - authentication of UNIX/login users
>> - authentication of Samba users
>> - authentication/authorization of virtual mail users
>>
>> For the first part, I got useful information from a previous thread (http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2008-02/msg01047.html) and for the second part, I guess there are sufficient howtos to make it work.
>>
>> My biggest question right now is whether it is possible to combine all three things in one data structure, and in which order I should make the different implementations.
>>
>> Excuse my total lack of understanding, but is it possible to have a structure with a superior unit such as OU=some organization which could contain several virtual domains and the organization's actual domain for my PDC?
>>
>> -- Jon Theil Nielsen
>
> Oh, I forgot one more thing: I would also like to be able to authenticate VPN users the same way.

For foo.bar and monkies.foo.bar, I would do it as below. And remember, PAM is your friend. And on a similar note, I am goat fragging surprised Postfix does not have a native PAM auth backend yet.

ou=users,dc=foo,dc=bar
ou=users,dc=monkies,dc=foo,dc=bar

In regards to VPN, you may wish to look into OpenVPN. It has a scriptable password checking mechanism.
http://openvpn.net/index.php/documentation/howto.html#auth

Enjoy playing with the nastiness that is Samba and LDAP. =^.^=

On another note, I changed this from the net list to the questions list as I don't think this really falls under FreeBSD net related stuff.
___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
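As an added example (not part of the reply above, and not OpenVPN's or OpenLDAP's own code), this is what the "scriptable password checking mechanism" mentioned for OpenVPN can look like when it is pointed at the two `ou=users` trees suggested for foo.bar and monkies.foo.bar. It is an `auth-user-pass-verify` helper in via-file mode, so it receives the username on line 1 and the password on line 2 of a temporary file and signals accept/reject through its exit status. The realm-to-base-DN table, the LDAP hostname and the use of the `ldap3` library for the real bind are assumptions; the bind itself is injected so the decision logic can be exercised offline. Two checks matter here and are easy to get wrong: the username is whitelisted before it is spliced into a DN, and an empty password is rejected before it reaches the server, because an LDAP simple bind with a DN and an empty password is treated as an anonymous bind and would otherwise "succeed".

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify helper that checks a VPN login with an LDAP
simple bind.  Added example, not from the thread.

Assumed server-side OpenVPN config line:
    auth-user-pass-verify /usr/local/etc/openvpn/ldap-auth.py via-file
In via-file mode OpenVPN writes the username on line 1 and the password on
line 2 of a temporary file whose path is argv[1]; exit 0 accepts the login,
any other status rejects it.
"""
import re
import sys

# Realm -> search base, following the two trees suggested in the reply.
# Hostnames and DNs are assumed.
REALMS = {
    "foo.bar": "ou=users,dc=foo,dc=bar",
    "monkies.foo.bar": "ou=users,dc=monkies,dc=foo,dc=bar",
}
DEFAULT_REALM = "foo.bar"
LDAP_URI = "ldaps://ldap.foo.bar"

# Only plain account names reach the DN.  Without this, a login such as
# "alice,ou=admins" would be spliced into the DN we bind as.
_VALID_USER = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}\Z")


def user_dn(login):
    """Map 'user' or 'user@realm' to a bind DN, or None if it is unusable."""
    user, _, realm = login.partition("@")
    base = REALMS.get(realm or DEFAULT_REALM)
    if base is None or not _VALID_USER.match(user):
        return None
    return "uid=%s,%s" % (user, base)


def parse_credentials(path):
    """Read the two-line file OpenVPN hands over in via-file mode."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.read().split("\n")
    user = lines[0] if lines else ""
    password = lines[1] if len(lines) > 1 else ""
    return user, password


def check_credentials(login, password, bind):
    """True only if the DN is well-formed and bind(dn, password) succeeds.

    bind(dn, password) -> bool is injected so the decision logic can be
    exercised without a directory server."""
    # Reject empty passwords before touching the server: an LDAP simple bind
    # with a DN and an empty password is an *anonymous* bind, which most
    # servers accept, so forwarding it would let anyone in as any user.
    if not password:
        return False
    dn = user_dn(login)
    if dn is None:
        return False
    return bool(bind(dn, password))


def ldap_bind(dn, password):
    """Real simple bind over LDAPS using the ldap3 library (assumed installed)."""
    from ldap3 import Connection, Server  # imported here so tests run without it
    conn = Connection(Server(LDAP_URI), user=dn, password=password)
    try:
        return conn.bind()
    finally:
        conn.unbind()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(1)
    u, p = parse_credentials(sys.argv[1])
    sys.exit(0 if check_credentials(u, p, ldap_bind) else 1)
```

Because the bind DN is built from the login, the script deliberately refuses anything that is not a bare account name; if your usernames legitimately contain characters such as commas or plus signs, escape them per RFC 4514 instead of widening the pattern. The script is only as strong as the transport: use `ldaps://` (or StartTLS) so the VPN password does not cross the wire to the directory in clear.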
Re: A general purpose LDAP solution?
Patrick C wrote:
> Is there any support for built-in redundancy on the server level? I just need changes replicated, CARP can handle failover.

With LDAP? Sure. In fact, there are two mechanisms available with OpenLDAP: replicated and 'syncrepl'. See

http://www.openldap.org/doc/admin24/config.html#Replicated%20Directory%20Service

Actually, that diagram is confusing: the basic replication uses a separate process 'slurpd' to manage updating the slave server, whereas synchronous replication just uses a connection from the slave slapd to the master. Syncrepl seems to me to be the way to go.

In any case, the way the system works is this: one LDAP instance is the master and the only one to allow writes to itself. The other instances get a feed of all updates which allows them to maintain a duplicate of the database contents. You can issue writes to the slave LDAPs but they will be transformed into referrals to the master server -- i.e. your client needs to be able to access the master if it needs to write to the database.

I.e. if all you ever want to do is *read* from LDAP during normal operation, then you can make a nice replicated resilient system. If you need to routinely *write* to the DB, then no, you need to have the master server available.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil. -- 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
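The master/slave arrangement described above, written out as slapd.conf fragments for OpenLDAP 2.4 syncrepl. This is an added example, not configuration from the thread or from the OpenLDAP documentation; the hostnames, DNs, the `cn=replicator` account and its password are assumed. The `updateref` line on the slave is what turns a write into the referral Matthew describes, and the ACL on the master is what lets the replicator account copy password hashes while still keeping them unreadable to everyone else.

```conf
# slapd.conf fragments for OpenLDAP 2.4 syncrepl (added example; hostnames,
# DNs and credentials are assumed, not taken from the thread).

### Master (provider) ###
database        bdb
suffix          "dc=foo,dc=bar"
rootdn          "cn=Manager,dc=foo,dc=bar"

# The replication account must be able to read every attribute it has to
# copy, including userPassword.  Everyone else keeps the usual rules: users
# may change their own password, anyone may use it to authenticate, nobody
# may read it.  Once the Samba schema is included, add sambaNTPassword and
# sambaLMPassword to this attrs list; referencing them before the schema is
# loaded stops slapd from starting.
access to attrs=userPassword
        by dn.exact="cn=replicator,dc=foo,dc=bar" read
        by self write
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=replicator,dc=foo,dc=bar" read
        by * read

overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

### Slave (consumer) ###
database        bdb
suffix          "dc=foo,dc=bar"
rootdn          "cn=Manager,dc=foo,dc=bar"

# Pull changes from the master over TLS, authenticating as the replicator
# account.  refreshAndPersist keeps the connection open so updates arrive as
# they are committed; retry="60 +" reconnects every 60 s indefinitely.
# The credentials are stored in clear in this file, so keep it mode 0600.
syncrepl        rid=001
                provider=ldaps://ldap-master.foo.bar
                type=refreshAndPersist
                retry="60 +"
                searchbase="dc=foo,dc=bar"
                bindmethod=simple
                binddn="cn=replicator,dc=foo,dc=bar"
                credentials=replicator-password
                tls_reqcert=demand

# Writes sent to the slave are answered with a referral to the master.
# Without this line a write attempt on the slave simply fails.
updateref       ldaps://ldap-master.foo.bar
```

To confirm the behaviour, run an `ldapmodify` against the slave: it is answered with result code 10 (reported by the command-line tools as "Referral") carrying the master's URL, and the change is not applied locally. Clients that need to write, such as a Samba PDC or a password-change tool, must therefore be configured to talk to the master, or to follow the referral and re-bind there.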
Re: A general purpose LDAP solution?
On Mon Mar 24, 2008 04:58PM, Tim Judd wrote:
> Jon Theil Nielsen wrote:
>> I asked this on freebsd-net@ but got no replies. So now I ask the same question here.
>>
>> [original question quoted in full above; snipped]
>
> It's easy to find out if LDAP is a global solution for you. See if LDAP is an available option in each port's config.
>
> I just finished setting up a LDAP-based email system. Samba is capable, unix logins are capable. There's a good chance everything is. I liked the virtual part of everything, so I stopped after getting email working. I didn't want to open up my system to all sorts of unix/samba logins that might exploit or give me problems.
>
> The email system I documented isn't ready for publishing. I'm having some select friends review it and proofread it first. If there's any interest here, I will provide a 2nd publishing to the general public as a draft. Not to be used exclusively yet.
>
> Jon, you should be able to get most if not all of it working though.
>
> --Tim

I would like to see the documentation as well.

-- 
Cheers,
Trey

The universe is change; our life is what our thoughts make it.
--Antoninus, Marcus Aurelius

Linux valkyrie 2.6.22.17-0.1-bigsmp i686 GNU/Linux
9:10am up 11:11, 7 users, load average: 0.98, 0.98, 1.06
Re: A general purpose LDAP solution?
As would I also like to.

On Tue, Mar 25, 2008 at 8:11 PM, Trey Sizemore [EMAIL PROTECTED] wrote:
> On Mon Mar 24, 2008 04:58PM, Tim Judd wrote:
>> [Tim's reply and Jon's original question, both quoted in full above; snipped]
>
> I would like to see the documentation as well.
>
> --
> Cheers,
> Trey
Re: A general purpose LDAP solution?
On Mar 24, 2008, at 6:40 PM, Jon Theil Nielsen wrote:
> I asked this on freebsd-net@ but got no replies. So now I ask the same question here.
>
> Hi list!
>
> I have speculated a lot about the implementation of (Open)LDAP on my server, but I haven't yet found the right (and logical) way to do it.
>
> I'm running FreeBSD 7.0-Release with some different server applications:
> - Samba PDC
> - Virtual mail server (Postfix, MySQL, Courier-IMAP)
> - VPN (currently with mpd4)
> - Apache-2.2.8 web server (with PHP and MySQL)
>
> I would like to implement LDAP for:
> - authentication of UNIX/login users
> - authentication of Samba users
> - authentication/authorization of virtual mail users
>
> For the first part, I got useful information from a previous thread (http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2008-02/msg01047.html) and for the second part, I guess there are sufficient howtos to make it work.

Tim Judd's advice is good for a start. I'm currently using ldap for authentication of:

Jabber (directly)
WebDAV (through Apache2's mod_auth_ldap)
inbound email (imap/pop)
outbound email (smtp+auth)

As a general rule the experience has been very positive. The biggest issues that I've run into are maintenance of the underlying ldap database, which involves keeping tiny ldif files scattered around. Certainly the biggest hassle is in doing ldapadd and ldapmodify from the command line with all the torturous options that you have to provide (BindDn, BindPassword, TargetDN). Nonetheless it's been a generally positive experience.

In looking at your list of applications it seems that most of them will support ldap authentication directly. Mpd4 doesn't, but it does support Radius, so it looks like you'll have to build radius to authenticate against LDAP and then have mpd4 authenticate against radius. SMTP is similar. It doesn't support authentication via LDAP directly. It uses SASL, which can also authenticate against LDAP.

> My biggest question right now is whether it is possible to combine all three things in one data structure, and in which order I should make the different implementations.
>
> Excuse my total lack of understanding, but is it possible to have a structure with a superior unit such as OU=some organization which could contain several virtual domains and the actual domain for my PDC?

The answer to this question would be a set of non-conflicting ldap schemas to support the functions that you need. If your needs are simple authentication the schemas that ship with openldap will provide fruit. If you want to make ldap your database for delivering mail to virtual users there are a few paths out there. Courier had/has a schema for supporting virtual users that could be banged into shape, but if I recall correctly its support for keeping virtual domain information in ldap is lacking. Phamm, /usr/ports/net/phamm, completely supports virtual domains and virtual users including delegation of user management, e.g. the user [EMAIL PROTECTED] can reset passwords for user@example.com. Phamm also has a neat web interface for administration. However, when I was setting it up I found it overly complex for my needs. Like using a Formula 1 car for a grocery run. However I think that it even works with the Samba schema so it may be exactly what you want.

> -- Jon Theil Nielsen
>
> Oh, I forgot one more thing: I would also like to be able to authenticate VPN users the same way.

mpd4 + radius + ldap should get you where you want to be.

-- Chris
Re: A general purpose LDAP solution?
You could follow one of the general purpose samba-ldap documentations out there, because AFAIK samba is the most influencing service to depend on ldap. I cannot recall what I used but you can have a look at:

http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC_Basic_Setup
http://www.samba-ldap.de/samba-3-pdc-mit-ldap.html

The first one covers gentoo, the latter is written in German... but you get the point.

One suggestion from my side is to use an OU base instead of a DC base if you are using multiple (internet-)domains. To specify who can use what service, you can use ldap query-filters (e.g. for apache create a group webusers and so on).

At the moment I use openldap for web, mail (Postfix, cyrus-imap), samba and a per-user address-book. Kerberos (heimdal) and radius is also possible, but I do not use it at the moment. If you require it, I can provide you with more information or even relevant parts of the config-files.

br,
Robert Jesacher

On 25/03/2008 14:38 Outback Dingo wrote:
> As would I also like to.
>
> On Tue, Mar 25, 2008 at 8:11 PM, Trey Sizemore [EMAIL PROTECTED] wrote:
>> On Mon Mar 24, 2008 04:58PM, Tim Judd wrote:
>>> [Tim's reply and Jon's original question, both quoted in full above; snipped]
>>
>> I would like to see the documentation as well.
>>
>> --
>> Cheers,
>> Trey
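The "create a group webusers" idea from Robert's reply, written out as an Apache 2.2 configuration fragment. This is an added example, not configuration from the thread; it assumes mod_ldap and mod_authnz_ldap are loaded, that accounts live under `ou=users,dc=foo,dc=bar` as `posixAccount` entries, that groups are `posixGroup` entries under `ou=groups,dc=foo,dc=bar`, and that a dedicated read-only `cn=apache` account exists for the lookup. The point is that authentication (the user's own bind) and authorization (membership in `cn=webusers`) are separate decisions, so a valid mail or Samba account does not automatically get web access.

```conf
# httpd.conf fragment (Apache 2.2, mod_authnz_ldap).  Added example; DNs,
# hostname and the lookup account are assumed.
<Location /intranet>
    AuthType Basic
    AuthName "Intranet"
    AuthBasicProvider ldap

    # Look the user up by uid directly under ou=users (scope "one").  The
    # filter restricts the search to real accounts, so an unrelated entry
    # that happens to carry a uid attribute cannot be used to log in.
    AuthLDAPURL "ldaps://ldap.foo.bar/ou=users,dc=foo,dc=bar?uid?one?(objectClass=posixAccount)"

    # A dedicated account with read-only rights for the lookup; never reuse
    # the directory's rootdn here, this password sits in clear in httpd.conf.
    AuthLDAPBindDN "cn=apache,dc=foo,dc=bar"
    AuthLDAPBindPassword "apache-lookup-password"

    # posixGroup lists members by uid in memberUid, not by DN, so tell the
    # module to compare the bare username rather than the user's DN.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # Authorization: a successful bind is not enough, the user must also be
    # listed in cn=webusers.  One such group per service (mailusers,
    # vpnusers, ...) gives per-service access control from one directory.
    Require ldap-group cn=webusers,ou=groups,dc=foo,dc=bar
</Location>
```

The same split works for the other services in the thread: the directory answers "who is this" through a bind, and each service asks "may this person use me" through its own group or filter, which keeps the blast radius of a leaked password to the services that user was actually granted.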
Re: A general purpose LDAP solution?
GOSA is another nice feature-full LDAP manager in PHP; does samba, dns, mail, web, asterisk etc etc etc

On Wed, Mar 26, 2008 at 12:02 AM, Christopher Sean Hilton [EMAIL PROTECTED] wrote:
> [Chris's reply to Jon, quoted in full above; snipped]
Re: A general purpose LDAP solution?
On Mar 25, 2008, at 1:53 PM, Outback Dingo wrote:
> GOSA is another nice feature full LDAP manager in PHP, does samba, dns, mail, web, asterisk etc etc etc

Is Gosa in the ports collection?

-- Chris
Re: A general purpose LDAP solution?
yes it is

On Wed, Mar 26, 2008 at 1:35 AM, Christopher Sean Hilton [EMAIL PROTECTED] wrote:
> On Mar 25, 2008, at 1:53 PM, Outback Dingo wrote:
>> GOSA is another nice feature full LDAP manager in PHP, does samba, dns, mail, web, asterisk etc etc etc
>
> Is Gosa in the ports collection?
>
> -- Chris
Re: A general purpose LDAP solution?
Jon Theil Nielsen wrote:
> I asked this on freebsd-net@ but got no replies. So now I ask the same question here.
>
> [original question quoted in full above; snipped]
>
> Oh, I forgot one more thing: I would also like to be able to authenticate VPN users the same way.
>
> -- Jon Theil Nielsen

It's easy to find out if LDAP is a global solution for you. See if LDAP is an available option in each port's config.

I just finished setting up a LDAP-based email system. Samba is capable, unix logins are capable. There's a good chance everything is. I liked the virtual part of everything, so I stopped after getting email working. I didn't want to open up my system to all sorts of unix/samba logins that might exploit or give me problems.

The email system I documented isn't ready for publishing. I'm having some select friends review it and proofread it first. If there's any interest here, I will provide a 2nd publishing to the general public as a draft. Not to be used exclusively yet.

Jon, you should be able to get most if not all of it working though.

--Tim
Re: A general purpose LDAP solution?
I'd be interested in a read. I am currently using NIS/YP with FreeBSD servers and Linux clients... makes things very interesting. I've been meaning to exploit PAM for a more modern solution but it hasn't been a huge priority.

Is there any support for built-in redundancy on the server level? I just need changes replicated, CARP can handle failover.

-Patrick

On 24/03/2008, Tim Judd [EMAIL PROTECTED] wrote:
> [Tim's reply and Jon's original question, both quoted in full above; snipped]