Re: LDAP support in NetBSD -- my test results

["matthew sporleder" <msporleder%gmail.com@localhost>]

On 6/11/08, Quentin Garnier <cube%cubidou.net@localhost> wrote:
> On Wed, Jun 11, 2008 at 03:27:45PM -0400, matthew sporleder wrote:
>  > I have done some testing of newly ldap-enabled NetBSD components and
>  > found them to work pretty well.
>  >
>  > My environment was netbsd-current i386 hitting osx running a
>  > hand-compiled openldap 2.4.
>  >
>  > A brief summary:
>  > ldap* tools (ldapmodify -- ldapadd and friends are just modules of
>  > modify) work perfectly with ldap and ldaps configured with
>  > /etc/openldap/ldap.conf and ~/.ldaprc
>  >
>  > postfix works with ldap and ldaps.  (I only tested that aliases were
>  > queried)  This is is configured in main.cf and external cf files.
>  >
>  > amd only seems to support ldap (no ldaps).
>
>
> Do you know if any of those can be configured to use the global
>  ldap.conf settings?
>

I don't know.  But I'll give my opinion anyway:
Even the openldap libraries require some "user-only settings" which
have to be set in ~/.ldaprc and can't be read from ldap.conf, so you
would still end up with two config spots (most stuff in ldap.conf, the
rest in ~postfix/.ldaprc, ~root/.ldaprc, etc).  However, I agree that
it would be nice to have a set of defaults that the various apps
respected- server and protocol at least.

>  When I first used dovecot in an LDAP environment, I patched it so it
>  could handle a ldaps server or a "use the library's default" setting
>  (I think that part of the patch has been lost in a later version of
>  dovecot, unfortunately).
>
>  My experience is that the admin is much happier when there is only one
>  place to configure the ldap server settings.
>
>  Also, what kind of tls configuration were you using?
>

I was using self-signed certs that I generated with openssl.  I was
connecting on ldaps (port 636, not starttls/-Z port 389).