Current-Users archive


Re: LDAP support in NetBSD -- my test results



On Thu, 12 Jun 2008 11:57:20 am matthew sporleder wrote:
> On 6/11/08, Quentin Garnier <cube%cubidou.net@localhost> wrote:
> > On Wed, Jun 11, 2008 at 03:27:45PM -0400, matthew sporleder wrote:
> >  > I have done some testing of newly ldap-enabled NetBSD components and
> >  > found them to work pretty well.
> >  >
> >  > My environment was netbsd-current i386 hitting osx running a
> >  > hand-compiled openldap 2.4.
> >  >
> >  > A brief summary:
> >  > ldap* tools (ldapmodify -- ldapadd and friends are just modules of
> >  > modify) work perfectly with ldap and ldaps configured with
> >  > /etc/openldap/ldap.conf and ~/.ldaprc
> >  >
> >  > postfix works with ldap and ldaps.  (I only tested that aliases were
> >  > queried)  This is configured in main.cf and external cf files.
> >  >
> >  > amd only seems to support ldap (no ldaps).
> >
> >
> > Do you know if any of those can be configured to use the global
> >  ldap.conf settings?
> >
> 
> I don't know.  But I'll give my opinion anyway:
> Even the openldap libraries require some "user-only settings" which
> have to be set in ~/.ldaprc and can't be read from ldap.conf, so you
> would still end up with two config spots (most stuff in ldap.conf, the
> rest in ~postfix/.ldaprc, ~root/.ldaprc, etc).  However, I agree that
> it would be nice to have a set of defaults that the various apps
> respected - server and protocol at least.

That's my experience as well. Courier attempts to consolidate this with 
authlib, which is definitely handy for any authlib-capable software but only 
when the authentication specifics are the same and only for authentication 
and maildir location.

Postfix allows the server and base to be specified in the conf for the 
specific query, i.e.:

server_host = spike
search_base = dc=internal
query_filter = (|(mail=%s)(maildrop=%s))
result_attribute = maildrop

Which I think is great as it allows you to keep the query and connection 
together and easily facilitates queries to multiple servers ... which can be 
based on other factors such as which domain is being queried at the time.

> >  When I first used dovecot in an LDAP environment, I patched it so it
> >  could handle a ldaps server or a "use the library's default" setting
> >  (I think that part of the patch has been lost in a later version of
> >  dovecot, unfortunately).
> >
> >  My experience is that the admin is much happier when there is only one
> >  place to configure the ldap server settings.
> >
> >  Also, what kind of tls configuration were you using?
> >
> 
> I was using self-signed certs that I generated with openssl.  I was
> connecting on ldaps (port 636, not starttls/-Z port 389).

I had planned on using ssl but had also planned on upgrading to my domus 
amd64. Do you know what the specific problem was?

Sarton
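The per-query Postfix LDAP table discussed above, carried through to a ldaps connection that verifies the server certificate, as an added example that is not part of this thread and not taken from Postfix's own documentation. The file path, hostname, base DN and CA certificate path are assumed placeholders; the parameter names are those of Postfix's ldap_table(5). Postfix does not support trailing comments on a parameter line, so every comment sits on its own line.

```ini
# Constructed example: /etc/postfix/ldap-aliases.cf (assumed path).
# Referenced from main.cf as, e.g.:
#   alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
# Connection and query live in the same file, so each lookup table can
# point at a different server (one per domain, for instance).

# ldaps on 636, not STARTTLS on 389 (assumed hostname).
server_host = ldaps://ldap.example.internal:636
version = 3
bind = no

# Request and verify the server certificate instead of accepting any
# certificate presented. With a self-signed server certificate, this
# file holds that certificate itself, so the lookup fails rather than
# silently trusting a different server (assumed path).
tls_require_cert = yes
tls_ca_cert_file = /etc/openldap/certs/ldap-server.pem

# Alternative for STARTTLS on 389 instead of ldaps on 636:
#   server_host = ldap://ldap.example.internal:389
#   start_tls = yes

search_base = dc=internal
query_filter = (|(mail=%s)(maildrop=%s))
result_attribute = maildrop
```

The two TLS lines are the check worth adding when the certificates are self-signed: without tls_require_cert the connection is still encrypted, but any server answering on that port is accepted.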

