Re: LDAP support in NetBSD -- my test results
On Wed, Jun 11, 2008 at 10:44 PM, Sarton O'Brien
<bsd-xen%roguewrt.org@localhost> wrote:
> On Thu, 12 Jun 2008 11:57:20 am matthew sporleder wrote:
>> On 6/11/08, Quentin Garnier <cube%cubidou.net@localhost> wrote:
>> > On Wed, Jun 11, 2008 at 03:27:45PM -0400, matthew sporleder wrote:
>> > > I have done some testing of newly ldap-enabled NetBSD components and
>> > > found them to work pretty well.
>> > >
>> > > My environment was netbsd-current i386 hitting osx running a
>> > > hand-compiled openldap 2.4.
>> > >
>> > > A brief summary:
>> > > ldap* tools (ldapmodify -- ldapadd and friends are just modules of
>> > > modify) work perfectly with ldap and ldaps configured with
>> > > /etc/openldap/ldap.conf and ~/.ldaprc
>> > >
>> > > postfix works with ldap and ldaps. (I only tested that aliases were
>> > > queried) This is configured in main.cf and external cf files.
>> > >
>> > > amd only seems to support ldap (no ldaps).
>> >
>> >
>> > Do you know if any of those can be configured to use the global
>> > ldap.conf settings?
>> >
>>
>> I don't know. But I'll give my opinion anyway:
>> Even the openldap libraries require some "user-only settings" which
>> have to be set in ~/.ldaprc and can't be read from ldap.conf, so you
>> would still end up with two config spots (most stuff in ldap.conf, the
>> rest in ~postfix/.ldaprc, ~root/.ldaprc, etc). However, I agree that
>> it would be nice to have a set of defaults that the various apps
>> respected - server and protocol at least.
>
> That's my experience as well. Courier attempts to consolidate this with
> authlib, which is definitely handy for any authlib capable software but only
> when the authentication specifics are the same and only for authentication
> and maildir location.
>
> Postfix allows the server and base to be specified in the conf for the
> specific query ie:
>
> server_host = spike
> search_base = dc=internal
> query_filter = (|(mail=%s)(maildrop=%s))
> result_attribute = maildrop
>
> Which I think is great as it allows you to keep the query and connection
> together and easily facilitates queries to multiple servers ... which can be
> based on other factors such as which domain is being queried at the time.
>
>> > When I first used dovecot in an LDAP environment, I patched it so it
>> > could handle a ldaps server or a "use the library's default" setting
>> > (I think that part of the patch has been lost in a later version of
>> > dovecot, unfortunately).
>> >
>> > My experience is that the admin is much happier when there is only one
>> > place to configure the ldap server settings.
>> >
>> > Also, what kind of tls configuration were you using?
>> >
>>
>> I was using self-signed certs that I generated with openssl. I was
>> connecting on ldaps (port 636, not starttls/-Z port 389).
>
> I had planned on using ssl but had also planned on upgrading to my domus
> amd64. Do you know what the specific problem was?
>
I didn't have any problems with ssl except amd not supporting it. I
didn't test (although I'm sure it would work) starttls over port 389
(where unencrypted traffic usually lives).
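As an added example, not taken from the thread above: the per-query Postfix LDAP table discussed earlier, extended to use ldaps and to actually verify the server's self-signed certificate, next to the system-wide ldap.conf it complements. The hostname spike.internal, the CA file path and the alias_maps line are assumptions.

```ini
# /etc/postfix/ldap-aliases.cf  (assumed file name)
# Referenced from main.cf as, for example:
#   alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
# Connection and query live in one file, so a second table can point at
# a different server for a different domain.
server_host = ldaps://spike.internal:636
version = 3
bind = no
search_base = dc=internal
query_filter = (|(mail=%s)(maildrop=%s))
result_attribute = maildrop
# With a self-signed certificate the client still has to pin something:
# trust the server's own CA file and refuse to connect when the peer
# certificate does not verify. Without tls_require_cert = yes the default
# (no) encrypts the session but accepts any certificate.
tls_ca_cert_file = /etc/openldap/cacert.pem
tls_require_cert = yes
# STARTTLS on the plain port is the alternative the thread left untested:
#   server_host = ldap://spike.internal:389
#   start_tls = yes

# /etc/openldap/ldap.conf  (system-wide defaults for libldap and ldap* tools)
URI         ldaps://spike.internal
BASE        dc=internal
# "demand" fails the handshake on an unverifiable certificate; "never"
# is the weak setting that silently accepts anything.
TLS_CACERT  /etc/openldap/cacert.pem
TLS_REQCERT demand
```

Check the result from the postfix user with `postmap -q someone@example.internal ldap:/etc/postfix/ldap-aliases.cf`, which exercises the TLS settings of the table rather than those of ldap.conf.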