Current-Users archive


Re: LDAP support in NetBSD -- my test results



On Wed, Jun 11, 2008 at 10:44 PM, Sarton O'Brien 
<bsd-xen%roguewrt.org@localhost> wrote:
> On Thu, 12 Jun 2008 11:57:20 am matthew sporleder wrote:
>> On 6/11/08, Quentin Garnier <cube%cubidou.net@localhost> wrote:
>> > On Wed, Jun 11, 2008 at 03:27:45PM -0400, matthew sporleder wrote:
>> >  > I have done some testing of newly ldap-enabled NetBSD components and
>> >  > found them to work pretty well.
>> >  >
>> >  > My environment was netbsd-current i386 hitting osx running a
>> >  > hand-compiled openldap 2.4.
>> >  >
>> >  > A brief summary:
>> >  > ldap* tools (ldapmodify -- ldapadd and friends are just modules of
>> >  > modify) work perfectly with ldap and ldaps configured with
>> >  > /etc/openldap/ldap.conf and ~/.ldaprc
>> >  >
>> >  > postfix works with ldap and ldaps.  (I only tested that aliases were
>> >  > queried)  This is configured in main.cf and external cf files.
>> >  >
>> >  > amd only seems to support ldap (no ldaps).
>> >
>> >
>> > Do you know if any of those can be configured to use the global
>> >  ldap.conf settings?
>> >
>>
>> I don't know.  But I'll give my opinion anyway:
>> Even the openldap libraries require some "user-only settings" which
>> have to be set in ~/.ldaprc and can't be read from ldap.conf, so you
>> would still end up with two config spots (most stuff in ldap.conf, the
>> rest in ~postfix/.ldaprc, ~root/.ldaprc, etc).  However, I agree that
>> it would be nice to have a set of defaults that the various apps
>> respected: server and protocol at least.
>
> That's my experience as well. Courier attempts to consolidate this with
> authlib, which is definitely handy for any authlib capable software but only
> when the authentication specifics are the same and only for authentication
> and maildir location.
>
> Postfix allows the server and base to be specified in the conf for the
> specific query, i.e.:
>
> server_host = spike
> search_base = dc=internal
> query_filter = (|(mail=%s)(maildrop=%s))
> result_attribute = maildrop
>
> Which I think is great as it allows you to keep the query and connection
> together and easily facilitates queries to multiple servers ... which can be
> based on other factors such as which domain is being queried at the time.
>
>> >  When I first used dovecot in an LDAP environment, I patched it so it
>> >  could handle a ldaps server or a "use the library's default" setting
>> >  (I think that part of the patch has been lost in a later version of
>> >  dovecot, unfortunately).
>> >
>> >  My experience is that the admin is much happier when there is only one
>> >  place to configure the ldap server settings.
>> >
>> >  Also, what kind of tls configuration were you using?
>> >
>>
>> I was using self-signed certs that I generated with openssl.  I was
>> connecting on ldaps (port 636, not starttls/-Z port 389).
>
> I had planned on using ssl but had also planned on upgrading to my domUs
> amd64. Do you know what the specific problem was?
>


I didn't have any problems with ssl except amd not supporting it.  I
didn't test (although I'm sure it would work) starttls over port 389
(where unencrypted traffic usually lives).
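The thread contrasts a per-query Postfix LDAP map (server and base alongside the filter) with ldaps versus plain ldap on port 389. The following is an added example, not code from the thread or from Postfix: a small audit script that parses Postfix ldap_table(5)-style map files and flags maps that would talk plaintext LDAP or skip server certificate verification. The weak sample mirrors the map Sarton posted; the hardened sample uses the real ldap_table(5) keys `start_tls`, `tls_require_cert`, `tls_ca_cert_file` and `bind_pw`, but the hostname `spike.internal`, the bind DN and the CA path are constructed placeholders.

```python
"""Audit Postfix ldap_table(5) map files for plaintext or unverified LDAP.

Added example for the ldap/ldaps discussion; not part of the thread or Postfix.
"""

# Constructed sample: the map from the thread, which talks plain ldap to "spike".
WEAK_MAP = """\
server_host = spike
search_base = dc=internal
query_filter = (|(mail=%s)(maildrop=%s))
result_attribute = maildrop
"""

# Constructed sample: same query over ldaps:// (port 636) with the server
# certificate checked against an assumed local CA file. Hostname, bind DN,
# password and CA path are placeholders, not values from the thread.
HARDENED_MAP = """\
server_host = ldaps://spike.internal:636
search_base = dc=internal
query_filter = (|(mail=%s)(maildrop=%s))
result_attribute = maildrop
bind = yes
bind_dn = cn=postfix,dc=internal
bind_pw = PLACEHOLDER-CHANGE-ME
tls_require_cert = yes
tls_ca_cert_file = /etc/openssl/certs/internal-ca.pem
"""


def parse_map(text):
    """Parse 'key = value' lines (Postfix map syntax); comments and blanks skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        # Split on the first '=' only: query_filter values contain '=' themselves.
        key, _, value = line.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def audit_map(text):
    """Return a list of findings; an empty list means the map passed."""
    p = parse_map(text)
    findings = []
    # server_host is a whitespace-separated list of hosts or LDAP URLs.
    hosts = p.get("server_host", "").split()
    if not hosts:
        findings.append("no server_host set")
    start_tls = p.get("start_tls", "no").lower() == "yes"
    for host in hosts:
        if host.startswith("ldaps://") or host.startswith("ldapi://"):
            continue  # TLS on 636, or a local Unix socket
        if not start_tls:
            findings.append(f"{host}: plaintext LDAP (no ldaps:// and start_tls=no)")
    uses_tls = start_tls or any(h.startswith("ldaps://") for h in hosts)
    if uses_tls:
        # Encryption without verification still accepts any server certificate.
        if p.get("tls_require_cert", "no").lower() != "yes":
            findings.append("tls_require_cert is not yes: server certificate not verified")
        if not p.get("tls_ca_cert_file") and not p.get("tls_ca_cert_dir"):
            findings.append("no tls_ca_cert_file/tls_ca_cert_dir: nothing to verify against")
    if p.get("bind", "no").lower() == "yes" and p.get("bind_pw") and not uses_tls:
        findings.append("bind_pw would be sent over plaintext")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_MAP), ("hardened", HARDENED_MAP)):
        print(name, audit_map(text) or "ok")
```

Point it at each file you reference from main.cf (`ldap:/etc/postfix/aliases.cf` and friends) by reading the file into `audit_map`; a map that names a bare hostname with `start_tls = no` is exactly the unencrypted port-389 case mentioned above, and one that uses ldaps:// but leaves `tls_require_cert` at its default gets encryption without knowing which server it reached.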

