mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
Misc notes
This commit is contained in:
parent
127c7a1381
commit
e91b0435e2
@ -1,10 +1,15 @@
|
||||
LDAP auxprop plugin for SASL-enabled servers.
|
||||
Copyright (C) 2002 by Howard Chu, hyc@symas.com
|
||||
Copyright (C) 2002,2003 by Howard Chu, hyc@symas.com
|
||||
|
||||
This software is an experimental proof-of-concept and is not intended for
|
||||
general use. It is licensed under the terms ofthe OpenLDAP license.
|
||||
This software is licensed under the terms of the OpenLDAP license.
|
||||
|
||||
The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3.
|
||||
Due to various bugs in the Cyrus source you should use Cyrus SASL 2.1.15
|
||||
or newer. The version of ldapdb bundled with OpenLDAP 2.1.22 and older
|
||||
will work with all OpenLDAP releases 2.1.3 and up. The ldapdb in
|
||||
OpenLDAP 2.1.23 uses a different LDAP request and requires the server
|
||||
to be 2.1.23 or newer.
|
||||
|
||||
It can be compiled by copying into the Cyrus SASL source tree, in the
|
||||
plugins subdirectory. No configuration or build script is provided.
|
||||
|
||||
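Review bot: the new compatibility paragraph leaves the failure mode undocumented: it says the 2.1.23 ldapdb "uses a different LDAP request and requires the server to be 2.1.23 or newer", but not what happens when the plugin is newer than slapd. State whether the older server rejects the request so that logins fail closed rather than degrade, since administrators upgrading only one side will hit this first. Separately, "Due to various bugs in the Cyrus source" would be more useful with a pointer to which Cyrus fixes the plugin relies on.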
@ -12,21 +17,21 @@ To compile, type "make ldapdb.lo". To link, you'll have to copy the
|
||||
link rule for one of the other plugins. Below is a sample on my Linux
|
||||
system:
|
||||
|
||||
/bin/sh ./libtool --mode=link gcc -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto
|
||||
/bin/sh ../libtool --mode=link gcc -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto
|
||||
|
||||
Once installed, you need to add some config items to the SASL server's
|
||||
config file in /usr/lib/sasl2. For example:
|
||||
|
||||
ldapdb_uri: ldapi://
|
||||
ldapdb_uri: ldap://ldap.example.com
|
||||
ldapdb_id: root
|
||||
ldapdb_pw: secret
|
||||
ldapdb_mech: PLAIN
|
||||
ldapdb_mech: DIGEST-MD5
|
||||
|
||||
This config assumes an LDAP server on the same machine as the server
|
||||
that is using SASL. The LDAP server must be configured to map the SASL
|
||||
authcId "root" into a DN that has proxy authorization privileges to
|
||||
every account that is allowed to login to this server. (See the OpenLDAP
|
||||
Admin Guide for details.)
|
||||
Admin Guide section 10 for details.)
|
||||
|
||||
Unlike other LDAP-enabled plugins for other services that are common
|
||||
on the web, this plugin does not require you to configure DN search
|
||||
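Review bot: the example config and the explanation below it now disagree: "ldapdb_uri" was changed from "ldapi://" to "ldap://ldap.example.com" and the mechanism to DIGEST-MD5, but the following paragraph still says "This config assumes an LDAP server on the same machine as the server that is using SASL". Either keep the ldapi:// example or reword the paragraph for a remote slapd. With a remote URI, DIGEST-MD5 keeps "ldapdb_pw: secret" off the wire but the rest of the session is still cleartext unless StartTLS is required, and the config file in /usr/lib/sasl2 now holds a credential that maps to proxy authorization over every account, so it is worth stating that the file must be readable only by the SASL server's user.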
@ -35,7 +40,7 @@ mapping to be configured on the target slapd. This approach keeps the
|
||||
LDAP-specific configuration details in one place, the slapd.conf, and
|
||||
makes the configuration of remote services much simpler.
|
||||
|
||||
One additional keyword "ldapdb_rc" may be specified in the config file.
|
||||
An additional keyword "ldapdb_rc" may be specified in the config file.
|
||||
The filename specified here will be put into the server's LDAPRC
|
||||
environment variable, and libldap-specific config options may be set
|
||||
in that ldaprc file. The main purpose behind this option is to allow
|
||||
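Review bot: the wording change is fine, but the paragraph should say that LDAPRC is set in the environment of the whole server process, so any other libldap use inside the same server will also read that ldaprc file; an admin choosing a filename to carry a client certificate needs to know the setting is not scoped to this plugin.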
@ -43,11 +48,11 @@ a client TLS certificate to be configured, so that SASL/EXTERNAL may
|
||||
be used between the SASL server and the LDAP server. This is the most
|
||||
optimal way to use this plugin when the servers are on separate machines.
|
||||
|
||||
This plugin likely has very poor performance. You'll need something
|
||||
better for a real production environment. Please send feedback via the
|
||||
openldap-software mailing list for now.
|
||||
This plugin has been in use for over a year at many sites with good
|
||||
results. If you have questions or problems, please send feedback via
|
||||
the openldap-software mailing list.
|
||||
|
||||
-- Howard Chu, 2002-07-12
|
||||
-- Howard Chu
|
||||
|
||||
Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://.
|
||||
This is fast and secure, and needs no username or password to be stored.
|
||||
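Review bot: the signature loses its date ("-- Howard Chu, 2002-07-12" becomes "-- Howard Chu") while the file keeps version-dated "Update..." paragraphs below it; keep a date on the signature (or bump it to the date of this revision) so readers can tell when statements such as "in use for over a year at many sites" were written. The replaced text also removes the only performance caveat; if the "very poor performance" concern is now resolved, one line saying so would stop readers of older copies from second-guessing the new claim.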
@ -64,9 +69,9 @@ sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
|
||||
sasl-regexp uid=(.*),cn=external,cn=auth
|
||||
ldap:///dc=example,dc=com??sub?(uid=$1)
|
||||
|
||||
One more update: you can use the ldapdb_starttls keyword to use the
|
||||
StartTLS extended operation on an LDAP session. This item may be set
|
||||
to either "try" or "demand", e.g.:
|
||||
Update... With OpenLDAP 2.1.23 you can use the ldapdb_starttls keyword
|
||||
to use the StartTLS extended operation on an LDAP session. This item
|
||||
may be set to either "try" or "demand", e.g.:
|
||||
|
||||
ldapdb_uri: ldap://ldap.example.com
|
||||
ldapdb_starttls: try
|
||||
|
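Review bot: the example shows "ldapdb_starttls: try" without explaining how it differs from "demand". If "try" proceeds without TLS when the StartTLS extended operation fails, say so explicitly, and prefer "demand" in the example that pairs with the "ldap://ldap.example.com" URI, since a silent fallback leaves the LDAP session, including the proxied operations performed for every authenticated user, unprotected on the network; "try" can then be described as the option for mixed deployments where some servers lack TLS.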