Mirror of https://git.openldap.org/openldap/openldap.git (synced 2024-12-21 03:10:25 +08:00)
Misc notes
parent 127c7a1381
commit e91b0435e2
@ -1,10 +1,15 @@
|
|||||||
LDAP auxprop plugin for SASL-enabled servers.
|
LDAP auxprop plugin for SASL-enabled servers.
|
||||||
Copyright (C) 2002 by Howard Chu, hyc@symas.com
|
Copyright (C) 2002,2003 by Howard Chu, hyc@symas.com
|
||||||
|
|
||||||
This software is an experimental proof-of-concept and is not intended for
|
This software is licensed under the terms of the OpenLDAP license.
|
||||||
general use. It is licensed under the terms ofthe OpenLDAP license.
|
|
||||||
|
|
||||||
The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3.
|
The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3.
|
||||||
|
Due to various bugs in the Cyrus source you should use Cyrus SASL 2.1.15
|
||||||
|
or newer. The version of ldapdb bundled with OpenLDAP 2.1.22 and older
|
||||||
|
will work with all OpenLDAP releases 2.1.3 and up. The ldapdb in
|
||||||
|
OpenLDAP 2.1.23 uses a different LDAP request and requires the server
|
||||||
|
to be 2.1.23 or newer.
|
||||||
|
|
||||||
It can be compiled by copying into the Cyrus SASL source tree, in the
|
It can be compiled by copying into the Cyrus SASL source tree, in the
|
||||||
plugins subdirectory. No configuration or build script is provided.
|
plugins subdirectory. No configuration or build script is provided.
|
||||||
|
|
||||||
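Review bot: the compatibility paragraph added here tells readers to use Cyrus SASL 2.1.15 or newer "due to various bugs in the Cyrus source" without naming them; state the symptom an operator would see with an older Cyrus (or cite the Cyrus bug entries) so readers can tell whether they are affected, and do the same for the new 2.1.23 server requirement, since a mismatched ldapdb/slapd pair will fail at authentication time rather than at build time. The rewritten license sentence also fixes the "ofthe" typo of the old text, which is good; "2002,2003" in the copyright line would read more conventionally as "2002-2003".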
@ -12,21 +17,21 @@ To compile, type "make ldapdb.lo". To link, you'll have to copy the
|
|||||||
link rule for one of the other plugins. Below is a sample on my Linux
|
link rule for one of the other plugins. Below is a sample on my Linux
|
||||||
system:
|
system:
|
||||||
|
|
||||||
/bin/sh ./libtool --mode=link gcc -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto
|
/bin/sh ../libtool --mode=link gcc -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto
|
||||||
|
|
||||||
Once installed, you need to add some config items to the SASL server's
|
Once installed, you need to add some config items to the SASL server's
|
||||||
config file in /usr/lib/sasl2. For example:
|
config file in /usr/lib/sasl2. For example:
|
||||||
|
|
||||||
ldapdb_uri: ldapi://
|
ldapdb_uri: ldap://ldap.example.com
|
||||||
ldapdb_id: root
|
ldapdb_id: root
|
||||||
ldapdb_pw: secret
|
ldapdb_pw: secret
|
||||||
ldapdb_mech: PLAIN
|
ldapdb_mech: DIGEST-MD5
|
||||||
|
|
||||||
This config assumes an LDAP server on the same machine as the server
|
This config assumes an LDAP server on the same machine as the server
|
||||||
that is using SASL. The LDAP server must be configured to map the SASL
|
that is using SASL. The LDAP server must be configured to map the SASL
|
||||||
authcId "root" into a DN that has proxy authorization privileges to
|
authcId "root" into a DN that has proxy authorization privileges to
|
||||||
every account that is allowed to login to this server. (See the OpenLDAP
|
every account that is allowed to login to this server. (See the OpenLDAP
|
||||||
Admin Guide for details.)
|
Admin Guide section 10 for details.)
|
||||||
|
|
||||||
Unlike other LDAP-enabled plugins for other services that are common
|
Unlike other LDAP-enabled plugins for other services that are common
|
||||||
on the web, this plugin does not require you to configure DN search
|
on the web, this plugin does not require you to configure DN search
|
||||||
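Review bot: the example config now points at ldap://ldap.example.com, but the paragraph that follows it still says "This config assumes an LDAP server on the same machine as the server that is using SASL"; either keep the ldapi:// example or reword that sentence, because the sample and the text now disagree. Switching the example mechanism from PLAIN to DIGEST-MD5 is the right move once the URI is a network ldap:// URL, since PLAIN would send ldapdb_pw in the clear; it is worth saying so explicitly, and worth adding that the config file in /usr/lib/sasl2 holds that password and must not be world-readable. "Admin Guide section 10" will go stale when the guide is renumbered; refer to the section by title instead.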
@ -35,7 +40,7 @@ mapping to be configured on the target slapd. This approach keeps the
|
|||||||
LDAP-specific configuration details in one place, the slapd.conf, and
|
LDAP-specific configuration details in one place, the slapd.conf, and
|
||||||
makes the configuration of remote services much simpler.
|
makes the configuration of remote services much simpler.
|
||||||
|
|
||||||
One additional keyword "ldapdb_rc" may be specified in the config file.
|
An additional keyword "ldapdb_rc" may be specified in the config file.
|
||||||
The filename specified here will be put into the server's LDAPRC
|
The filename specified here will be put into the server's LDAPRC
|
||||||
environment variable, and libldap-specific config options may be set
|
environment variable, and libldap-specific config options may be set
|
||||||
in that ldaprc file. The main purpose behind this option is to allow
|
in that ldaprc file. The main purpose behind this option is to allow
|
||||||
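Review bot: the wording change ("An additional keyword") is fine; while touching this paragraph, add that LDAPRC is an environment variable of the whole server process, so the ldaprc file named by ldapdb_rc is picked up by every libldap client in that process, not only by this plugin, and that the file is read with the server's privileges, so its ownership and permissions deserve the same care as the SASL config file.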
@ -43,11 +48,11 @@ a client TLS certificate to be configured, so that SASL/EXTERNAL may
|
|||||||
be used between the SASL server and the LDAP server. This is the most
|
be used between the SASL server and the LDAP server. This is the most
|
||||||
optimal way to use this plugin when the servers are on separate machines.
|
optimal way to use this plugin when the servers are on separate machines.
|
||||||
|
|
||||||
This plugin likely has very poor performance. You'll need something
|
This plugin has been in use for over a year at many sites with good
|
||||||
better for a real production environment. Please send feedback via the
|
results. If you have questions or problems, please send feedback via
|
||||||
openldap-software mailing list for now.
|
the openldap-software mailing list.
|
||||||
|
|
||||||
-- Howard Chu, 2002-07-12
|
-- Howard Chu
|
||||||
|
|
||||||
Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://.
|
Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://.
|
||||||
This is fast and secure, and needs no username or password to be stored.
|
This is fast and secure, and needs no username or password to be stored.
|
||||||
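Review bot: the signature line loses its date ("-- Howard Chu, 2002-07-12") while the rest of the file is a sequence of "Update..." paragraphs whose order only makes sense chronologically; keep the original date and date each update rather than dropping the one timestamp the file had. "This is the most optimal way" on the context lines is redundant ("the best way"), and the new production-readiness claim would carry more weight with one sentence on what "good results" covered (load, number of users).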
@ -64,9 +69,9 @@ sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
|
|||||||
sasl-regexp uid=(.*),cn=external,cn=auth
|
sasl-regexp uid=(.*),cn=external,cn=auth
|
||||||
ldap:///dc=example,dc=com??sub?(uid=$1)
|
ldap:///dc=example,dc=com??sub?(uid=$1)
|
||||||
|
|
||||||
One more update: you can use the ldapdb_starttls keyword to use the
|
Update... With OpenLDAP 2.1.23 you can use the ldapdb_starttls keyword
|
||||||
StartTLS extended operation on an LDAP session. This item may be set
|
to use the StartTLS extended operation on an LDAP session. This item
|
||||||
to either "try" or "demand", e.g.:
|
may be set to either "try" or "demand", e.g.:
|
||||||
|
|
||||||
ldapdb_uri: ldap://ldap.example.com
|
ldapdb_uri: ldap://ldap.example.com
|
||||||
ldapdb_starttls: try
|
ldapdb_starttls: try
|
||||||
|
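Review bot: the paragraph says ldapdb_starttls may be "try" or "demand" but not what "try" does when the StartTLS extended operation fails; if the session then continues without TLS, say so, and consider showing ldapdb_starttls: demand in the example, since a sample config that silently falls back to cleartext is what people copy. Tying the note to OpenLDAP 2.1.23 is consistent with the version requirement added in the first hunk.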