
RE: Adding Schemas



What we really need to clearly point out somewhere
(in the home page, in red, blinking?) is that the
fact that SASL can store passwords in the database,
or use pam, via pam-ldap, to auth people against
an LDAP server, doesn't mean one needs to have the
whole loop set up.  This mech is the (evil) result
of so many layers, tools, stuff being all enabled
to talk to each other bidirectionally.  It was done
to offer as much flexibility as possible to system
administrators and identity management designers,
but simple solutions, if possible, must be chosen
first.

The possibility to store sasl creds in an LDAP
is for those that have a CREDENTIALS server that
is accessed solely by SASL, and other servers that
auth via SASL to implement centralized identity
management.

If one has only one server and plans to store creds
in the server, most of the loop can be avoided.

I'm sure i forgot something, and more involved
IM designers can explain it better than me;
however, I think this is something that should
be clear from the beginning.

p.


>> -----Original Message-----
>> From: owner-openldap-software@OpenLDAP.org
>> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jason Gray
>> Sent: Wednesday, March 10, 2004 6:39 PM
>> To: Adam Williams; LDAP
>> Subject: RE: Adding Schemas
>>
>>
>> I did get the schemas to appear...now I'm faced with making
>> Postfix (which
>> is one server) authenticate against my LDAP server (on
>> another box).  I've
>> been able to configure the postfix main.cf file to bind to
>> the LDAP server
>> but I'm still getting authentication errors:
>>
>> pam_ldap: error trying to bind as user
>> "uid=jgray,cn=Users,ou=People,sambaDomainName=BARDELCA,dc=bard
>> el,dc=ca"
>> (Invalid credentials)
>>
>> I'm somewhat confused as to whether or not I need to be
>> running cyrus and
>> sasl on the LDAP server for authentication since the mail server was
>> originally setup to use them.  I've read the LDAP_README in
>> the Postfix
>> readme docs and there's nothing there that I haven't done yet.
>>
>> The user jgray does exist in the LDAP and has a password etc.
>> I guess I
>> can't tell if the issue is with LDAP, Postfix, SASL or Cyrus or a
>> combination.  Any thoughts?
>
> You really need to think more clearly about what you're trying to
> accomplish. Maybe sketching it out on paper will help you. What you've
> described so far sounds like:
>
>  postfix -> LDAP -> SASL -> PAM -> pam_ldap -> LDAP
>
> This is unnecessarily convoluted, and all the steps into and out of
> PAM/LDAP are ridiculous. Figure out what you really want to do first,
> find the configuration that takes the most direct path to get there,
> then test it step by step.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
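The "loop" Howard sketches above (postfix -> LDAP -> SASL -> PAM -> pam_ldap -> LDAP) is easy to reason about once the delegation chain is written down as data. The script below is an added example, not code from the thread or from OpenLDAP: it follows each component to the one it delegates credential checking to, reports the path, and flags the point where the chain revisits a component. The component names and both chains are constructed; the "direct" chain (Postfix handing credentials to SASL, which checks them against the single LDAP server that stores them) is an assumption matching the reply's advice to avoid most of the loop, not a configuration the thread spells out.

```python
"""Trace an authentication delegation chain and flag loops.

Added example, not part of the OpenLDAP list thread. Component names
and the two chains below are constructed to mirror the thread: the
convoluted one Howard Chu sketched and a direct one of the kind the
reply recommends. Each chain maps a component to the component it
delegates credential checking to (None = checks credentials locally).
"""
from typing import Dict, List, Optional, Tuple

# Constructed: the chain described in the thread. pam_ldap binds back to
# the same LDAP server that was asked to check the credentials, so the
# chain revisits "ldap".
CONVOLUTED: Dict[str, Optional[str]] = {
    "postfix": "ldap",
    "ldap": "sasl",
    "sasl": "pam",
    "pam": "pam_ldap",
    "pam_ldap": "ldap",
}

# Constructed (assumption): one LDAP server that stores the credentials
# itself; Postfix hands them to SASL, which checks them against that server.
DIRECT: Dict[str, Optional[str]] = {
    "postfix": "sasl",
    "sasl": "ldap",
    "ldap": None,
}


def trace(chain: Dict[str, Optional[str]], start: str) -> Tuple[List[str], Optional[str]]:
    """Follow delegations from `start`.

    Returns (path, loop_at): path is the ordered list of components visited;
    loop_at names the first component reached a second time, or None when
    the chain ends at a component that checks credentials locally.
    """
    path: List[str] = []
    seen = set()
    node: Optional[str] = start
    while node is not None:
        if node in seen:
            return path, node
        seen.add(node)
        path.append(node)
        if node not in chain:
            raise KeyError(f"component {node!r} has no delegation entry")
        node = chain[node]
    return path, None


def describe(chain: Dict[str, Optional[str]], start: str) -> str:
    """One-line verdict: the path taken and whether it loops back on itself."""
    path, loop_at = trace(chain, start)
    arrows = " -> ".join(path)
    if loop_at is not None:
        # len(path) delegations were followed before the repeat was hit
        return f"LOOP: {arrows} -> {loop_at} (revisits {loop_at} after {len(path)} delegations)"
    return f"OK: {arrows} ({len(path) - 1} delegations)"


if __name__ == "__main__":
    for name, chain in (("convoluted", CONVOLUTED), ("direct", DIRECT)):
        print(f"{name:10s} {describe(chain, 'postfix')}")
```

Run as-is it prints a LOOP line for the first chain and an OK line with two delegations for the second; the useful habit is to write your own planned chain into a mapping like these before touching slapd.conf or main.cf, since a loop in that mapping means the LDAP server is both asking SASL to check a password and being asked, via pam_ldap, to check it again.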