[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Adding Schemas

What we really need to clearly point out somewhere
(in the home page, in red, blinking?) is that the
fact that SASL can store passwords in the database,
or use pam, via pam-ldap, to auth people against
an LDAP server, doesn't mean one needs to have the
whole loop set up.  This mech is the (evil) result
of so many layers, tools, stuff being all enabled
to talk to eachother bidirectionally.  It was done
to offer as much flexibility as possible to system
administrators and identity management designers,
but simple solutions, if possible, must be chosen

The possibility to store sasl creds in an LDAP
is for those that have a CREDENTIALS server that
is accessed solely by SASL, and other servers that
auth via SASL to implement centralized identity

If one has only one server and plans to store creds
in the server, most of the loop can be avoided.

I'm sure i forgot something, and more involved
IM designers can explain it better than me;
however, I think this is something that should
be clear from the beginning.


>> -----Original Message-----
>> From: owner-openldap-software@OpenLDAP.org
>> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jason Gray
>> Sent: Wednesday, March 10, 2004 6:39 PM
>> To: Adam Williams; LDAP
>> Subject: RE: Adding Schemas
>> I did get the schemas to appear...now I'm faced with making
>> Postfix (which
>> is one server) authenticate against my LDAP server (on
>> another box).  I've
>> been able to configure the postfix main.cf file to bind to
>> the LDAP server
>> but I'm still getting authentication errors:
>> pam_ldap: error trying to bind as user
>> "uid=jgray,cn=Users,ou=People,sambaDomainName=BARDELCA,dc=bard
>> el,dc=ca"
>> (Invalid credentials)
>> I'm somewhat confused at to whether or not I need to be
>> running cyrus and
>> sasl on the LDAP server for authentication since the mail server was
>> originally setup to use them.  I've read the LDAP_README in
>> the Postfix
>> readme docs and there's nothing there that I haven't done yet.
>> The user jgray does exist in the LDAP and has a password etc.
>>  I guess I
>> can't tell if the issue is with LDAP, Postfix, SASL or Cyrus or a
>> combination.  Any thoughts?
> You really need to think more clearly about what you're trying to
> accomplish. Maybe sketching it out on paper will help you. What you've
> described so far sounds like:
>  postfix -> LDAP -> SASL -> PAM -> pam_ldap -> LDAP
> This is unnecessarily convoluted, and all the steps into and out of
> PAM/LDAP are ridiculous. Figure out what you really want to do first,
> find the configuration that takes the most direct path to get there,
> then test it step by step.
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support

Pierangelo Masarati