Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 49751 Details for
Bug 79864
compile the ldapdb auxprop plugin from openldap contrib if ldap is in USE
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
README.ldap goes into ${FILESDIR}
README.ldapdb (text/plain), 4.02 KB, created by
paul
on 2005-01-28 09:27:17 UTC
(
hide
)
Description:
README.ldap goes into ${FILESDIR}
Filename:
MIME Type:
Creator:
paul
Created:
2005-01-28 09:27:17 UTC
Size:
4.02 KB
patch
obsolete
>LDAP auxprop plugin for SASL-enabled servers. >Copyright (C) 2002,2003 by Howard Chu, hyc@symas.com > >This software is licensed under the terms of the OpenLDAP license. > >The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3. >Due to various bugs in the Cyrus source you should use Cyrus SASL 2.1.15 >or newer. You need at least Cyrus SASL 2.1.16 to use the auxprop-store >functionality. > >The version of ldapdb bundled with OpenLDAP 2.1.22 and older will work >with all OpenLDAP releases 2.1.3 and up. The ldapdb in OpenLDAP 2.1.23 >uses a different LDAP request and requires the server to be 2.1.23 or newer. > >It can be compiled by copying into the Cyrus SASL source tree, in the >plugins subdirectory. No configuration or build script is provided. > >To compile, type "make ldapdb.lo". To link, you'll have to copy the >link rule for one of the other plugins. Below is a sample on my Linux >system: > > /bin/sh ../libtool --mode=link gcc -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto > >Once installed, you need to add some config items to the SASL server's >config file in /usr/lib/sasl2. For example: > >ldapdb_uri: ldap://ldap.example.com >ldapdb_id: root >ldapdb_pw: secret >ldapdb_mech: DIGEST-MD5 > >This config assumes an LDAP server on the same machine as the server >that is using SASL. The LDAP server must be configured to map the SASL >authcId "root" into a DN that has proxy authorization privileges to >every account that is allowed to login to this server. (See the OpenLDAP >Admin Guide section 10 for details.) > >Unlike other LDAP-enabled plugins for other services that are common >on the web, this plugin does not require you to configure DN search >patterns to map usernames to LDAP DNs. This plugin requires SASL name >mapping to be configured on the target slapd. This approach keeps the >LDAP-specific configuration details in one place, the slapd.conf, and >makes the configuration of remote services much simpler. > >An additional keyword "ldapdb_rc" may be specified in the config file. >The filename specified here will be put into the server's LDAPRC >environment variable, and libldap-specific config options may be set >in that ldaprc file. The main purpose behind this option is to allow >a client TLS certificate to be configured, so that SASL/EXTERNAL may >be used between the SASL server and the LDAP server. This is the most >optimal way to use this plugin when the servers are on separate machines. > >Note: this plugin is not for use with slapd itself. When OpenLDAP is >built with SASL support, slapd uses its own internal auxprop module. >By default, without configuring anything else, slapd will fail to load >the ldapdb module when it's present. This is as it should be. If you >don't like the "auxpropfunc: error -7" message that is sent to syslog >by slapd, you can stop it by creating /usr/lib/sasl2/slapd.conf with: > > auxprop_plugin: slapd > >which will force the SASL library to ignore all other auxprop modules. > >This plugin has been in use for over a year at many sites with good >results. If you have questions or problems, please send feedback via >the openldap-software mailing list. > > -- Howard Chu > >Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://. >This is fast and secure, and needs no username or password to be stored. >The SASL config file is just > >ldapdb_uri: ldapi:// >ldapdb_mech: EXTERNAL > >The slapd.conf will need to map these usernames to LDAP DNs: > >sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth > ldap:///dc=example,dc=com??sub?(&(uidNumber=$1)(gidNumber=$2)) > >sasl-regexp uid=(.*),cn=external,cn=auth > ldap:///dc=example,dc=com??sub?(uid=$1) > >Update... With OpenLDAP 2.1.23 you can use the ldapdb_starttls keyword >to use the StartTLS extended operation on an LDAP session. This item >may be set to either "try" or "demand", e.g.: > >ldapdb_uri: ldap://ldap.example.com >ldapdb_starttls: try > >When set to "try" any failure in StartTLS is ignored. When set to "demand" >then any failure aborts the connection.
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=49751">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 79864
:
49750
| 49751 |
49752
|
49753
