web2ldap for Samba4
Michael Ströder
michael at stroeder.com
Mon Jun 30 12:30:01 GMT 2008
Andrew Bartlett wrote:
> On Mon, 2008-06-30 at 13:37 +0200, Michael Ströder wrote:
>> http://www.web2ldap.de/web2ldapcnf_hosts.html#restricted_ldap_uri_list
>
> Good. Now make it the default :-)
In the configuration sample file of the source distribution it's set to
1. If absent the default is 0. The reason is that I did not want to make
it a mandatory parameter within the 0.16.x series, so as not to break
existing 0.16.x installations. This will change in 0.17.x since 0.17.x
will require different config parameters and module dependencies.
>>>> I'd like to use SASL/GSSAPI with forwardable tickets (probably
>>>> self-implemented SPNEGO if possible). Unfortunately I have to stick with what
>>>> the OpenLDAP client API provides. AFAIK I cannot preinitialize a GSSAPI
>>>> context and pass that to the OpenLDAP client libs during SASL bind.
>>> The usual way is to populate a CCACHE from the exported GSSAPI
>>> credentials, pointed at with an environment variable. This should work
>>> with OpenLDAP.
>> And does it work with forwardable tickets (without doing kinit within
>> the web gateway)? AFAIK this is how freeipa is doing it. But web2ldap
>> runs as a multi-threaded process so mucking with env vars is IMO not
>> really an option.
>
> That does make things more difficult.
Hmm, the reason for running multi-threaded is that LDAP connections are
kept persistent. For my understanding: The CCACHE could also only
contain a service ticket extracted from a SPNEGO HTTP header? If yes,
let me think about it...
> And my experience is that unless you get it packaged and submitted,
> nobody (comparatively) will ever use your software.
Well, my primary goal is not to rule the world. ;-)
Ciao, Michael.
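As an added illustration (not code from the thread or from web2ldap) of the concern above about selecting the credential cache through an environment variable in a multi-threaded gateway: two request threads that each set KRB5CCNAME (the standard Kerberos ccache variable) before binding can end up binding with the same, possibly wrong, cache, while passing the cache location per connection avoids the cross-talk. The "bind" is a stub that only records which cache the GSSAPI layer would see; the user names and cache paths are constructed.

```python
import os
import threading

# Constructed sample: two gateway users, each with their own credential cache.
# KRB5CCNAME is the standard Kerberos variable that names the ccache to use.
USERS = [("alice", "FILE:/tmp/krb5cc_alice"), ("bob", "FILE:/tmp/krb5cc_bob")]

def bind_via_env(user, ccache, set_done, may_bind, results):
    """Request thread: point KRB5CCNAME at this user's cache, then bind.
    The events force the interleaving in which both threads have written
    the variable before either binds; a busy server hits it by chance."""
    os.environ["KRB5CCNAME"] = ccache
    set_done.set()
    may_bind.wait()
    # Stub for the SASL/GSSAPI bind: record the cache that would be read now.
    results[user] = os.environ["KRB5CCNAME"]

def bind_with_explicit_ccache(user, ccache, results):
    """Per-connection alternative: the cache location travels with the
    connection (here a plain argument), never through the process-wide
    environment, so threads cannot observe each other's choice."""
    results[user] = ccache

def run_env_var_race():
    """Returns {user: ccache actually used}; both entries end up equal."""
    results, may_bind = {}, threading.Event()
    set_done = [threading.Event() for _ in USERS]
    threads = [threading.Thread(target=bind_via_env,
                                args=(u, c, set_done[i], may_bind, results))
               for i, (u, c) in enumerate(USERS)]
    for t in threads:
        t.start()
    for e in set_done:       # wait until both have written KRB5CCNAME
        e.wait()
    may_bind.set()           # only now let both threads "bind"
    for t in threads:
        t.join()
    return results

def run_explicit():
    """Same two users with the cache passed per connection: no collision."""
    results = {}
    threads = [threading.Thread(target=bind_with_explicit_ccache,
                                args=(u, c, results)) for u, c in USERS]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results
```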
More information about the samba-technical mailing list