web2ldap for Samba4

Michael Ströder michael at stroeder.com
Mon Jun 30 12:30:01 GMT 2008

Andrew Bartlett wrote:
> On Mon, 2008-06-30 at 13:37 +0200, Michael Ströder wrote:
>> http://www.web2ldap.de/web2ldapcnf_hosts.html#restricted_ldap_uri_list
> Good.  Now make it the default :-)

In the configuration sample file of the source distribution it's set to 
1. If absent the default is 0. The reason is that I did not want to make 
it a mandantory parameter within the 0.16.x series for not breaking 
existing 0.16.x installations. This will change in 0.17.x since 0.17.x 
will require different config parameters and module dependencies.

>>>> I'd like to use SASL/GSSAPI with forwardable tickets (probably 
>>>> self-implemented SPNEGO if possible). Unfortunately I have to stick what 
>>>> the OpenLDAP client API provides. AFAIK I cannot preinitialize a GSSAPI 
>>>> context and pass that to the OpenLDAP client libs during SASL bind.
>>> The usual way is to populate a CCACHE from the exported GSSAPI
>>> credentials, pointed at with an environment variable.  This should work
>>> with OpenLDAP.
>> And does it work with forwardable tickets (without doing kinit within 
>> the web gateway)? AFAIK this is how freeipa is doing it. But web2ldap 
>> runs as a multi-threaded process so mucking with env vars is IMO not 
>> really an option.
> That does make things more difficult.

Hmm, the reason for running multi-threaded is that LDAP connections are 
kept persistent. For my understanding: The CCACHE could also only 
contain a service ticket extracted from a SPNEGO HTTP header? If yes, 
let me think about it...

> And my experience is that unless you get it packaged and submitted, 
> nobody (comparativly) will ever use your software.

Well, my primary goal is not to rule the world. ;-)

Ciao, Michael.

More information about the samba-technical mailing list