[Kroupware] More than one Kolab server

Dieter Kluenter dieter at dkluenter.de
Tue May 20 14:57:02 CEST 2003


Hi,

"konold at erfrakon.de" <konold at erfrakon.de> writes:

> On Tue, 20 May 2003, Dieter Kluenter wrote:
>
> Hi Dieter,
>
>> Database replication is done by slurpd but to have it work properly
>> you have to recompile openldap and at least add the flag
>> --enable-rewrite to configure, and I recommend bdb backend instead of
>> ldbm.
>
> Please explain why you prefer bdb to ldbm.

There are several reasons:
1. the ability of transaction control
2. the ability of database recovery after a system crash
3. the ability to set checkpoints
4. enhanced database configuration outside of slapd.conf

the pros and cons of ldbm vs. bdb have been extensively discussed on
the openldap-software mailinglist.
 
> In general I am willing to add features to the kolab LDAP so that it is
> usable as a single sign on solution.

OK, here are my proposals:

1. enable sasl support in openldap in order to do a strong bind
2. enable kerberos v5 in cyrus-sasl in order to make use of GSSAPI
   and EXTERNAL mechanisms
3. enable meta and monitor backend in openldap.
4. adding heimdal kerberos to kolab (even w2k clients support krb5)

Meta Backend is a proxy for one or more directory servers, even from
several vendors.
Monitor Backend shows statistical information and can be used to add
debugging options and attributes during runtime.

Just to show you, how a GSSAPI supported Single Sign-On could operate
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
dieter at marin:~> ldapwhoami
SASL/GSSAPI authentication started
SASL username: dieter at AVCI.DE
SASL SSF: 56
SASL installing layers
dn:cn=dieter kluenter,ou=partner,o=avci,c=de
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

the same with a X.509 certificate

-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
dieter at marin:~> ldapwhoami -Y EXTERNAL -ZZ
SASL/EXTERNAL authentication started
SASL username: CN=Dieter Kluenter,OU=partner,O=avci,C=de
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-

As you can see, there is neither a userid nor a password required to
authenticate against the directory server, but still it is a secure
and private data transmission.

-Dieter
 
-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter at schevolution.com
http://www.schevolution.com/tour
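The following slapd.conf excerpt is an added example (not Kolab's configuration and not the poster's) showing how the pieces proposed above fit together on the server side: a bdb backend with checkpoints, SASL settings for GSSAPI, TLS for SASL EXTERNAL with X.509 certificates, a mapping from the SASL identity to the directory entry, and the monitor backend. The realm AVCI.DE and the suffix o=avci,c=de are taken from the ldapwhoami transcripts; hostnames, file paths, the admin DN and the assumption that the uid attribute equals the Kerberos principal name are placeholders. Directive syntax is that of OpenLDAP 2.2 and later (2.1-era releases spelled authz-regexp as sasl-regexp).

```conf
# slapd.conf excerpt (added example; hostnames, paths and DNs are placeholders)

include         /etc/openldap/schema/core.schema

# --- TLS: private channel, and the basis for SASL EXTERNAL with X.509 ---
TLSCACertificateFile    /etc/openldap/ca.crt
TLSCertificateFile      /etc/openldap/ldap.avci.de.crt
TLSCertificateKeyFile   /etc/openldap/ldap.avci.de.key
# "try" asks for a client certificate and verifies it if presented;
# "demand" refuses TLS sessions without a valid client certificate.
TLSVerifyClient         try

# --- SASL: realm and host of the ldap/ldap.avci.de@AVCI.DE service principal ---
sasl-host       ldap.avci.de
sasl-realm      AVCI.DE
# Refuse anonymous and plaintext-equivalent SASL mechanisms.
sasl-secprops   noanonymous,noplain

# Require at least 56 bits of protection (SASL layer or TLS) on every
# operation. A GSSAPI bind reporting "SASL SSF: 56" passes on its own;
# an EXTERNAL bind reports "SASL SSF: 0" and passes only because the TLS
# session (ldapwhoami -ZZ) supplies the strength.
security        ssf=56

# Map SASL identities onto directory entries.
# GSSAPI: dieter@AVCI.DE arrives as uid=dieter,cn=avci.de,cn=gssapi,cn=auth;
# look the entry up by uid under ou=partner (assumes uid = principal name).
authz-regexp
    "uid=([^,]+),cn=avci\.de,cn=gssapi,cn=auth"
    "ldap:///ou=partner,o=avci,c=de??one?(uid=$1)"
# EXTERNAL: the certificate subject DN is used as the authorization DN,
# so either issue certificates whose subject equals the entry DN (as in
# the transcript) or add a second authz-regexp for your certificate naming.

# --- Monitor backend: runtime statistics, readable only by the admin ---
database        monitor
access to *
    by dn.exact="cn=admin,o=avci,c=de" read
    by * none

# --- bdb backend: transactions, crash recovery and checkpoints ---
database        bdb
suffix          "o=avci,c=de"
rootdn          "cn=admin,o=avci,c=de"
directory       /var/lib/ldap/avci
# Checkpoint every 512 KB of transaction log or every 30 minutes, whichever
# comes first, so recovery after a crash replays only a short log stretch.
checkpoint      512 30
index           objectClass,uid    eq
```

The bdb tuning that lives outside slapd.conf (point 4 in the list above) goes into a DB_CONFIG file in the database directory, for example cache size and log settings. On the client, GSSAPI needs a valid ticket (kinit first), and the EXTERNAL bind with -ZZ needs TLS_CACERT, TLS_CERT and TLS_KEY in the user's ~/.ldaprc so that ldapwhoami can present the certificate.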
