From: <svn...@op...> - 2009-03-26 00:09:57
Author: scriptor Date: Thu Mar 26 01:09:41 2009 New Revision: 5322 URL: http://www.opensync.org/changeset/5322 Log: Initial version of the LDAP plugin having been ported to libopensync-0.3x. Added: plugins/ldap-sync/ChangeLog (contents, props changed) Added: plugins/ldap-sync/ChangeLog ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ plugins/ldap-sync/ChangeLog Thu Mar 26 01:09:41 2009 (r5322) 
@@ -0,0 +1,58 @@ +$Id$ + +opensync-plugin-ldap: + +0.39: +- Upgraded to openldap-2.4.x +- Ported the whole plugin from libopensync-0.22 to libopensync-0.3x. + This involves: + -- cmake, + -- sinks, + -- new format of config file, + -- use of stylesheets for conversion, + -- sourcing out the conversion routines into a separate format plugin + -- and dozens of other API changes. +- Several issues with the TLS/SSL based encryption of the LDAP session + are fixed now. +- Authentication towards the LDAP server involves several possibilities: + -- Simple authentication + -- SASL/DIGEST-MD5 with the password being stored externally in the sasldb + works. + -- SASL/CRAM-MD5 with the password being stored externally in the sasldb + works, as well. + -- SASL/LOGIN with the password being stored externally in the sasldb, + works, as well, provided that the session is encrypted. + -- SASL/PLAIN with the password being stored externally in the sasldb, + works, as well, provided that the session is encrypted. + -- SASL/PLAIN using saslauthd which calls pam while the LDAP session + is encrypted, does NOT work. Pass-through methods would work only, + if the PLAIN mechanism was used, anyway. And the PLAIN mechanism + in turn is regarded as trust-worthy mechanism only, if the LDAP + session is encrypted... + -- SASL/GSSAPI carrying Kerberos V5 works, even though right now + there are no special/separate configuration options regarding the + "realm" and the "authzid" (TODO). Prerequisite is, as always with + Kerberos V5, that a ticket-granting ticket has been obtained + prior to running osynctool (e.g. "kinit -V ldap_user"). + -- SASL/EXTERNAL works, as well, provided that the LDAP session + is encrypted. This method does not use any password, at all. + The authentication is checked by taking the distinguished name from + the SSL/TLS certificate of the client and mapping this SSL/TLS DN + to an LDAP DN. This LDAP DN is treated as the authentication DN. 
+ The mapping can be configured in slapd.conf (authz-regexp). +- Some smaller issues, like hangs, error messages etc. have + been resolved. +- For the time being the objtype "contact" can be mapped + either to the LDAP scheme "evolutionPerson" or to the + LDAP scheme "inetorgPerson". This can be configured. +- The other objtypes are mapped to general object classes, like + "ou:" and "document:", while some LDAP attribute names are abused + for storing "name" and "value" pairs. + + +0.22: +- The original version of the opensync-plugin-ldap was written by Gergely Santa + <ger...@te...> + + + |
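Review bot: the 0.39 entry states that SASL/LOGIN and SASL/PLAIN work "provided that the session is encrypted", but it does not say whether the plugin enforces that precondition (refusing to bind with those mechanisms when TLS/SSL has not been negotiated) or merely documents it; please state which, since a reader of this ChangeLog could otherwise configure PLAIN or LOGIN over a cleartext session and send the password unprotected. The same applies to SASL/EXTERNAL, which the entry also ties to an encrypted session.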