From owner-freebsd-current@freebsd.org Sat Jun 18 15:15:58 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6B91CA78741 for ; Sat, 18 Jun 2016 15:15:58 +0000 (UTC) (envelope-from asomers@gmail.com) Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 2E55A1FAB for ; Sat, 18 Jun 2016 15:15:58 +0000 (UTC) (envelope-from asomers@gmail.com) Received: by mail-oi0-x22d.google.com with SMTP id p204so156331188oih.3 for ; Sat, 18 Jun 2016 08:15:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=Kha/i6+iia8FYg/C5OIq5SMd2N6evqtwS5quFAGHbVc=; b=PwqY0NaCXZkR8vRhwhqM9AZK0pa9280KfzpOz1gQsz5kpIeYTN0iwN3cH82J4btl3s M2ysy+MyEDN6/qXLBSHyisFfyrhCXCGc7E9Bs8Wm5Ki8l0xNEceqiOsdPLKUjNIBfXyt XOw8fI4iWcvJ4M6G0jD7RultDmVxKtBMRt9WlbYzX7TLeN30ffbVDaDZAAOusKG4PJWw CfrPHMB2IOCMVKnYwY/+vMJAj6zm5xSy1+E4phbPYHsGqeMq9MSe+UW688Ob8UZw4t6X 7AhXL6F0mhT0ovQlOhjVvv5qu/P0DbUf3KEkCdB3gLlJ16mkPLseVHc5MUxpEtsKqpgZ I2sw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=Kha/i6+iia8FYg/C5OIq5SMd2N6evqtwS5quFAGHbVc=; b=kV33yr7up8xQyA3Aa8FrDj8V098930DDBcxL+FfNMOT/rD0u1u7SpoXwlsHBLJXC7f zWsFjRwLeOYhk1Az+Dp0ClKOr2P8B4U71idxrsXqCQGe0Ae2CDfwQURR3awAqKwCIwrq bpJXlhJiu1MXXQ6X61Y/oBDpmmCoRw6qO7YELT8ZL2DOxAHfXkNksnhRdFnSnVgEUBv4 SIJZE4HEHHe5fun5i456ENEKA2l2o+7f9Q/WktyAvqEnGFhF6nPc3m251Jm45g9btVJa /qNLnULPVXYOsACEQQVfYiLfZv+MvOWYCMaIU4mYGFOaiM5I6oKMFkIjeOArjhuCbDQB 6jAg== X-Gm-Message-State: ALyK8tJfWAM0XrS1ijws/bkgDANYlfwD944TpNlnRi7/+Se7yiXFGWpEtnaoNG3d8Q2T0C21OPVoY7V1oXUfmA== X-Received: by 10.202.81.145 with SMTP id f139mr4293087oib.174.1466262957063; Sat, 18 Jun 2016 08:15:57 -0700 (PDT) MIME-Version: 1.0 Sender: asomers@gmail.com Received: by 10.202.102.206 with HTTP; Sat, 18 Jun 2016 08:15:56 -0700 (PDT) In-Reply-To: References: <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net> <5fc80d8ee559336a657514b3f2ec2a33@ultimatedns.net> From: Alan Somers Date: Sat, 18 Jun 2016 09:15:56 -0600 X-Google-Sender-Auth: po5UHE8vYdKmuKGq4TcVN9aLZbs Message-ID: Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory To: Chris H Cc: FreeBSD CURRENT Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Jun 2016 15:15:58 -0000 On Thu, Jun 16, 2016 at 7:20 AM, Chris H wrote: > On Wed, 15 Jun 2016 08:03:55 -0400 Nikolai Lifanov > wrote > >> On 06/14/2016 21:05, Marcelo Araujo wrote: >> > 2016-06-15 8:17 GMT+08:00 Chris H : >> > >> >> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo >> >> wrote >> >> >> >>> Hey, >> >>> >> >>> Thanks for the CFT Craig. >> >>> >> >>> 2016-06-09 14:41 GMT+08:00 Xin Li : >> >>> >> >>>> >> >>>> >> >>>> On 6/8/16 23:10, Craig Rodrigues wrote: >> >>>>> Hi, >> >>>>> >> >>>>> I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD >> >>>>> current. >> >>>>> >> >>>>> In latest current, it should be possible to put in /etc/rc.conf: >> >>>>> >> >>>>> nis_ypldap_enable="YES" >> >>>>> to activate the ypldap daemon. >> >>>>> >> >>>>> When set up properly, it should be possible to log into FreeBSD, and >> >> have >> >>>>> the backend password database come from an LDAP database such >> >>>>> as OpenLDAP >> >>>>> >> >>>>> There is some documentation for setting this up, but it is OpenBSD >> >>>> specific: >> >>>>> >> >>>>> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client >> >>>>> http://puffysecurity.com/wiki/ypldap.html#2 >> >>>>> >> >>>>> I did not bother porting the OpenBSD LDAP server to FreeBSD, so that >> >>>>> information >> >>>>> does not apply. I figure that openldap from ports should work fine. >> >>>>> >> >>>>> I was wondering if there is someone out there familiar enough with >> >> LDAP >> >>>>> and has a setup they can test this stuff out with, provide feedback, >> >> and >> >>>>> help >> >>>>> improve the documentation for FreeBSD? >> >>>> >> >>>> Looks like it would be a fun weekend project. I've cc'ed a potential >> >>>> person who may be interested in this as well. >> >>>> >> >>>> But will this worth the effort? (I think the current implementation >> >>>> would do everything with plaintext protocol over wire, so while it >> >>>> extends life for legacy applications that are still using NIS/YP, it >> >>>> doesn't seem to be something that we should recommend end user to use?) >> >>>> >> >>> >> >>> I can see two good point to use ypldap that would be basically for users >> >>> that needs to migrate from NIS to LDAP or need to make some integration >> >>> between legacy(NIS) and LDAP during a transition period to LDAP. >> >>> >> >>> As mentioned, NIS is 'plain text' not safe by its nature, however there >> >> are >> >>> still lots of people out there using NIS, and ypldap(8) is a good tool to >> >>> help these people migrate to a more safe tool like LDAP. >> >>> >> >>> >> >>>> >> >>>>> I would also be interested in hearing from someone who can see if >> >>>>> ypldap can work against a Microsoft Active Directory setup? >> >>>> >> >>>> Cheers, >> >>>> >> >>>> >> >>> All my tests were using OpenLDAP, I used the OpenBSD documentation to >> >> setup >> >>> everything, and the file share/examples/ypldap/ypldap.conf can be a good >> >>> start to anybody that wants to start to work with ypldap(8). >> >>> >> >>> Would be nice hear from other users how was their experience using ypldap >> >>> with MS Active Directory and perhaps some HOWTO how they made all the >> >> setup >> >>> would be amazing to have. >> >>> >> >>> Also, would be useful to know who are still using NIS and what kind of >> >>> setup(user case), maybe even the reason why they are still using it. >> >> >> >> Honestly, I think the best way to motivate people to do the right >> >> thing(tm) Would be to remove Yellow Pages from the tree, entirely. :-) >> >> It's been dead for *years*, and as you say, isn't safe, anyway.. >> >> >> > >> > Yes, I have a plan for that, but I don't believe it will happens before >> > FreeBSD 12-RELEASE. >> > >> >> Please don't, at least for now. NIS is fast, simple, reliable, and works >> on first boot without additional software. I have passwords in >> Kerberos, so the usual cons doesn't apply. This is very valuable to me. >> >> It's not hurting anyone. What's the motivation behind removing it? > > In all honesty, my comment was somewhat tongue-in-cheek. But from > a purely maintenance POV, at this point in time. I think the Yellow > Pages are better suited for the ports tree, than in $BASE. > It will be hard to wean people off of NIS as long as KGSSAPI is disabled in GENERIC. Does anybody know why it isn't enabled by default? -Alan