From: Jan Bramkamp <crest@rlwinm.de>
To: freebsd-current@freebsd.org
Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory
Date: Mon, 13 Jun 2016 14:46:04 +0200
Message-ID: <6f2f1234-1d12-7796-f0b5-9da5a44585db@rlwinm.de>
In-Reply-To: <575ACEB2.2030307@wemm.org>
References: <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net> <575ACEB2.2030307@wemm.org>

On 10/06/16 16:29, Peter Wemm wrote:
> On 6/9/16 6:49 PM, Matthew Seaman wrote:
>> On 09/06/2016 18:34, Craig Rodrigues wrote:
>>> There is still value to ypldap as it is now, and getting feedback from
>>> users (especially Active Directory) would be very useful.
>>> If someone could document a configuration which uses IPSEC or OpenSSH
>>> forwarding, that would be nice.
>>>
>>> In future, maybe someone in OpenBSD or FreeBSD will implement things
>>> like LDAP over SSL.
>>
>> What advantages does ypldap offer over nss-pam-ldapd (in ports)?
>> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
>> transit, and I find it works very well for using OpenLDAP as a central
>> account database. I believe it works with AD, but haven't tried that
>> myself.
>>
>> Cheers,
>>
>> Matthew
>
> We used nss-pam-ldapd quite successfully in the freebsd.org cluster
> during our transition away from YP/NIS, for what it's worth.

Did you try the OpenLDAP nssov overlay? It replaces nslcd by reimplementing the protocol spoken between nslcd and nss_ldap/pam_ldap directly inside slapd. This allows slapd to cache or replicate the data locally without resorting to the broken nscd.
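The thread's point in favour of nss-pam-ldapd is that it can protect the directory traffic with ldaps or ldap+STARTTLS, which ypldap at the time could not. The following is an added example, not code from the thread or from nss-pam-ldapd: a small audit of an nslcd.conf that checks exactly those two things, that every remote `uri` is encrypted and that the server certificate is actually verified (`tls_reqcert demand`/`hard`). The two configurations, hostnames, DNs and CA path are constructed placeholders.

```python
"""Audit an nslcd.conf (nss-pam-ldapd) for the transport-security settings
discussed in the thread: every remote LDAP URI must use ldaps or STARTTLS,
and the server certificate must be verified (tls_reqcert demand or hard)."""
from urllib.parse import urlsplit

# Two constructed configurations; hostnames, DNs and the CA path are placeholders.
WEAK_CONF = """\
uri ldap://ldap.example.internal/
base dc=example,dc=internal
binddn cn=nss,dc=example,dc=internal
tls_reqcert never
"""
HARDENED_CONF = """\
# LDAPS to the remote directory, plus a local slapd over a UNIX socket
uri ldaps://ldap.example.internal/
uri ldapi://%2fvar%2frun%2fldapi/
base dc=example,dc=internal
tls_reqcert demand
tls_cacertfile /usr/local/etc/ssl/example-ca.pem
"""

def parse_nslcd_conf(text):
    """Map each directive to the list of its values (uri may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit_nslcd_conf(text):
    """Return a list of findings; an empty list means every remote hop is
    encrypted and the directory server's certificate is verified."""
    conf = parse_nslcd_conf(text)
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()   # off | on | start_tls
    findings, remote = [], False
    for uri in conf.get("uri", []):
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldapi":
            continue  # UNIX socket: never leaves the host
        remote = True
        if scheme != "ldaps" and ssl_mode not in ("on", "start_tls"):
            findings.append(f"{uri}: cleartext LDAP, bind password and account data unprotected")
    if remote:
        reqcert = conf.get("tls_reqcert", [None])[-1]
        if reqcert is None:
            findings.append("tls_reqcert not set: verification depends on the LDAP library default")
        elif reqcert.lower() not in ("demand", "hard"):
            findings.append(f"tls_reqcert {reqcert}: server certificate not verified, TLS does not authenticate the directory")
    return findings
```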