From: Marcelo Araujo
Reply-To: araujo@freebsd.org
Date: Thu, 9 Jun 2016 17:55:58 +0800
Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory
To: Xin Li
Cc: Craig Rodrigues, freebsd-current Current, Xin LI, 赵新
In-Reply-To: <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net>
List-Id: Discussions about the use of FreeBSD-current

Hey,

Thanks for the CFT Craig.

2016-06-09 14:41 GMT+08:00 Xin Li:

> On 6/8/16 23:10, Craig Rodrigues wrote:
> > Hi,
> >
> > I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
> > current.
> >
> > In the latest current, it should be possible to put in /etc/rc.conf:
> >
> > nis_ypldap_enable="YES"
> >
> > to activate the ypldap daemon.
> >
> > When set up properly, it should be possible to log into FreeBSD and have
> > the backend password database come from an LDAP database such as OpenLDAP.
> >
> > There is some documentation for setting this up, but it is OpenBSD specific:
> >
> > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> > http://puffysecurity.com/wiki/ypldap.html#2
> >
> > I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
> > information does not apply. I figure that openldap from ports should work fine.
> >
> > I was wondering if there is someone out there familiar enough with LDAP
> > and has a setup they can test this stuff out with, provide feedback, and
> > help improve the documentation for FreeBSD?
>
> Looks like it would be a fun weekend project. I've cc'ed a potential
> person who may be interested in this as well.
>
> But will this be worth the effort? (I think the current implementation
> would do everything with a plaintext protocol over the wire, so while it
> extends life for legacy applications that are still using NIS/YP, it
> doesn't seem to be something that we should recommend end users use?)

I can see two good points for using ypldap: basically for users that need to
migrate from NIS to LDAP, or that need some integration between legacy (NIS)
and LDAP during a transition period to LDAP. As mentioned, NIS is 'plain text',
not safe by its nature; however, there are still lots of people out there using
NIS, and ypldap(8) is a good tool to help these people migrate to a safer tool
like LDAP.

> > I would also be interested in hearing from someone who can see if
> > ypldap can work against a Microsoft Active Directory setup?
> >
> > Cheers,

All my tests were using OpenLDAP. I used the OpenBSD documentation to set up
everything, and the file share/examples/ypldap/ypldap.conf can be a good start
for anybody that wants to start working with ypldap(8).

It would be nice to hear from other users what their experience was using
ypldap with MS Active Directory, and perhaps a HOWTO on how they did all the
setup would be amazing to have.

Also, it would be useful to know who is still using NIS and what kind of setup
(use case) they have, and maybe even the reason why they are still using it.

Best,

--
Marcelo Araujo            (__)
araujo@FreeBSD.org     \\\'',)
http://www.FreeBSD.org    \/  \ ^
Power To Server.         .\. /_)