From owner-freebsd-current@freebsd.org Tue Jun 14 17:25:19 2016
Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory
From: Eric van Gyzen <eric@vangyzen.net>
To: Matthew Seaman, freebsd-current@freebsd.org
Date: Tue, 14 Jun 2016 12:25:15 -0500
Message-ID: <003f57a2-4df3-3cb0-0e31-4dcbd8856802@vangyzen.net>
References: <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net>
List-Id: Discussions about the use of FreeBSD-current

On 06/ 9/16 05:49 PM, Matthew Seaman wrote:
> On 09/06/2016 18:34, Craig Rodrigues wrote:
>> There is still value to ypldap as it is now, and getting feedback from
>> users (especially Active Directory) would be very useful.
>> If someone could document a configuration which uses IPSEC or OpenSSH
>> forwarding, that would be nice.
>>
>> In future, maybe someone in OpenBSD or FreeBSD will implement things like
>> LDAP over SSL.
> What advantages does ypldap offer over nss-pam-ldapd (in ports)?
> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
> transit, and I find it works very well for using OpenLDAP as a central
> account database. I believe it works with AD, but haven't tried that
> myself.

nss-pam-ldapd works very well with Active Directory. At work, dozens of
people use it on their workstations and hundreds of people use it on the
build servers. We've been doing this for years with no issues. Well, we've
caused some issues for ourselves, of course... ;)

Eric
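To show concretely what the "ldap+STARTTLS or ldaps" point above means in practice, here is an nslcd.conf for nss-pam-ldapd on FreeBSD that talks to an Active Directory domain controller over STARTTLS and refuses to proceed unless the server certificate validates. This is an added example, not a configuration posted in this thread or shipped by the nss-pam-ldapd project; the hostname, base DN, bind account, CA file path and password are assumed placeholders.

```conf
# /usr/local/etc/nslcd.conf -- added example, not from the thread.
# ldap.example.org, the DNs, the CA file and the password are placeholders.

# STARTTLS on the standard LDAP port: the connection starts in the clear
# and is upgraded to TLS before any bind or search is sent.
uri ldap://ldap.example.org/
ssl start_tls

# Alternative: LDAP over TLS from the first byte (port 636). Use one or the
# other, not both.
# uri ldaps://ldap.example.org/
# ssl on

# Encryption alone does not identify the server. Demand a certificate that
# chains to a CA you trust, or a man-in-the-middle can still read the
# bind password and feed the client bogus passwd/group data.
tls_reqcert demand
tls_cacertfile /usr/local/etc/ssl/ldap-ca.pem

base dc=example,dc=org

# A low-privilege, read-only service account; AD does not permit anonymous
# searches for account data by default.
binddn cn=nss-reader,ou=svc,dc=example,dc=org
bindpw REPLACE_WITH_BIND_PASSWORD

# Active Directory specifics: page large result sets, ignore referrals to
# other domain controllers, and map AD attribute names onto the POSIX
# fields nslcd expects. Only accounts with POSIX IDs become Unix users.
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(uidNumber=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
filter group (&(objectClass=group)(gidNumber=*))
```

Because the file holds the bind password it must be readable only by root (mode 0600). To switch the resolver over, enable the daemon with `nslcd_enable="YES"` in /etc/rc.conf and change the `passwd:` and `group:` lines in /etc/nsswitch.conf to `files ldap`. The value of `tls_reqcert demand` is easy to check: pointing `uri` at a host whose certificate is not signed by the CA in `tls_cacertfile` should make lookups fail rather than silently fall back to an unauthenticated session.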