From owner-freebsd-current@freebsd.org Wed Jun 15 00:17:19 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 55181AF12DC for ; Wed, 15 Jun 2016 00:17:19 +0000 (UTC) (envelope-from bsd-lists@bsdforge.com) Received: from udns.ultimatedns.net (static-24-113-41-81.wavecable.com [24.113.41.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3F2CE2A2D for ; Wed, 15 Jun 2016 00:17:18 +0000 (UTC) (envelope-from bsd-lists@bsdforge.com) Received: from ultimatedns.net (localhost [127.0.0.1]) by udns.ultimatedns.net (8.14.9/8.14.9) with ESMTP id u5F0HCGE066495 for ; Tue, 14 Jun 2016 17:17:19 -0700 (PDT) (envelope-from bsd-lists@bsdforge.com) To: In-Reply-To: References: <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net>, From: "Chris H" Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory Date: Tue, 14 Jun 2016 17:17:19 -0700 Content-Type: text/plain; charset=UTF-8; format=fixed MIME-Version: 1.0 Message-id: <5fc80d8ee559336a657514b3f2ec2a33@ultimatedns.net> Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jun 2016 00:17:19 -0000 On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo wrote > Hey, > > Thanks for the CFT Craig. > > 2016-06-09 14:41 GMT+08:00 Xin Li : > > > > > > > On 6/8/16 23:10, Craig Rodrigues wrote: > > > Hi, > > > > > > I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD > > > current. > > > > > > In latest current, it should be possible to put in /etc/rc.conf: > > > > > > nis_ypldap_enable="YES" > > > to activate the ypldap daemon. > > > > > > When set up properly, it should be possible to log into FreeBSD, and have > > > the backend password database come from an LDAP database such > > > as OpenLDAP > > > > > > There is some documentation for setting this up, but it is OpenBSD > > specific: > > > > > > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client > > > http://puffysecurity.com/wiki/ypldap.html#2 > > > > > > I did not bother porting the OpenBSD LDAP server to FreeBSD, so that > > > information > > > does not apply. I figure that openldap from ports should work fine. > > > > > > I was wondering if there is someone out there familiar enough with LDAP > > > and has a setup they can test this stuff out with, provide feedback, and > > > help > > > improve the documentation for FreeBSD? > > > > Looks like it would be a fun weekend project. I've cc'ed a potential > > person who may be interested in this as well. > > > > But will this worth the effort? (I think the current implementation > > would do everything with plaintext protocol over wire, so while it > > extends life for legacy applications that are still using NIS/YP, it > > doesn't seem to be something that we should recommend end user to use?) > > > > I can see two good point to use ypldap that would be basically for users > that needs to migrate from NIS to LDAP or need to make some integration > between legacy(NIS) and LDAP during a transition period to LDAP. > > As mentioned, NIS is 'plain text' not safe by its nature, however there are > still lots of people out there using NIS, and ypldap(8) is a good tool to > help these people migrate to a more safe tool like LDAP. > > > > > > > I would also be interested in hearing from someone who can see if > > > ypldap can work against a Microsoft Active Directory setup? > > > > Cheers, > > > > > All my tests were using OpenLDAP, I used the OpenBSD documentation to setup > everything, and the file share/examples/ypldap/ypldap.conf can be a good > start to anybody that wants to start to work with ypldap(8). > > Would be nice hear from other users how was their experience using ypldap > with MS Active Directory and perhaps some HOWTO how they made all the setup > would be amazing to have. > > Also, would be useful to know who are still using NIS and what kind of > setup(user case), maybe even the reason why they are still using it. Honestly, I think the best way to motivate people to do the right thing(tm) Would be to remove Yellow Pages from the tree, entirely. :-) It's been dead for *years*, and as you say, isn't safe, anyway.. --Chris > > > Best, > -- > > -- > Marcelo Araujo (__)araujo@FreeBSD.org > \\\'',)http://www.FreeBSD.org \/ \ ^ > Power To Server. .\. /_) > _______________________________________________ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"