From owner-freebsd-current@freebsd.org Thu Jun 16 02:15:54 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6AC7BA474CE for ; Thu, 16 Jun 2016 02:15:54 +0000 (UTC) (envelope-from araujobsdport@gmail.com) Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 2539A1E38 for ; Thu, 16 Jun 2016 02:15:54 +0000 (UTC) (envelope-from araujobsdport@gmail.com) Received: by mail-yw0-x236.google.com with SMTP id c72so30759981ywb.1 for ; Wed, 15 Jun 2016 19:15:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc; bh=EmPcaTC/3rSqyVcgY8AcZiNBIjf7fwo956OmTg8VTvE=; b=pwnWNttVIjSKBBpyikUq3x67HJ0ttxWoLYvQ0EAktsYp4Fay7UO5S32KmIUYAAqAkh b5AqXBpkn/8aX82aWJYzr2db/xQCmhmwCozc2rTpcQd1Sk9L+f4b/4ImYjYCNXz8L4br h51KWIRxsjjYbBNrMIcO2+oFCauZ1ny9xC0PuAl22WFFGrSLUrRRmAqXUHIcyR3nyxFB ooz1futK1LTzPkr7ATpSo5vqnkEz+kUf9uTdCbWqT7EoojFVgTPBL/C07VO78TpvlKR7 mzV/hhYzsIe4OOunLNjkBflJUKkFNw8UqfDVzJbBO0j8Q9nE/IySxoTkRwSmvLChK4Of Iexw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:reply-to:in-reply-to:references :from:date:message-id:subject:to:cc; bh=EmPcaTC/3rSqyVcgY8AcZiNBIjf7fwo956OmTg8VTvE=; b=APNBqFzEsvEkerhihLz71Nh5/Ij+W6mhVJXab/Q87k05Em+wg2hL7S3NaGvWPIxS+m WlXUm8RUe0jzxNnuH0qHwCI+HAZBoIpR+wzSvHlEbAKqWm11HtrQ9roU/JlLEQ/LGMqv PgFxLuIt9ZC0ILYAcvcFISVLR5qSt+3Eq4w4STTJSPIaXwFUjICQKtxJKx8xUrtVOwHF /32sBNzoITyMA22s7jTnlHK+0x2K+e3eSUrFtSI1FpXjt3E1tva2SXTsFLRiyZm/gczx B7kL99wUIHHEtwXrIsCZZFr5rjxYEhbt4wIxcccj5UJle6YGtVwnPG/wktv9N6meoFOx Fwig== X-Gm-Message-State: ALyK8tLwhBYiHmMN9gEtO/dXbo3Sk1GVml3QcXIIBpOoK7I4DDIQNTOuT6sBiZMu0sInbqkQP0jLRyBkjtZA7A== X-Received: by 10.129.137.129 with SMTP id z123mr1236693ywf.101.1466043353225; Wed, 15 Jun 2016 19:15:53 -0700 (PDT) MIME-Version: 1.0 Received: by 10.129.10.212 with HTTP; Wed, 15 Jun 2016 19:15:52 -0700 (PDT) Reply-To: araujo@freebsd.org In-Reply-To: References: <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net> <5fc80d8ee559336a657514b3f2ec2a33@ultimatedns.net> From: Marcelo Araujo Date: Thu, 16 Jun 2016 10:15:52 +0800 Message-ID: Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory To: Nikolai Lifanov Cc: freebsd-current Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.22 X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Jun 2016 02:15:54 -0000 No worries Nikolai! If one day I will do it, will be on 12-RELEASE. Br, 2016-06-15 20:03 GMT+08:00 Nikolai Lifanov : > On 06/14/2016 21:05, Marcelo Araujo wrote: > > 2016-06-15 8:17 GMT+08:00 Chris H : > > > >> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo < > araujobsdport@gmail.com> > >> wrote > >> > >>> Hey, > >>> > >>> Thanks for the CFT Craig. > >>> > >>> 2016-06-09 14:41 GMT+08:00 Xin Li : > >>> > >>>> > >>>> > >>>> On 6/8/16 23:10, Craig Rodrigues wrote: > >>>>> Hi, > >>>>> > >>>>> I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD > >>>>> current. > >>>>> > >>>>> In latest current, it should be possible to put in /etc/rc.conf: > >>>>> > >>>>> nis_ypldap_enable="YES" > >>>>> to activate the ypldap daemon. > >>>>> > >>>>> When set up properly, it should be possible to log into FreeBSD, and > >> have > >>>>> the backend password database come from an LDAP database such > >>>>> as OpenLDAP > >>>>> > >>>>> There is some documentation for setting this up, but it is OpenBSD > >>>> specific: > >>>>> > >>>>> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client > >>>>> http://puffysecurity.com/wiki/ypldap.html#2 > >>>>> > >>>>> I did not bother porting the OpenBSD LDAP server to FreeBSD, so that > >>>>> information > >>>>> does not apply. I figure that openldap from ports should work fine. > >>>>> > >>>>> I was wondering if there is someone out there familiar enough with > >> LDAP > >>>>> and has a setup they can test this stuff out with, provide feedback, > >> and > >>>>> help > >>>>> improve the documentation for FreeBSD? > >>>> > >>>> Looks like it would be a fun weekend project. I've cc'ed a potential > >>>> person who may be interested in this as well. > >>>> > >>>> But will this worth the effort? (I think the current implementation > >>>> would do everything with plaintext protocol over wire, so while it > >>>> extends life for legacy applications that are still using NIS/YP, it > >>>> doesn't seem to be something that we should recommend end user to > use?) > >>>> > >>> > >>> I can see two good point to use ypldap that would be basically for > users > >>> that needs to migrate from NIS to LDAP or need to make some integration > >>> between legacy(NIS) and LDAP during a transition period to LDAP. > >>> > >>> As mentioned, NIS is 'plain text' not safe by its nature, however there > >> are > >>> still lots of people out there using NIS, and ypldap(8) is a good tool > to > >>> help these people migrate to a more safe tool like LDAP. > >>> > >>> > >>>> > >>>>> I would also be interested in hearing from someone who can see if > >>>>> ypldap can work against a Microsoft Active Directory setup? > >>>> > >>>> Cheers, > >>>> > >>>> > >>> All my tests were using OpenLDAP, I used the OpenBSD documentation to > >> setup > >>> everything, and the file share/examples/ypldap/ypldap.conf can be a > good > >>> start to anybody that wants to start to work with ypldap(8). > >>> > >>> Would be nice hear from other users how was their experience using > ypldap > >>> with MS Active Directory and perhaps some HOWTO how they made all the > >> setup > >>> would be amazing to have. > >>> > >>> Also, would be useful to know who are still using NIS and what kind of > >>> setup(user case), maybe even the reason why they are still using it. > >> > >> Honestly, I think the best way to motivate people to do the right > thing(tm) > >> Would be to remove Yellow Pages from the tree, entirely. :-) > >> It's been dead for *years*, and as you say, isn't safe, anyway.. > >> > > > > Yes, I have a plan for that, but I don't believe it will happens before > > FreeBSD 12-RELEASE. > > > > Please don't, at least for now. NIS is fast, simple, reliable, and works > on first boot without additional software. I have passwords in > Kerberos, so the usual cons doesn't apply. This is very valuable to me. > > It's not hurting anyone. What's the motivation behind removing it? > > > > >> > >> --Chris > >>> > >>> > >>> Best, > >>> -- > >>> > >>> -- > >>> Marcelo Araujo (__)araujo@FreeBSD.org > >>> \\\'',)http://www.FreeBSD.org \/ \ ^ > >>> Power To Server. .\. /_) > >>> _______________________________________________ > >>> freebsd-current@freebsd.org mailing list > >>> https://lists.freebsd.org/mailman/listinfo/freebsd-current > >>> To unsubscribe, send any mail to " > >> freebsd-current-unsubscribe@freebsd.org" > >> > >> > >> _______________________________________________ > >> freebsd-current@freebsd.org mailing list > >> https://lists.freebsd.org/mailman/listinfo/freebsd-current > >> To unsubscribe, send any mail to " > freebsd-current-unsubscribe@freebsd.org" > >> > > > > > > > > _______________________________________________ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org" > -- -- Marcelo Araujo (__)araujo@FreeBSD.org \\\'',)http://www.FreeBSD.org \/ \ ^ Power To Server. .\. /_)