From: Marcelo Araujo
Reply-To: araujo@freebsd.org
Date: Thu, 16 Jun 2016 10:54:04 +0800
Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory
To: Outback Dingo
Cc: Nikolai Lifanov, freebsd-current
References: <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net> <5fc80d8ee559336a657514b3f2ec2a33@ultimatedns.net>
List-Id: Discussions about the use of FreeBSD-current

I hear too!!! And that is why we are having this talk here around ypldap.

Best,

2016-06-16 10:50 GMT+08:00 Outback Dingo:

>
> On Wed, Jun 15, 2016 at 10:15 PM, Marcelo Araujo wrote:
>
>> No worries Nikolai! If one day I will do it, will be on 12-RELEASE.
>>
>> Br,
>>
>> 2016-06-15 20:03 GMT+08:00 Nikolai Lifanov:
>>
>> > On 06/14/2016 21:05, Marcelo Araujo wrote:
>> > > 2016-06-15 8:17 GMT+08:00 Chris H:
>> > >
>> > >> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo <araujobsdport@gmail.com> wrote
>> > >>
>> > >>> Hey,
>> > >>>
>> > >>> Thanks for the CFT Craig.
>> > >>>
>> > >>> 2016-06-09 14:41 GMT+08:00 Xin Li:
>> > >>>
>> > >>>>
>> > >>>> On 6/8/16 23:10, Craig Rodrigues wrote:
>> > >>>>> Hi,
>> > >>>>>
>> > >>>>> I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
>> > >>>>> current.
>> > >>>>>
>> > >>>>> In latest current, it should be possible to put in /etc/rc.conf:
>> > >>>>>
>> > >>>>> nis_ypldap_enable="YES"
>> > >>>>> to activate the ypldap daemon.
>> > >>>>>
>> > >>>>> When set up properly, it should be possible to log into FreeBSD, and have
>> > >>>>> the backend password database come from an LDAP database such
>> > >>>>> as OpenLDAP
>> > >>>>>
>> > >>>>> There is some documentation for setting this up, but it is OpenBSD specific:
>> > >>>>>
>> > >>>>> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
>> > >>>>> http://puffysecurity.com/wiki/ypldap.html#2
>> > >>>>>
>> > >>>>> I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
>> > >>>>> information does not apply. I figure that openldap from ports should work fine.
>> > >>>>>
>> > >>>>> I was wondering if there is someone out there familiar enough with LDAP
>> > >>>>> and has a setup they can test this stuff out with, provide feedback, and
>> > >>>>> help improve the documentation for FreeBSD?
>> > >>>>
>> > >>>> Looks like it would be a fun weekend project. I've cc'ed a potential
>> > >>>> person who may be interested in this as well.
>> > >>>>
>> > >>>> But will this be worth the effort? (I think the current implementation
>> > >>>> would do everything with plaintext protocol over wire, so while it
>> > >>>> extends life for legacy applications that are still using NIS/YP, it
>> > >>>> doesn't seem to be something that we should recommend end user to use?)
>> > >>>>
>> > >>>
>> > >>> I can see two good points to use ypldap that would be basically for users
>> > >>> that need to migrate from NIS to LDAP or need to make some integration
>> > >>> between legacy(NIS) and LDAP during a transition period to LDAP.
>> > >>>
>> > >>> As mentioned, NIS is 'plain text' not safe by its nature, however there are
>> > >>> still lots of people out there using NIS, and ypldap(8) is a good tool to
>> > >>> help these people migrate to a more safe tool like LDAP.
>> > >>>
>> > >>>>
>> > >>>>> I would also be interested in hearing from someone who can see if
>> > >>>>> ypldap can work against a Microsoft Active Directory setup?
>> > >>>>
>> > >>>> Cheers,
>> > >>>>
>> > >>> All my tests were using OpenLDAP, I used the OpenBSD documentation to set up
>> > >>> everything, and the file share/examples/ypldap/ypldap.conf can be a good
>> > >>> start to anybody that wants to start to work with ypldap(8).
>> > >>>
>> > >>> Would be nice to hear from other users how was their experience using ypldap
>> > >>> with MS Active Directory and perhaps some HOWTO how they made all the setup
>> > >>> would be amazing to have.
>> > >>>
>> > >>> Also, would be useful to know who are still using NIS and what kind of
>> > >>> setup(user case), maybe even the reason why they are still using it.
>> > >>
>> > >> Honestly, I think the best way to motivate people to do the right thing(tm)
>> > >> Would be to remove Yellow Pages from the tree, entirely. :-)
>> > >> It's been dead for *years*, and as you say, isn't safe, anyway..
>> > >>
>> > >
>> > > Yes, I have a plan for that, but I don't believe it will happen before
>> > > FreeBSD 12-RELEASE.
>> > >
>> >
>> > Please don't, at least for now. NIS is fast, simple, reliable, and works
>> > on first boot without additional software. I have passwords in
>> > Kerberos, so the usual cons don't apply. This is very valuable to me.
>> >
>> > It's not hurting anyone. What's the motivation behind removing it?
>> >
>
> Removing NIS is a BAD idea, there are still plenty of people that use it,
> and plenty of businesses rely on it, I still hear people asking for it
>
>> > >> --Chris
>> > >>>
>> > >>> Best,
>> > >>> --
>> > >>> Marcelo Araujo (__)araujo@FreeBSD.org
>> > >>> \\\'',)http://www.FreeBSD.org \/ \ ^
>> > >>> Power To Server. .\. /_)
>> > >>> _______________________________________________
>> > >>> freebsd-current@freebsd.org mailing list
>> > >>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>> > >>> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"

-- 
Marcelo Araujo (__)araujo@FreeBSD.org
\\\'',)http://www.FreeBSD.org \/ \ ^
Power To Server. .\. /_)