From: Harry Schmalzbauer
Organization: OmniLAN
Date: Fri, 05 Aug 2016 21:22:08 +0200
To: Jan Bramkamp
CC: FreeBSD current
Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory
Message-ID: <57A4E760.40209@omnilan.de>
In-Reply-To: <6f2f1234-1d12-7796-f0b5-9da5a44585db@rlwinm.de>
References: <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net> <575ACEB2.2030307@wemm.org> <6f2f1234-1d12-7796-f0b5-9da5a44585db@rlwinm.de>

Regarding Jan Bramkamp's message of 13.06.2016 14:46 (localtime):
>
>
> On 10/06/16 16:29, Peter Wemm wrote:
>> On 6/9/16 6:49 PM, Matthew Seaman wrote:
>>> On 09/06/2016 18:34, Craig Rodrigues wrote:
>>>> There is still value to ypldap as it is now, and getting feedback from
>>>> users (especially Active Directory) would be very useful.
>>>> If someone could document a configuration which uses IPSEC or OpenSSH
>>>> forwarding, that would be nice.
>>>>
>>>> In future, maybe someone in OpenBSD or FreeBSD will implement things
>>>> like
>>>> LDAP over SSL.
>>>
>>> What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
>>> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
>>> transit, and I find it works very well for using OpenLDAP as a central
>>> account database. I believe it works with AD, but haven't tried that
>>> myself.
>>>
>>> Cheers,
>>>
>>> Matthew
>>>
>>>
>>
>> We used nss-pam-ldapd quite successfully in the freebsd.org cluster
>> during our transition away from YP/NIS, for what it's worth.
>
> Did you try the OpenLDAP nssov overlay? It replaces nslcd by
> reimplementing the protocol spoken between nslcd and nss_ldap/pam_ldap
> directly inside slapd. This allows slapd to cache or replicate the
> data locally without resorting to the broken nscd.

Hello,

I was curious, so I made a patchset which adds an NSSOV config option to
net/openldap24-server. Unfortunately I'm not getting results :(

I decided to compile nssov.la with -DNSLCD_SOCKET=/var/run/nscld.ctl – the
same as defined for net/nss-pam-ldapd.
Just for testing; I will consider reverting that because slapd drops
privileges before creating the socket, so ldap needs write access to
/var/run...

Starting nslcd makes 'id ldapuser' return correct results.
Stopping nslcd and starting slapd (with verified configuration – ldapsearch
works as expected) just doesn't utilize slapd at all, according to the logs.

Have you compiled the nss_ldap library from
contrib/slapd-modules/nssov/nss-pam-ldapd/ or do you also use the port?

Thanks for hints,

-harry
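An added troubleshooting script for the socket problem Harry describes (slapd dropping privileges before binding the nslcd control socket, and nss_ldap and slapd having to agree on its path); it is not code from the thread, OpenLDAP or nss-pam-ldapd. It assumes the socket path /var/run/nslcd.ctl and the run-as user ldap as defaults, both overridable by argument; check the default against what net/nss-pam-ldapd actually defines.

```shell
#!/bin/sh
# Added helper, not from the thread: verify the nslcd control socket that
# nss_ldap/pam_ldap connect to exists, is really a socket, and that the
# user slapd drops privileges to can create it in that directory.
# Print "owner group mode" for a path, parsed from ls -ld, which is the
# same on FreeBSD and Linux (stat's flag syntax is not).
path_owner_mode() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3, $4, $1 }'
}
# Return 0 if user $2 can create a new entry in directory $1: it owns the
# directory with owner-write, or the directory is world-writable (sticky
# /var/run-style dirs still allow new files). Group bits are ignored.
# Returns 2 if the directory is missing.
dir_writable_by() {
    set -- "$1" "$2" $(path_owner_mode "$1")
    [ -n "$3" ] || return 2
    owner=$3; mode=$5
    case "$mode" in
        d?w*) [ "$owner" = "$2" ] && return 0 ;;
    esac
    case "$mode" in
        d???????w*) return 0 ;;
    esac
    return 1
}
# Return 0 only if $1 exists and is a unix-domain socket; a leftover regular
# file or a missing path both leave nothing for nss_ldap to talk to.
socket_present() {
    [ -S "$1" ]
}
# Full check; prints one verdict per step and stops at the first failure.
# Defaults are assumptions (see lead-in), pass your real values instead.
check_nslcd_socket() {
    sock=${1:-/var/run/nslcd.ctl}
    user=${2:-ldap}
    dir=$(dirname "$sock")
    if ! dir_writable_by "$dir" "$user"; then
        echo "FAIL: $user cannot create $sock in $dir (slapd binds after dropping privileges)"
        return 1
    fi
    echo "ok: $user can create sockets in $dir"
    if ! socket_present "$sock"; then
        echo "FAIL: $sock missing or not a socket; compare slapd's NSLCD_SOCKET with nss_ldap's built-in path"
        return 1
    fi
    echo "ok: $sock is a socket owned by $(path_owner_mode "$sock" | cut -d' ' -f1)"
    # FreeBSD: show which process holds the socket (slapd, not a stale nslcd).
    command -v sockstat >/dev/null 2>&1 && sockstat -u | grep -F "$sock"
    return 0
}
```

Run it as `check_nslcd_socket /path/to/socket ldap` after starting slapd with the overlay loaded; a FAIL on the first step is exactly the write-access problem on /var/run, a FAIL on the second means the two sides were built with different socket paths.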