Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 18 Jun 2016 09:15:56 -0600
From:      Alan Somers <asomers@freebsd.org>
To:        Chris H <bsd-lists@bsdforge.com>
Cc:        FreeBSD CURRENT <freebsd-current@freebsd.org>
Subject:   Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory
Message-ID:  <CAOtMX2joHt=%2BM_R8fPtMjEB7rdQAOf0hN1CErhdL9_iVRQW8WQ@mail.gmail.com>
In-Reply-To: <d217344675ba66054c34c64e544b6ce0@ultimatedns.net>
References:  <CAG=rPVeiPvfBdnmieEHG_0Jp8ZxvTQr-sLdSkutWD5cYhdk9SA@mail.gmail.com> <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net> <CAOfEmZhkfxBcvDPS5tBYLXnHuzHJ7X7B2j6=BRBHquc8=bevGg@mail.gmail.com> <5fc80d8ee559336a657514b3f2ec2a33@ultimatedns.net> <CAOfEmZhj9ysd%2BmvDj_c51SqyzLxqpqdhivdK_w3QWXzqRuqpWg@mail.gmail.com> <c7717530-bc7d-30c4-1371-a82ad1bc0f0d@mail.lifanov.com> <d217344675ba66054c34c64e544b6ce0@ultimatedns.net>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Jun 16, 2016 at 7:20 AM, Chris H <bsd-lists@bsdforge.com> wrote:
> On Wed, 15 Jun 2016 08:03:55 -0400 Nikolai Lifanov <lifanov@mail.lifanov.com>
> wrote
>
>> On 06/14/2016 21:05, Marcelo Araujo wrote:
>> > 2016-06-15 8:17 GMT+08:00 Chris H <bsd-lists@bsdforge.com>:
>> >
>> >> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo <araujobsdport@gmail.com>
>> >> wrote
>> >>
>> >>> Hey,
>> >>>
>> >>> Thanks for the CFT Craig.
>> >>>
>> >>> 2016-06-09 14:41 GMT+08:00 Xin Li <delphij@delphij.net>:
>> >>>
>> >>>>
>> >>>>
>> >>>> On 6/8/16 23:10, Craig Rodrigues wrote:
>> >>>>> Hi,
>> >>>>>
>> >>>>> I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
>> >>>>> current.
>> >>>>>
>> >>>>> In latest current, it should be possible to put in /etc/rc.conf:
>> >>>>>
>> >>>>> nis_ypldap_enable="YES"
>> >>>>> to activate the ypldap daemon.
>> >>>>>
>> >>>>> When set up properly, it should be possible to log into FreeBSD, and
>> >> have
>> >>>>> the backend password database come from an LDAP database such
>> >>>>> as OpenLDAP
>> >>>>>
>> >>>>> There is some documentation for setting this up, but it is OpenBSD
>> >>>> specific:
>> >>>>>
>> >>>>> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
>> >>>>> http://puffysecurity.com/wiki/ypldap.html#2
>> >>>>>
>> >>>>> I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
>> >>>>> information
>> >>>>> does not apply.  I figure that openldap from ports should work fine.
>> >>>>>
>> >>>>> I was wondering if there is someone out there familiar enough with
>> >> LDAP
>> >>>>> and has a setup they can test this stuff out with, provide feedback,
>> >> and
>> >>>>> help
>> >>>>> improve the documentation for FreeBSD?
>> >>>>
>> >>>> Looks like it would be a fun weekend project.  I've cc'ed a potential
>> >>>> person who may be interested in this as well.
>> >>>>
>> >>>> But will this worth the effort? (I think the current implementation
>> >>>> would do everything with plaintext protocol over wire, so while it
>> >>>> extends life for legacy applications that are still using NIS/YP, it
>> >>>> doesn't seem to be something that we should recommend end user to use?)
>> >>>>
>> >>>
>> >>> I can see two good point to use ypldap that would be basically for users
>> >>> that needs to migrate from NIS to LDAP or need to make some integration
>> >>> between legacy(NIS) and LDAP during a transition period to LDAP.
>> >>>
>> >>> As mentioned, NIS is 'plain text' not safe by its nature, however there
>> >> are
>> >>> still lots of people out there using NIS, and ypldap(8) is a good tool to
>> >>> help these people migrate to a more safe tool like LDAP.
>> >>>
>> >>>
>> >>>>
>> >>>>> I would also be interested in hearing from someone who can see if
>> >>>>> ypldap can work against a Microsoft Active Directory setup?
>> >>>>
>> >>>> Cheers,
>> >>>>
>> >>>>
>> >>> All my tests were using OpenLDAP, I used the OpenBSD documentation to
>> >> setup
>> >>> everything, and the file share/examples/ypldap/ypldap.conf can be a good
>> >>> start to anybody that wants to start to work with ypldap(8).
>> >>>
>> >>> Would be nice hear from other users how was their experience using ypldap
>> >>> with MS Active Directory and perhaps some HOWTO how they made all the
>> >> setup
>> >>> would be amazing to have.
>> >>>
>> >>> Also, would be useful to know who are still using NIS and what kind of
>> >>> setup(user case), maybe even the reason why they are still using it.
>> >>
>> >> Honestly, I think the best way to motivate people to do the right
>> >> thing(tm) Would be to remove Yellow Pages from the tree, entirely. :-)
>> >> It's been dead for *years*, and as you say, isn't safe, anyway..
>> >>
>> >
>> > Yes, I have a plan for that, but I don't believe it will happens before
>> > FreeBSD 12-RELEASE.
>> >
>>
>> Please don't, at least for now. NIS is fast, simple, reliable, and works
>> on first boot without additional software. I have passwords in
>> Kerberos, so the usual cons doesn't apply. This is very valuable to me.
>>
>> It's not hurting anyone. What's the motivation behind removing it?
>
> In all honesty, my comment was somewhat tongue-in-cheek. But from
> a purely maintenance POV, at this point in time. I think the Yellow
> Pages are better suited for the ports tree, than in $BASE.
>

It will be hard to wean people off of NIS as long as KGSSAPI is
disabled in GENERIC.  Does anybody know why it isn't enabled by
default?

-Alan



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOtMX2joHt=%2BM_R8fPtMjEB7rdQAOf0hN1CErhdL9_iVRQW8WQ>