From owner-freebsd-stable@freebsd.org Wed Aug 3 09:36:49 2016
Message-ID: <57A1BB2B.2060504@omnilan.de>
Date: Wed, 03 Aug 2016 11:36:43 +0200
From: Harry Schmalzbauer
Organization: OmniLAN
To: FreeBSD Stable
CC: araujo@freebsd.org, Craig Rodrigues
Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory
References: <57A0BDF7.6020602@omnilan.de> <57A0DD0C.4050106@omnilan.de>
Regarding Craig Rodrigues's message of 02.08.2016 22:31 (localtime):
> Thanks for the feedback. Please consider posting your questions
> on freebsd-current so that other people can jump in and help
> answer your questions.
>
> I don't have an LDAP server to test against, so don't know the answer
> to all your questions.
>
> What type of LDAP server are you testing against? Is it Active Directory?

Thanks for your response!

In this (productive) environment I use OpenLDAP with core, cosine, nis and sambaSchema, but I'd also have MS Active Directories to test against, once I get it working and switch to stable/11 in other setups too.

Found your question https://reviews.freebsd.org/D4744#142095 which makes me wonder if ypldap(8) has been successfully used in FreeBSD at all yet?

Unfortunately I don't have time to help finding integration problems and I'm not familiar with the NIS subsystem at all, so all I can contribute is questions :-(

And a short summary which might help others joining ypldap(8) testing under FreeBSD-11:

– 'ypldap -vd' gives reasonable output and does query the LDAP server defined in the directory "" {} section, where it looks like you can use any form of IP/hostname, including IPv6 addresses without any braces.
– If run in foreground, it registers service "ypserv" version 2 only with rpcbind.
– 'ypcat passwd.byname' just doesn't work, same is true for 'id'. No interaction at all with ypldap(8) seems to happen, no errors/results.
– When stopping ypldap(8) from foreground, it does NOT unregister ypserv service!
The same is true if you run ypldap(8) in the background, started without running ypserv(8).
– If started by the rc.d script, ypserv(8) registers service ypserv versions 1 and 2, before ypldap(8) overrides service ypserv version 2.
– 'ypcat passwd.byname' _sometimes_ responds with this error:
  clnttcp_create failed
  ypcat: no such map passwd.byname. Reason: Can't communicate with portmapper
– ypldap(8) doesn't connect to the server at all when started by rc.d.
– When stopping ypldap(8) only, keeping ypserv (started by rc.d/ypldap) running and starting ypldap(8) in the foreground, the LDAP server connection gets established and again sensible maps are shown, followed by the regular:
  connecting to directories
  searching password entries
  searching group entries
  In that state ypcat results in:
  yp_all: clnt_call: RPC: Authentication error; why = Failed (unspecified error)
  yp_all: clnt_call: RPC: Authentication error; why = Failed (unspecified error)
  … repeat 19 more times …
  ypcat: no such map passwd.byname. Reason: RPC failure
– After some minutes, ypcat doesn't respond with any errors/results again.

ldap.conf(5) contradicts https://svnweb.freebsd.org/base?view=revision&revision=301480. The latter (rc.d start script by Marcelo Araujo, CC'ed) starts ypserv(8) as a dependency, the former claims ypldap(8) and ypserv(8) are mutually exclusive.

Since I have no clue how ypldap(8) is designed to integrate with NIS/YP, I don't know how to start finding the root of the presently existing problems – with or without ypserv(8)?!

Right now, ypldap(8) in stable/11 doesn't enable LDAP-maintained users for me. This should either be solved before 11-RELEASE or, if _nobody_ else can confirm it's working, /etc/rc.d/ypldap needs to be suspended for 11-RELEASE and live in CURRENT until functional.

Any hints very welcome, but for now I'll have to switch back to nslcd(8).
Since CURRENT turned into stable/11 in the meantime, I'm posting to stable@ referencing the original post:
https://lists.freebsd.org/pipermail/freebsd-current/2016-June/061775.html

> On Tue, Aug 2, 2016 at 10:49 AM, Harald Schmalzbauer wrote:
>
> > Regarding Harald Schmalzbauer's message of 02.08.2016 17:36 (localtime):
> > …
> > > How can I define the host to which ypldap connects for LDAP queries? Is
> > > it "directory"? What syntax is allowed, FQDN, IPs, IP6-spelling?
> > >
> > > Tried a lot but always end up in ypldap[6960]: fatal: getpwnam: Socket
> > > is not connected
> >
> > Hello, I made some progress :-)
> >
> > "fatal: getpwnam: Socket is not connected" was due to my outdated
> > master.passwd, missing the _ypldap account.
> > The "directory" seems to define the host to connect with any addressing;
> > IPv6 addresses work just as they are notated everywhere, without any
> > braces. Will try to find out what about unqualified host names and hosts
> > with A and AAAA records...
> >
> > I couldn't figure out if ypserv(8) is needed to authenticate LDAP users
> > on the local host, where ypldap(8) runs.
> >
> > Running ypldap in foreground gives a lot of reasonable output like
> > "pushing line: ..." with valid content.
> > So contacting, binding and querying the LDAP seems to work :-)
> >
> > Unfortunately 'ypcat passwd.byname' and 'id someldapuser' do not work –
> > neither with ypserv started nor without.
> >
> > Will look in the code again, perhaps I can find more hints. Any help
> > appreciated.
> >
> > Thanks,
> >
> > -Harry
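Added example, not code from the thread or from FreeBSD: a POSIX sh check that parses `rpcinfo -p` output for registrations of the ypserv RPC service (program number 100004) and classifies the state the way the observations above describe it (ypldap(8) alone registers version 2 only, rc.d-started ypserv(8) registers versions 1 and 2, and a registration that outlives the daemon is stale). The `rpcinfo -p` sample is constructed; the "daemon running" flag is passed in by the caller.

```sh
#!/bin/sh
# Added example, not from the thread. Reads 'rpcinfo -p' output and reports
# which versions of the ypserv RPC service (program 100004) rpcbind has
# registered, then classifies the state as described in the thread.

# Constructed sample: rpcinfo -p after ypldap(8) was run in the foreground
# and stopped, leaving its version-2 registration behind.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100004    2   udp    873  ypserv
    100004    2   tcp    819  ypserv'

# ypserv_versions: stdin is rpcinfo -p output; prints the distinct ypserv
# versions in ascending order, space separated, or "none".
ypserv_versions() {
    awk '$1 == 100004 { seen[$2] = 1 }
         END {
             out = ""
             for (v = 1; v <= 9; v++)
                 if (v in seen) out = out (out == "" ? "" : " ") v
             print (out == "" ? "none" : out)
         }'
}

# ypserv_state VERSIONS RUNNING: RUNNING is "yes" if a ypserv or ypldap
# process exists (live use: pgrep -x ypserv or pgrep -x ypldap), else "no".
#   unregistered  nothing registered, so ypcat cannot find the service
#   stale         registration outlived the daemon (the "does NOT unregister" case)
#   ypldap        v2 only, as ypldap(8) registers when started alone
#   ypserv        v1 and v2, as rc.d-started ypserv(8) registers
ypserv_state() {
    case "$1:$2" in
        none:*)    echo unregistered ;;
        *:no)      echo stale ;;
        2:yes)     echo ypldap ;;
        "1 2":yes) echo ypserv ;;
        *)         echo unexpected ;;
    esac
}

# Stand-alone run on the constructed sample; on a live host pipe
# 'rpcinfo -p' into ypserv_versions instead.
versions=$(printf '%s\n' "$SAMPLE_RPCINFO" | ypserv_versions)
echo "ypserv versions registered: $versions"
echo "state (no daemon running): $(ypserv_state "$versions" no)"
```

A "stale" result is the condition to look for after stopping ypldap(8): the registration still points at a port nobody serves, which matches the "Can't communicate with portmapper" and "RPC failure" results from ypcat reported above.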