Date: Tue, 21 Jun 2016 10:36:52 -0600 From: Alan Somers <asomers@freebsd.org> To: Jan Bramkamp <crest@rlwinm.de> Cc: FreeBSD CURRENT <freebsd-current@freebsd.org> Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory Message-ID: <CAOtMX2hoWbw1-BNFd8C0UDtxq8OP=A9oGtqto-18oXoLD_Zxyw@mail.gmail.com> In-Reply-To: <975a9e3d-c7c5-6ed1-9985-5f5d99050d8f@rlwinm.de> References: <CAG=rPVeiPvfBdnmieEHG_0Jp8ZxvTQr-sLdSkutWD5cYhdk9SA@mail.gmail.com> <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net> <CAOfEmZhkfxBcvDPS5tBYLXnHuzHJ7X7B2j6=BRBHquc8=bevGg@mail.gmail.com> <5fc80d8ee559336a657514b3f2ec2a33@ultimatedns.net> <CAOfEmZhj9ysd%2BmvDj_c51SqyzLxqpqdhivdK_w3QWXzqRuqpWg@mail.gmail.com> <c7717530-bc7d-30c4-1371-a82ad1bc0f0d@mail.lifanov.com> <d217344675ba66054c34c64e544b6ce0@ultimatedns.net> <CAOtMX2joHt=%2BM_R8fPtMjEB7rdQAOf0hN1CErhdL9_iVRQW8WQ@mail.gmail.com> <975a9e3d-c7c5-6ed1-9985-5f5d99050d8f@rlwinm.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jun 21, 2016 at 9:55 AM, Jan Bramkamp <crest@rlwinm.de> wrote: > On 18/06/16 17:15, Alan Somers wrote: >> >> On Thu, Jun 16, 2016 at 7:20 AM, Chris H <bsd-lists@bsdforge.com> wrote: >>> >>> On Wed, 15 Jun 2016 08:03:55 -0400 Nikolai Lifanov >>> <lifanov@mail.lifanov.com> >>> wrote >>> >>>> On 06/14/2016 21:05, Marcelo Araujo wrote: >>>>> >>>>> 2016-06-15 8:17 GMT+08:00 Chris H <bsd-lists@bsdforge.com>: >>>>> >>>>>> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo >>>>>> <araujobsdport@gmail.com> >>>>>> wrote >>>>>> >>>>>>> Hey, >>>>>>> >>>>>>> Thanks for the CFT Craig. >>>>>>> >>>>>>> 2016-06-09 14:41 GMT+08:00 Xin Li <delphij@delphij.net>: >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On 6/8/16 23:10, Craig Rodrigues wrote: >>>>>>>>> >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> I have worked with Marcelo Araujo to port OpenBSD's ypldap to >>>>>>>>> FreeBSD >>>>>>>>> current. >>>>>>>>> >>>>>>>>> In latest current, it should be possible to put in /etc/rc.conf: >>>>>>>>> >>>>>>>>> nis_ypldap_enable="YES" >>>>>>>>> to activate the ypldap daemon. >>>>>>>>> >>>>>>>>> When set up properly, it should be possible to log into FreeBSD, >>>>>>>>> and >>>>>> >>>>>> have >>>>>>>>> >>>>>>>>> the backend password database come from an LDAP database such >>>>>>>>> as OpenLDAP >>>>>>>>> >>>>>>>>> There is some documentation for setting this up, but it is OpenBSD >>>>>>>> >>>>>>>> specific: >>>>>>>>> >>>>>>>>> >>>>>>>>> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client >>>>>>>>> http://puffysecurity.com/wiki/ypldap.html#2 >>>>>>>>> >>>>>>>>> I did not bother porting the OpenBSD LDAP server to FreeBSD, so >>>>>>>>> that >>>>>>>>> information >>>>>>>>> does not apply. I figure that openldap from ports should work >>>>>>>>> fine. >>>>>>>>> >>>>>>>>> I was wondering if there is someone out there familiar enough with >>>>>> >>>>>> LDAP >>>>>>>>> >>>>>>>>> and has a setup they can test this stuff out with, provide >>>>>>>>> feedback, >>>>>> >>>>>> and >>>>>>>>> >>>>>>>>> help >>>>>>>>> improve the documentation for FreeBSD? >>>>>>>> >>>>>>>> >>>>>>>> Looks like it would be a fun weekend project. I've cc'ed a >>>>>>>> potential >>>>>>>> person who may be interested in this as well. >>>>>>>> >>>>>>>> But will this worth the effort? (I think the current implementation >>>>>>>> would do everything with plaintext protocol over wire, so while it >>>>>>>> extends life for legacy applications that are still using NIS/YP, it >>>>>>>> doesn't seem to be something that we should recommend end user to >>>>>>>> use?) >>>>>>>> >>>>>>> >>>>>>> I can see two good point to use ypldap that would be basically for >>>>>>> users >>>>>>> that needs to migrate from NIS to LDAP or need to make some >>>>>>> integration >>>>>>> between legacy(NIS) and LDAP during a transition period to LDAP. >>>>>>> >>>>>>> As mentioned, NIS is 'plain text' not safe by its nature, however >>>>>>> there >>>>>> >>>>>> are >>>>>>> >>>>>>> still lots of people out there using NIS, and ypldap(8) is a good >>>>>>> tool to >>>>>>> help these people migrate to a more safe tool like LDAP. >>>>>>> >>>>>>> >>>>>>>> >>>>>>>>> I would also be interested in hearing from someone who can see if >>>>>>>>> ypldap can work against a Microsoft Active Directory setup? >>>>>>>> >>>>>>>> >>>>>>>> Cheers, >>>>>>>> >>>>>>>> >>>>>>> All my tests were using OpenLDAP, I used the OpenBSD documentation to >>>>>> >>>>>> setup >>>>>>> >>>>>>> everything, and the file share/examples/ypldap/ypldap.conf can be a >>>>>>> good >>>>>>> start to anybody that wants to start to work with ypldap(8). >>>>>>> >>>>>>> Would be nice hear from other users how was their experience using >>>>>>> ypldap >>>>>>> with MS Active Directory and perhaps some HOWTO how they made all the >>>>>> >>>>>> setup >>>>>>> >>>>>>> would be amazing to have. >>>>>>> >>>>>>> Also, would be useful to know who are still using NIS and what kind >>>>>>> of >>>>>>> setup(user case), maybe even the reason why they are still using it. >>>>>> >>>>>> >>>>>> Honestly, I think the best way to motivate people to do the right >>>>>> thing(tm) Would be to remove Yellow Pages from the tree, entirely. :-) >>>>>> It's been dead for *years*, and as you say, isn't safe, anyway.. >>>>>> >>>>> >>>>> Yes, I have a plan for that, but I don't believe it will happens before >>>>> FreeBSD 12-RELEASE. >>>>> >>>> >>>> Please don't, at least for now. NIS is fast, simple, reliable, and works >>>> on first boot without additional software. I have passwords in >>>> Kerberos, so the usual cons doesn't apply. This is very valuable to me. >>>> >>>> It's not hurting anyone. What's the motivation behind removing it? >>> >>> >>> In all honesty, my comment was somewhat tongue-in-cheek. But from >>> a purely maintenance POV, at this point in time. I think the Yellow >>> Pages are better suited for the ports tree, than in $BASE. >>> >> >> It will be hard to wean people off of NIS as long as KGSSAPI is >> disabled in GENERIC. Does anybody know why it isn't enabled by >> default? > > > Because it's just a `kldload kgssapi` away. Put it in loader.conf or rc.conf > depending on your needs/preferences. Thanks Jan. I didn't realize that kgssapi was built as a module by default now. All of the very few NFSv4 guides I've found have described including it in the kernel as a requirement. https://code.google.com/archive/p/macnfsv4/wikis/FreeBSD8KerberizedNFSSetup.wiki http://daemon-notes.com/articles/network/unix-lan/nfs -Alan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOtMX2hoWbw1-BNFd8C0UDtxq8OP=A9oGtqto-18oXoLD_Zxyw>