From owner-freebsd-current@freebsd.org Wed Jun 15 12:04:03 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A4E55A44D74 for ; Wed, 15 Jun 2016 12:04:03 +0000 (UTC) (envelope-from lifanov@mail.lifanov.com) Received: from mail.lifanov.com (mail.lifanov.com [206.125.175.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 92E6412DA for ; Wed, 15 Jun 2016 12:04:03 +0000 (UTC) (envelope-from lifanov@mail.lifanov.com) Received: from [127.0.0.1] (unknown [107.15.95.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.lifanov.com (Postfix) with ESMTPSA id 4B94B239A89 for ; Wed, 15 Jun 2016 08:03:57 -0400 (EDT) Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory To: freebsd-current@freebsd.org References: <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net> <5fc80d8ee559336a657514b3f2ec2a33@ultimatedns.net> From: Nikolai Lifanov Message-ID: Date: Wed, 15 Jun 2016 08:03:55 -0400 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jun 2016 12:04:03 -0000 On 06/14/2016 21:05, Marcelo Araujo wrote: > 2016-06-15 8:17 GMT+08:00 Chris H : > >> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo >> wrote >> >>> Hey, >>> >>> Thanks for the CFT Craig. >>> >>> 2016-06-09 14:41 GMT+08:00 Xin Li : >>> >>>> >>>> >>>> On 6/8/16 23:10, Craig Rodrigues wrote: >>>>> Hi, >>>>> >>>>> I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD >>>>> current. >>>>> >>>>> In latest current, it should be possible to put in /etc/rc.conf: >>>>> >>>>> nis_ypldap_enable="YES" >>>>> to activate the ypldap daemon. >>>>> >>>>> When set up properly, it should be possible to log into FreeBSD, and >> have >>>>> the backend password database come from an LDAP database such >>>>> as OpenLDAP >>>>> >>>>> There is some documentation for setting this up, but it is OpenBSD >>>> specific: >>>>> >>>>> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client >>>>> http://puffysecurity.com/wiki/ypldap.html#2 >>>>> >>>>> I did not bother porting the OpenBSD LDAP server to FreeBSD, so that >>>>> information >>>>> does not apply. I figure that openldap from ports should work fine. >>>>> >>>>> I was wondering if there is someone out there familiar enough with >> LDAP >>>>> and has a setup they can test this stuff out with, provide feedback, >> and >>>>> help >>>>> improve the documentation for FreeBSD? >>>> >>>> Looks like it would be a fun weekend project. I've cc'ed a potential >>>> person who may be interested in this as well. >>>> >>>> But will this worth the effort? (I think the current implementation >>>> would do everything with plaintext protocol over wire, so while it >>>> extends life for legacy applications that are still using NIS/YP, it >>>> doesn't seem to be something that we should recommend end user to use?) >>>> >>> >>> I can see two good point to use ypldap that would be basically for users >>> that needs to migrate from NIS to LDAP or need to make some integration >>> between legacy(NIS) and LDAP during a transition period to LDAP. >>> >>> As mentioned, NIS is 'plain text' not safe by its nature, however there >> are >>> still lots of people out there using NIS, and ypldap(8) is a good tool to >>> help these people migrate to a more safe tool like LDAP. >>> >>> >>>> >>>>> I would also be interested in hearing from someone who can see if >>>>> ypldap can work against a Microsoft Active Directory setup? >>>> >>>> Cheers, >>>> >>>> >>> All my tests were using OpenLDAP, I used the OpenBSD documentation to >> setup >>> everything, and the file share/examples/ypldap/ypldap.conf can be a good >>> start to anybody that wants to start to work with ypldap(8). >>> >>> Would be nice hear from other users how was their experience using ypldap >>> with MS Active Directory and perhaps some HOWTO how they made all the >> setup >>> would be amazing to have. >>> >>> Also, would be useful to know who are still using NIS and what kind of >>> setup(user case), maybe even the reason why they are still using it. >> >> Honestly, I think the best way to motivate people to do the right thing(tm) >> Would be to remove Yellow Pages from the tree, entirely. :-) >> It's been dead for *years*, and as you say, isn't safe, anyway.. >> > > Yes, I have a plan for that, but I don't believe it will happens before > FreeBSD 12-RELEASE. > Please don't, at least for now. NIS is fast, simple, reliable, and works on first boot without additional software. I have passwords in Kerberos, so the usual cons doesn't apply. This is very valuable to me. It's not hurting anyone. What's the motivation behind removing it? > >> >> --Chris >>> >>> >>> Best, >>> -- >>> >>> -- >>> Marcelo Araujo (__)araujo@FreeBSD.org >>> \\\'',)http://www.FreeBSD.org \/ \ ^ >>> Power To Server. .\. /_) >>> _______________________________________________ >>> freebsd-current@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/freebsd-current >>> To unsubscribe, send any mail to " >> freebsd-current-unsubscribe@freebsd.org" >> >> >> _______________________________________________ >> freebsd-current@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-current >> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org" >> > > >