From: Peter Wemm
To: freebsd-current@freebsd.org
Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory
Date: Fri, 10 Jun 2016 10:29:06 -0400
Message-ID: <575ACEB2.2030307@wemm.org>
References: <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net>

On 6/9/16 6:49 PM, Matthew Seaman wrote:
> On 09/06/2016 18:34, Craig Rodrigues wrote:
>> There is still value to ypldap as it is now, and getting feedback from
>> users (especially Active Directory) would be very useful.
>> If someone could document a configuration which uses IPSEC or OpenSSH
>> forwarding, that would be nice.
>>
>> In future, maybe someone in OpenBSD or FreeBSD will implement things like
>> LDAP over SSL.
>
> What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
> transit, and I find it works very well for using OpenLDAP as a central
> account database. I believe it works with AD, but haven't tried that
> myself.
>
> Cheers,
>
> Matthew
>

We used nss-pam-ldapd quite successfully in the freebsd.org cluster
during our transition away from YP/NIS, for what it's worth.

-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…