From owner-freebsd-current@freebsd.org  Fri Aug  5 19:22:13 2016
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2F2C1BB061B
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Fri,  5 Aug 2016 19:22:13 +0000 (UTC)
 (envelope-from freebsd@omnilan.de)
Received: from mx0.gentlemail.de (mx0.gentlemail.de [IPv6:2a00:e10:2800::a130])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id B96E116BD
 for <freebsd-current@freebsd.org>; Fri,  5 Aug 2016 19:22:12 +0000 (UTC)
 (envelope-from freebsd@omnilan.de)
Received: from mh0.gentlemail.de (ezra.dcm1.omnilan.net
 [IPv6:2a00:e10:2800::a135])
 by mx0.gentlemail.de (8.14.5/8.14.5) with ESMTP id u75JM93C030131;
 Fri, 5 Aug 2016 21:22:09 +0200 (CEST)
 (envelope-from freebsd@omnilan.de)
Received: from titan.inop.mo1.omnilan.net (titan.inop.mo1.omnilan.net
 [IPv6:2001:a60:f0bb:1::3:1])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mh0.gentlemail.de (Postfix) with ESMTPSA id A831F691;
 Fri,  5 Aug 2016 21:22:08 +0200 (CEST)
Message-ID: <57A4E760.40209@omnilan.de>
Date: Fri, 05 Aug 2016 21:22:08 +0200
From: Harry Schmalzbauer <freebsd@omnilan.de>
Organization: OmniLAN
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; de-DE;
 rv:1.9.2.8) Gecko/20100906 Lightning/1.0b2 Thunderbird/3.1.2
MIME-Version: 1.0
To: Jan Bramkamp <crest@rlwinm.de>
CC: FreeBSD current <freebsd-current@freebsd.org>
Subject: Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active
 Directory
References: <CAG=rPVeiPvfBdnmieEHG_0Jp8ZxvTQr-sLdSkutWD5cYhdk9SA@mail.gmail.com>
 <7c39e5ac-3ed7-f19a-e175-d27af07eea47@delphij.net>
 <CAG=rPVfjzjh=Qb8Y+FsXgoLOA0UCf_mgJu32=wHUHjPjMFjvyA@mail.gmail.com>
 <b5d81132-63e6-6d53-c97d-5c709e748e2b@FreeBSD.org>
 <575ACEB2.2030307@wemm.org> <6f2f1234-1d12-7796-f0b5-9da5a44585db@rlwinm.de>
In-Reply-To: <6f2f1234-1d12-7796-f0b5-9da5a44585db@rlwinm.de>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7
 (mx0.gentlemail.de [IPv6:2a00:e10:2800::a130]);
 Fri, 05 Aug 2016 21:22:09 +0200 (CEST)
X-Milter: Spamilter (Reciever: mx0.gentlemail.de; Sender-ip: ;
 Sender-helo: mh0.gentlemail.de; )
X-Mailman-Approved-At: Fri, 05 Aug 2016 20:14:54 +0000
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2016 19:22:13 -0000

 Bezüglich Jan Bramkamp's Nachricht vom 13.06.2016 14:46 (localtime):
>
>
> On 10/06/16 16:29, Peter Wemm wrote:
>> On 6/9/16 6:49 PM, Matthew Seaman wrote:
>>> On 09/06/2016 18:34, Craig Rodrigues wrote:
>>>> There is still value to ypldap as it is now, and getting feedback from
>>>> users (especially Active Directory) would be very useful.
>>>> If someone could document a configuration which uses IPSEC or OpenSSH
>>>> forwarding, that would be nice.
>>>>
>>>> In future, maybe someone in OpenBSD or FreeBSD will implement things
>>>> like
>>>> LDAP over SSL.
>>>
>>> What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
>>> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
>>> transit, and I find it works very well for using OpenLDAP as a central
>>> account database. I believe it works with AD, but haven't tried that
>>> myself.
>>>
>>> Cheers,
>>>
>>> Matthew
>>>
>>>
>>
>> We used nss-pam-ldapd quite successfully in the freebsd.org cluster
>> during our transition away from YP/NIS, for what it's worth.
>
> Did you try the OpenLDAP nssov overlay? It replaces nslcd by
> reimplementing the protocol spoken between nslcd and nss_ldap/pam_ldap
> directly inside slapd. This allows slapd to cache or replicate the
> data locally without resorting to the broken nscd.

Hello,

I was curious, so I made a patcheset which adds NSSOV config option to
net/openldap24-server.

Unfortunately I'm not getting results :(

I decided to compile nssov.la with -DNSLCD_SOCKET=/var/run/nscld.ctl –
the same as defined for net/nss-pam-ldapd.
Just for testing, will consider reverting that because slapd drops
priviledges before creating the socket, so ldap needs write access to
/var/run...

Starting nslcd makes 'id ldapuser' return correct results.
Stopping nslcd and starting slapd (with verified configuration –
ldapsearch works as expected) just doesn't utilize slapd at all,
according to the logs.

Have you compiled the nss_ldap library from
contrib/slapd-modules/nssov/nss-pam-ldapd/ or do you also use the port?

Thanks for hints,

-harry