Regarding Jan Bramkamp's message of 13.06.2016 14:46 (localtime):
>
> On 10/06/16 16:29, Peter Wemm wrote:
>> On 6/9/16 6:49 PM, Matthew Seaman wrote:
>>> On 09/06/2016 18:34, Craig Rodrigues wrote:
>>>> There is still value to ypldap as it is now, and getting feedback from
>>>> users (especially Active Directory) would be very useful.
>>>> If someone could document a configuration which uses IPSEC or OpenSSH
>>>> forwarding, that would be nice.
>>>>
>>>> In future, maybe someone in OpenBSD or FreeBSD will implement things
>>>> like
>>>> LDAP over SSL.
>>>
>>> What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
>>> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
>>> transit, and I find it works very well for using OpenLDAP as a central
>>> account database. I believe it works with AD, but haven't tried that
>>> myself.
>>>
>>> Cheers,
>>>
>>> Matthew
>>>
>>
>> We used nss-pam-ldapd quite successfully in the freebsd.org cluster
>> during our transition away from YP/NIS, for what it's worth.
>
> Did you try the OpenLDAP nssov overlay? It replaces nslcd by
> reimplementing the protocol spoken between nslcd and nss_ldap/pam_ldap
> directly inside slapd. This allows slapd to cache or replicate the
> data locally without resorting to the broken nscd.

Hello,

I was curious, so I made a patchset which adds NSSOV config option to
net/openldap24-server.
Unfortunately I'm not getting results :(

I decided to compile nssov.la with -DNSLCD_SOCKET=/var/run/nscld.ctl –
the same as defined for net/nss-pam-ldapd. Just for testing, will
consider reverting that because slapd drops privileges before creating
the socket, so ldap needs write access to /var/run...

Starting nslcd makes 'id ldapuser' return correct results.
Stopping nslcd and starting slapd (with verified configuration –
ldapsearch works as expected) just doesn't utilize slapd at all,
according to the logs.
Have you compiled the nss_ldap library from
contrib/slapd-modules/nssov/nss-pam-ldapd/ or do you also use the port?

Thanks for hints,

-harry

Received on Fri Aug 05 2016 - 17:22:13 UTC