Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

From: Marcelo Araujo <araujobsdport_at_gmail.com>
Date: Thu, 9 Jun 2016 17:55:58 +0800
Hey,

Thanks for the CFT Craig.

2016-06-09 14:41 GMT+08:00 Xin Li <delphij_at_delphij.net>:

>
>
> On 6/8/16 23:10, Craig Rodrigues wrote:
> > Hi,
> >
> > I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
> > current.
> >
> > In latest current, it should be possible to put in /etc/rc.conf:
> >
> > nis_ypldap_enable="YES"
> > to activate the ypldap daemon.
> >
> > When set up properly, it should be possible to log into FreeBSD, and have
> > the backend password database come from an LDAP database such
> > as OpenLDAP
> >
> > There is some documentation for setting this up, but it is OpenBSD
> > specific:
> >
> > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> > http://puffysecurity.com/wiki/ypldap.html#2
> >
> > I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
> > information does not apply.  I figure that openldap from ports should
> > work fine.
> >
> > I was wondering if there is someone out there familiar enough with LDAP
> > and has a setup they can test this stuff out with, provide feedback, and
> > help improve the documentation for FreeBSD?
>
> Looks like it would be a fun weekend project.  I've cc'ed a potential
> person who may be interested in this as well.
>
> But will this be worth the effort? (I think the current implementation
> would do everything with a plaintext protocol over the wire, so while it
> extends the life of legacy applications that are still using NIS/YP, it
> doesn't seem to be something that we should recommend end users use?)
>

I can see two good points for using ypldap: basically, for users that
need to migrate from NIS to LDAP, or that need some integration between
legacy (NIS) and LDAP during a transition period to LDAP.

As mentioned, NIS is 'plain text', not safe by its nature; however, there are
still lots of people out there using NIS, and ypldap(8) is a good tool to
help these people migrate to a safer tool like LDAP.


>
> > I would also be interested in hearing from someone who can see if
> > ypldap can work against a Microsoft Active Directory setup?
>
> Cheers,
>
>
All my tests were using OpenLDAP. I used the OpenBSD documentation to set up
everything, and the file share/examples/ypldap/ypldap.conf can be a good
start for anybody that wants to start working with ypldap(8).

It would be nice to hear from other users what their experience was using
ypldap with MS Active Directory, and perhaps a HOWTO on how they did all the
setup would be amazing to have.

Also, it would be useful to know who is still using NIS and what kind of
setup (use case) they have, maybe even the reason why they are still using it.


Best,
-- 
Marcelo Araujo            (__)
araujo_at_FreeBSD.org     \\\'',)
http://www.FreeBSD.org    \/  \ ^
Power To Server.         .\. /_)
Received on Thu Jun 09 2016 - 07:55:59 UTC