Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

From: Marcelo Araujo <araujobsdport_at_gmail.com>
Date: Thu, 16 Jun 2016 10:15:52 +0800
No worries Nikolai! If one day I will do it, will be on 12-RELEASE.

Br,

2016-06-15 20:03 GMT+08:00 Nikolai Lifanov <lifanov_at_mail.lifanov.com>:

> On 06/14/2016 21:05, Marcelo Araujo wrote:
> > 2016-06-15 8:17 GMT+08:00 Chris H <bsd-lists_at_bsdforge.com>:
> >
> >> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo <
> araujobsdport_at_gmail.com>
> >> wrote
> >>
> >>> Hey,
> >>>
> >>> Thanks for the CFT Craig.
> >>>
> >>> 2016-06-09 14:41 GMT+08:00 Xin Li <delphij_at_delphij.net>:
> >>>
> >>>>
> >>>>
> >>>> On 6/8/16 23:10, Craig Rodrigues wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
> >>>>> current.
> >>>>>
> >>>>> In latest current, it should be possible to put in /etc/rc.conf:
> >>>>>
> >>>>> nis_ypldap_enable="YES"
> >>>>> to activate the ypldap daemon.
> >>>>>
> >>>>> When set up properly, it should be possible to log into FreeBSD, and
> >> have
> >>>>> the backend password database come from an LDAP database such
> >>>>> as OpenLDAP
> >>>>>
> >>>>> There is some documentation for setting this up, but it is OpenBSD
> >>>> specific:
> >>>>>
> >>>>> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> >>>>> http://puffysecurity.com/wiki/ypldap.html#2
> >>>>>
> >>>>> I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
> >>>>> information
> >>>>> does not apply.  I figure that openldap from ports should work fine.
> >>>>>
> >>>>> I was wondering if there is someone out there familiar enough with
> >> LDAP
> >>>>> and has a setup they can test this stuff out with, provide feedback,
> >> and
> >>>>> help
> >>>>> improve the documentation for FreeBSD?
> >>>>
> >>>> Looks like it would be a fun weekend project.  I've cc'ed a potential
> >>>> person who may be interested in this as well.
> >>>>
> >>>> But will this worth the effort? (I think the current implementation
> >>>> would do everything with plaintext protocol over wire, so while it
> >>>> extends life for legacy applications that are still using NIS/YP, it
> >>>> doesn't seem to be something that we should recommend end user to
> use?)
> >>>>
> >>>
> >>> I can see two good point to use ypldap that would be basically for
> users
> >>> that needs to migrate from NIS to LDAP or need to make some integration
> >>> between legacy(NIS) and LDAP during a transition period to LDAP.
> >>>
> >>> As mentioned, NIS is 'plain text' not safe by its nature, however there
> >> are
> >>> still lots of people out there using NIS, and ypldap(8) is a good tool
> to
> >>> help these people migrate to a more safe tool like LDAP.
> >>>
> >>>
> >>>>
> >>>>> I would also be interested in hearing from someone who can see if
> >>>>> ypldap can work against a Microsoft Active Directory setup?
> >>>>
> >>>> Cheers,
> >>>>
> >>>>
> >>> All my tests were using OpenLDAP, I used the OpenBSD documentation to
> >> setup
> >>> everything, and the file share/examples/ypldap/ypldap.conf can be a
> good
> >>> start to anybody that wants to start to work with ypldap(8).
> >>>
> >>> Would be nice hear from other users how was their experience using
> ypldap
> >>> with MS Active Directory and perhaps some HOWTO how they made all the
> >> setup
> >>> would be amazing to have.
> >>>
> >>> Also, would be useful to know who are still using NIS and what kind of
> >>> setup(user case), maybe even the reason why they are still using it.
> >>
> >> Honestly, I think the best way to motivate people to do the right
> thing(tm)
> >> Would be to remove Yellow Pages from the tree, entirely. :-)
> >> It's been dead for *years*, and as you say, isn't safe, anyway..
> >>
> >
> > Yes, I have a plan for that, but I don't believe it will happens before
> > FreeBSD 12-RELEASE.
> >
>
> Please don't, at least for now. NIS is fast, simple, reliable, and works
> on first boot without additional software. I have passwords in
> Kerberos, so the usual cons doesn't apply. This is very valuable to me.
>
> It's not hurting anyone. What's the motivation behind removing it?
>
> >
> >>
> >> --Chris
> >>>
> >>>
> >>> Best,
> >>> --
> >>>
> >>> --
> >>> Marcelo Araujo            (__)araujo_at_FreeBSD.org
> >>> \\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>   \/  \ ^
> >>> Power To Server.         .\. /_)
> >>> _______________________________________________
> >>> freebsd-current_at_freebsd.org mailing list
> >>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> >>> To unsubscribe, send any mail to "
> >> freebsd-current-unsubscribe_at_freebsd.org"
> >>
> >>
> >> _______________________________________________
> >> freebsd-current_at_freebsd.org mailing list
> >> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> >> To unsubscribe, send any mail to "
> freebsd-current-unsubscribe_at_freebsd.org"
> >>
> >
> >
> >
>
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"
>



-- 

-- 
Marcelo Araujo            (__)araujo_at_FreeBSD.org
\\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>   \/  \ ^
Power To Server.         .\. /_)
Received on Thu Jun 16 2016 - 00:15:54 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:05 UTC