Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

From: Marcelo Araujo <araujobsdport_at_gmail.com>
Date: Thu, 16 Jun 2016 10:54:04 +0800
I hear too!!! And that is why we are having this talk here around ypldap.

Best,

2016-06-16 10:50 GMT+08:00 Outback Dingo <outbackdingo_at_gmail.com>:

>
>
> On Wed, Jun 15, 2016 at 10:15 PM, Marcelo Araujo <araujobsdport_at_gmail.com>
> wrote:
>
>> No worries Nikolai! If one day I will do it, will be on 12-RELEASE.
>>
>> Br,
>>
>> 2016-06-15 20:03 GMT+08:00 Nikolai Lifanov <lifanov_at_mail.lifanov.com>:
>>
>> > On 06/14/2016 21:05, Marcelo Araujo wrote:
>> > > 2016-06-15 8:17 GMT+08:00 Chris H <bsd-lists_at_bsdforge.com>:
>> > >
>> > >> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo <
>> > araujobsdport_at_gmail.com>
>> > >> wrote
>> > >>
>> > >>> Hey,
>> > >>>
>> > >>> Thanks for the CFT Craig.
>> > >>>
>> > >>> 2016-06-09 14:41 GMT+08:00 Xin Li <delphij_at_delphij.net>:
>> > >>>
>> > >>>>
>> > >>>>
>> > >>>> On 6/8/16 23:10, Craig Rodrigues wrote:
>> > >>>>> Hi,
>> > >>>>>
>> > >>>>> I have worked with Marcelo Araujo to port OpenBSD's ypldap to
>> FreeBSD
>> > >>>>> current.
>> > >>>>>
>> > >>>>> In latest current, it should be possible to put in /etc/rc.conf:
>> > >>>>>
>> > >>>>> nis_ypldap_enable="YES"
>> > >>>>> to activate the ypldap daemon.
>> > >>>>>
>> > >>>>> When set up properly, it should be possible to log into FreeBSD,
>> and
>> > >> have
>> > >>>>> the backend password database come from an LDAP database such
>> > >>>>> as OpenLDAP
>> > >>>>>
>> > >>>>> There is some documentation for setting this up, but it is OpenBSD
>> > >>>> specific:
>> > >>>>>
>> > >>>>> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
>> > >>>>> http://puffysecurity.com/wiki/ypldap.html#2
>> > >>>>>
>> > >>>>> I did not bother porting the OpenBSD LDAP server to FreeBSD, so
>> that
>> > >>>>> information
>> > >>>>> does not apply.  I figure that openldap from ports should work
>> fine.
>> > >>>>>
>> > >>>>> I was wondering if there is someone out there familiar enough with
>> > >> LDAP
>> > >>>>> and has a setup they can test this stuff out with, provide
>> feedback,
>> > >> and
>> > >>>>> help
>> > >>>>> improve the documentation for FreeBSD?
>> > >>>>
>> > >>>> Looks like it would be a fun weekend project.  I've cc'ed a
>> potential
>> > >>>> person who may be interested in this as well.
>> > >>>>
>> > >>>> But will this worth the effort? (I think the current implementation
>> > >>>> would do everything with plaintext protocol over wire, so while it
>> > >>>> extends life for legacy applications that are still using NIS/YP,
>> it
>> > >>>> doesn't seem to be something that we should recommend end user to
>> > use?)
>> > >>>>
>> > >>>
>> > >>> I can see two good point to use ypldap that would be basically for
>> > users
>> > >>> that needs to migrate from NIS to LDAP or need to make some
>> integration
>> > >>> between legacy(NIS) and LDAP during a transition period to LDAP.
>> > >>>
>> > >>> As mentioned, NIS is 'plain text' not safe by its nature, however
>> there
>> > >> are
>> > >>> still lots of people out there using NIS, and ypldap(8) is a good
>> tool
>> > to
>> > >>> help these people migrate to a more safe tool like LDAP.
>> > >>>
>> > >>>
>> > >>>>
>> > >>>>> I would also be interested in hearing from someone who can see if
>> > >>>>> ypldap can work against a Microsoft Active Directory setup?
>> > >>>>
>> > >>>> Cheers,
>> > >>>>
>> > >>>>
>> > >>> All my tests were using OpenLDAP, I used the OpenBSD documentation
>> to
>> > >> setup
>> > >>> everything, and the file share/examples/ypldap/ypldap.conf can be a
>> > good
>> > >>> start to anybody that wants to start to work with ypldap(8).
>> > >>>
>> > >>> Would be nice hear from other users how was their experience using
>> > ypldap
>> > >>> with MS Active Directory and perhaps some HOWTO how they made all
>> the
>> > >> setup
>> > >>> would be amazing to have.
>> > >>>
>> > >>> Also, would be useful to know who are still using NIS and what kind
>> of
>> > >>> setup(user case), maybe even the reason why they are still using it.
>> > >>
>> > >> Honestly, I think the best way to motivate people to do the right
>> > thing(tm)
>> > >> Would be to remove Yellow Pages from the tree, entirely. :-)
>> > >> It's been dead for *years*, and as you say, isn't safe, anyway..
>> > >>
>> > >
>> > > Yes, I have a plan for that, but I don't believe it will happens
>> before
>> > > FreeBSD 12-RELEASE.
>> > >
>> >
>> > Please don't, at least for now. NIS is fast, simple, reliable, and works
>> > on first boot without additional software. I have passwords in
>> > Kerberos, so the usual cons doesn't apply. This is very valuable to me.
>> >
>> > It's not hurting anyone. What's the motivation behind removing it?
>>
>
>
> Removing NIS is a BAD idea, there are still plenty of people that use it,
> and plenty of businesses rely on it, I still hear people asking for it
>
>
>
>> >
>> > >
>> > >>
>> > >> --Chris
>> > >>>
>> > >>>
>> > >>> Best,
>> > >>> --
>> > >>>
>> > >>> --
>> > >>> Marcelo Araujo            (__)araujo_at_FreeBSD.org
>> > >>> \\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>   \/  \ ^
>> > >>> Power To Server.         .\. /_)
>> > >>> _______________________________________________
>> > >>> freebsd-current_at_freebsd.org mailing list
>> > >>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>> > >>> To unsubscribe, send any mail to "
>> > >> freebsd-current-unsubscribe_at_freebsd.org"
>> > >>
>> > >>
>> > >> _______________________________________________
>> > >> freebsd-current_at_freebsd.org mailing list
>> > >> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>> > >> To unsubscribe, send any mail to "
>> > freebsd-current-unsubscribe_at_freebsd.org"
>> > >>
>> > >
>> > >
>> > >
>> >
>> > _______________________________________________
>> > freebsd-current_at_freebsd.org mailing list
>> > https://lists.freebsd.org/mailman/listinfo/freebsd-current
>> > To unsubscribe, send any mail to "
>> freebsd-current-unsubscribe_at_freebsd.org"
>> >
>>
>>
>>
>> --
>>
>> --
>> Marcelo Araujo            (__)araujo_at_FreeBSD.org
>> \\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>   \/  \ ^
>> Power To Server.         .\. /_)
>> _______________________________________________
>> freebsd-current_at_freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org
>> "
>>
>
>


-- 

-- 
Marcelo Araujo            (__)araujo_at_FreeBSD.org
\\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>   \/  \ ^
Power To Server.         .\. /_)
Received on Thu Jun 16 2016 - 00:54:06 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:05 UTC