On 18/06/16 17:15, Alan Somers wrote: > On Thu, Jun 16, 2016 at 7:20 AM, Chris H <bsd-lists_at_bsdforge.com> wrote: >> On Wed, 15 Jun 2016 08:03:55 -0400 Nikolai Lifanov <lifanov_at_mail.lifanov.com> >> wrote >> >>> On 06/14/2016 21:05, Marcelo Araujo wrote: >>>> 2016-06-15 8:17 GMT+08:00 Chris H <bsd-lists_at_bsdforge.com>: >>>> >>>>> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo <araujobsdport_at_gmail.com> >>>>> wrote >>>>> >>>>>> Hey, >>>>>> >>>>>> Thanks for the CFT Craig. >>>>>> >>>>>> 2016-06-09 14:41 GMT+08:00 Xin Li <delphij_at_delphij.net>: >>>>>> >>>>>>> >>>>>>> >>>>>>> On 6/8/16 23:10, Craig Rodrigues wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD >>>>>>>> current. >>>>>>>> >>>>>>>> In latest current, it should be possible to put in /etc/rc.conf: >>>>>>>> >>>>>>>> nis_ypldap_enable="YES" >>>>>>>> to activate the ypldap daemon. >>>>>>>> >>>>>>>> When set up properly, it should be possible to log into FreeBSD, and >>>>> have >>>>>>>> the backend password database come from an LDAP database such >>>>>>>> as OpenLDAP >>>>>>>> >>>>>>>> There is some documentation for setting this up, but it is OpenBSD >>>>>>> specific: >>>>>>>> >>>>>>>> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client >>>>>>>> http://puffysecurity.com/wiki/ypldap.html#2 >>>>>>>> >>>>>>>> I did not bother porting the OpenBSD LDAP server to FreeBSD, so that >>>>>>>> information >>>>>>>> does not apply. I figure that openldap from ports should work fine. >>>>>>>> >>>>>>>> I was wondering if there is someone out there familiar enough with >>>>> LDAP >>>>>>>> and has a setup they can test this stuff out with, provide feedback, >>>>> and >>>>>>>> help >>>>>>>> improve the documentation for FreeBSD? >>>>>>> >>>>>>> Looks like it would be a fun weekend project. I've cc'ed a potential >>>>>>> person who may be interested in this as well. >>>>>>> >>>>>>> But will this worth the effort? (I think the current implementation >>>>>>> would do everything with plaintext protocol over wire, so while it >>>>>>> extends life for legacy applications that are still using NIS/YP, it >>>>>>> doesn't seem to be something that we should recommend end user to use?) >>>>>>> >>>>>> >>>>>> I can see two good point to use ypldap that would be basically for users >>>>>> that needs to migrate from NIS to LDAP or need to make some integration >>>>>> between legacy(NIS) and LDAP during a transition period to LDAP. >>>>>> >>>>>> As mentioned, NIS is 'plain text' not safe by its nature, however there >>>>> are >>>>>> still lots of people out there using NIS, and ypldap(8) is a good tool to >>>>>> help these people migrate to a more safe tool like LDAP. >>>>>> >>>>>> >>>>>>> >>>>>>>> I would also be interested in hearing from someone who can see if >>>>>>>> ypldap can work against a Microsoft Active Directory setup? >>>>>>> >>>>>>> Cheers, >>>>>>> >>>>>>> >>>>>> All my tests were using OpenLDAP, I used the OpenBSD documentation to >>>>> setup >>>>>> everything, and the file share/examples/ypldap/ypldap.conf can be a good >>>>>> start to anybody that wants to start to work with ypldap(8). >>>>>> >>>>>> Would be nice hear from other users how was their experience using ypldap >>>>>> with MS Active Directory and perhaps some HOWTO how they made all the >>>>> setup >>>>>> would be amazing to have. >>>>>> >>>>>> Also, would be useful to know who are still using NIS and what kind of >>>>>> setup(user case), maybe even the reason why they are still using it. >>>>> >>>>> Honestly, I think the best way to motivate people to do the right >>>>> thing(tm) Would be to remove Yellow Pages from the tree, entirely. :-) >>>>> It's been dead for *years*, and as you say, isn't safe, anyway.. >>>>> >>>> >>>> Yes, I have a plan for that, but I don't believe it will happens before >>>> FreeBSD 12-RELEASE. >>>> >>> >>> Please don't, at least for now. NIS is fast, simple, reliable, and works >>> on first boot without additional software. I have passwords in >>> Kerberos, so the usual cons doesn't apply. This is very valuable to me. >>> >>> It's not hurting anyone. What's the motivation behind removing it? >> >> In all honesty, my comment was somewhat tongue-in-cheek. But from >> a purely maintenance POV, at this point in time. I think the Yellow >> Pages are better suited for the ports tree, than in $BASE. >> > > It will be hard to wean people off of NIS as long as KGSSAPI is > disabled in GENERIC. Does anybody know why it isn't enabled by > default? Because it's just a `kldload kgssapi` away. Put it in loader.conf or rc.conf depending on your needs/preferences.Received on Tue Jun 21 2016 - 13:55:22 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:06 UTC