Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

From: Jan Bramkamp <crest_at_rlwinm.de>
Date: Tue, 21 Jun 2016 17:55:11 +0200
On 18/06/16 17:15, Alan Somers wrote:
> On Thu, Jun 16, 2016 at 7:20 AM, Chris H <bsd-lists_at_bsdforge.com> wrote:
>> On Wed, 15 Jun 2016 08:03:55 -0400 Nikolai Lifanov <lifanov_at_mail.lifanov.com>
>> wrote
>>
>>> On 06/14/2016 21:05, Marcelo Araujo wrote:
>>>> 2016-06-15 8:17 GMT+08:00 Chris H <bsd-lists_at_bsdforge.com>:
>>>>
>>>>> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo <araujobsdport_at_gmail.com>
>>>>> wrote
>>>>>
>>>>>> Hey,
>>>>>>
>>>>>> Thanks for the CFT Craig.
>>>>>>
>>>>>> 2016-06-09 14:41 GMT+08:00 Xin Li <delphij_at_delphij.net>:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 6/8/16 23:10, Craig Rodrigues wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
>>>>>>>> current.
>>>>>>>>
>>>>>>>> In latest current, it should be possible to put in /etc/rc.conf:
>>>>>>>>
>>>>>>>> nis_ypldap_enable="YES"
>>>>>>>> to activate the ypldap daemon.
>>>>>>>>
>>>>>>>> When set up properly, it should be possible to log into FreeBSD, and
>>>>>>>> have the backend password database come from an LDAP database such
>>>>>>>> as OpenLDAP
>>>>>>>>
>>>>>>>> There is some documentation for setting this up, but it is OpenBSD
>>>>>>>> specific:
>>>>>>>>
>>>>>>>> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
>>>>>>>> http://puffysecurity.com/wiki/ypldap.html#2
>>>>>>>>
>>>>>>>> I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
>>>>>>>> information does not apply.  I figure that openldap from ports should
>>>>>>>> work fine.
>>>>>>>>
>>>>>>>> I was wondering if there is someone out there familiar enough with
>>>>>>>> LDAP and has a setup they can test this stuff out with, provide
>>>>>>>> feedback, and help improve the documentation for FreeBSD?
>>>>>>>
>>>>>>> Looks like it would be a fun weekend project.  I've cc'ed a potential
>>>>>>> person who may be interested in this as well.
>>>>>>>
>>>>>>> But will this be worth the effort? (I think the current implementation
>>>>>>> would do everything with a plaintext protocol over the wire, so while it
>>>>>>> extends life for legacy applications that are still using NIS/YP, it
>>>>>>> doesn't seem to be something that we should recommend end users use?)
>>>>>>>
>>>>>>
>>>>>> I can see two good points to use ypldap, which would basically be for users
>>>>>> that need to migrate from NIS to LDAP or need to make some integration
>>>>>> between legacy (NIS) and LDAP during a transition period to LDAP.
>>>>>>
>>>>>> As mentioned, NIS is 'plain text', not safe by its nature, however there
>>>>>> are still lots of people out there using NIS, and ypldap(8) is a good tool
>>>>>> to help these people migrate to a safer tool like LDAP.
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>> I would also be interested in hearing from someone who can see if
>>>>>>>> ypldap can work against a Microsoft Active Directory setup?
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>>
>>>>>> All my tests were using OpenLDAP, I used the OpenBSD documentation to
>>>>>> set up everything, and the file share/examples/ypldap/ypldap.conf can be
>>>>>> a good start to anybody that wants to start to work with ypldap(8).
>>>>>>
>>>>>> It would be nice to hear from other users how their experience was using
>>>>>> ypldap with MS Active Directory, and perhaps a HOWTO on how they made the
>>>>>> whole setup would be amazing to have.
>>>>>>
>>>>>> Also, it would be useful to know who is still using NIS and what kind of
>>>>>> setup (use case), maybe even the reason why they are still using it.
>>>>>
>>>>> Honestly, I think the best way to motivate people to do the right
>>>>> thing(tm) would be to remove Yellow Pages from the tree, entirely. :-)
>>>>> It's been dead for *years*, and as you say, isn't safe, anyway..
>>>>>
>>>>
>>>> Yes, I have a plan for that, but I don't believe it will happen before
>>>> FreeBSD 12-RELEASE.
>>>>
>>>
>>> Please don't, at least for now. NIS is fast, simple, reliable, and works
>>> on first boot without additional software. I have passwords in
>>> Kerberos, so the usual cons don't apply. This is very valuable to me.
>>>
>>> It's not hurting anyone. What's the motivation behind removing it?
>>
>> In all honesty, my comment was somewhat tongue-in-cheek. But from
>> a purely maintenance POV, at this point in time, I think the Yellow
>> Pages are better suited for the ports tree than for $BASE.
>>
>
> It will be hard to wean people off of NIS as long as KGSSAPI is
> disabled in GENERIC.  Does anybody know why it isn't enabled by
> default?

Because it's just a `kldload kgssapi` away. Put it in loader.conf or 
rc.conf depending on your needs/preferences.
Received on Tue Jun 21 2016 - 13:55:22 UTC