[CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

Chris H bsd-lists at bsdforge.com
Wed Jun 15 00:17:19 UTC 2016 

On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo <araujobsdport at gmail.com>
wrote

> Hey,
> 
> Thanks for the CFT Craig.
> 
> 2016-06-09 14:41 GMT+08:00 Xin Li <delphij at delphij.net>:
> 
> >
> >
> > On 6/8/16 23:10, Craig Rodrigues wrote:
> > > Hi,
> > >
> > > I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
> > > current.
> > >
> > > In latest current, it should be possible to put in /etc/rc.conf:
> > >
> > > nis_ypldap_enable="YES"
> > > to activate the ypldap daemon.
> > >
> > > When set up properly, it should be possible to log into FreeBSD, and have
> > > the backend password database come from an LDAP database such
> > > as OpenLDAP
> > >
> > > There is some documentation for setting this up, but it is OpenBSD
> > specific:
> > >
> > > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> > > http://puffysecurity.com/wiki/ypldap.html#2
> > >
> > > I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
> > > information
> > > does not apply.  I figure that openldap from ports should work fine.
> > >
> > > I was wondering if there is someone out there familiar enough with LDAP
> > > and has a setup they can test this stuff out with, provide feedback, and
> > > help
> > > improve the documentation for FreeBSD?
> >
> > Looks like it would be a fun weekend project.  I've cc'ed a potential
> > person who may be interested in this as well.
> >
> > But will this worth the effort? (I think the current implementation
> > would do everything with plaintext protocol over wire, so while it
> > extends life for legacy applications that are still using NIS/YP, it
> > doesn't seem to be something that we should recommend end user to use?)
> >
> 
> I can see two good point to use ypldap that would be basically for users
> that needs to migrate from NIS to LDAP or need to make some integration
> between legacy(NIS) and LDAP during a transition period to LDAP.
> 
> As mentioned, NIS is 'plain text' not safe by its nature, however there are
> still lots of people out there using NIS, and ypldap(8) is a good tool to
> help these people migrate to a more safe tool like LDAP.
> 
> 
> >
> > > I would also be interested in hearing from someone who can see if
> > > ypldap can work against a Microsoft Active Directory setup?
> >
> > Cheers,
> >
> >
> All my tests were using OpenLDAP, I used the OpenBSD documentation to setup
> everything, and the file share/examples/ypldap/ypldap.conf can be a good
> start to anybody that wants to start to work with ypldap(8).
> 
> Would be nice hear from other users how was their experience using ypldap
> with MS Active Directory and perhaps some HOWTO how they made all the setup
> would be amazing to have.
> 
> Also, would be useful to know who are still using NIS and what kind of
> setup(user case), maybe even the reason why they are still using it.

Honestly, I think the best way to motivate people to do the right thing(tm)
Would be to remove Yellow Pages from the tree, entirely. :-)
It's been dead for *years*, and as you say, isn't safe, anyway..

--Chris
> 
> 
> Best,
> -- 
> 
> -- 
> Marcelo Araujo            (__)araujo at FreeBSD.org
> \\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>   \/  \ ^
> Power To Server.         .\. /_)
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"

More information about the freebsd-current mailing list