https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281013
Bug ID: 281013
Summary: ypldap.conf does not permit an alternate port number for the LDAP server
Product: Base System
Version: 14.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: [email protected]
Reporter: [email protected]
Created attachment 253041
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=253041&action=edit
Patch to /usr/src/usr.sbin/ypldap, against git commit
deb948cd8dc2efb341ce96e1b7a56c9fbc662ba1
In ypldap.conf, the LDAP server is specified by a line:

    directory "some.host" {
        # directives
    }

This does not allow one to specify an LDAP server running on a different port
(for example a test server). Also, ypldap will produce BSD-style passwd lines
which (see passwd(5)) include class, change and expire fields, which some
clients (e.g. Linux clients) don't expect.
I attach a patch which addresses both:
* It adds an optional 'port <NNN>' to this LDAP server specification.
* It adds a clause 'attribute <attname> omit' to omit certain attributes from
the constructed responses.
Notes:
* The original grammar in parse.y includes an optional 'port "<NNN>"'
specification, giving the port number within a string, but neither implementing
nor documenting this. I've implemented this as above, but switched to a number
rather than a string.
* The current OpenBSD ypldap.conf [1] includes a similar optional port
specification, as well as a 'tls' flag.
* The current OpenBSD implementation seems to be ahead of the FreeBSD one.
This patch works for me in testing, but I have *not* deployed it to production,
since in the course of testing, I encountered the behaviour I have logged as
bug #281012.
My motivation for this was to ease the transition of some machines from NIS to
LDAP, by using ypldap as an intermediate step. I'm probably now going to find
a Plan B; I therefore don't expect to be developing this further, but for what
it's worth, I offer it here.
[1] https://man.openbsd.org/ypldap.conf
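
The effect on the line format of omitting the class, change and expire fields, as an added example that is not part of the report or of the attached patch. The function name and sample lines are constructed here; the 10-field layout is the one documented in FreeBSD's passwd(5).

```c
#include <stdio.h>
#include <string.h>

#define BSD_FIELDS 10  /* name:passwd:uid:gid:class:change:expire:gecos:home:shell */
#define V7_FIELDS   7  /* name:passwd:uid:gid:gecos:home:shell */

/*
 * Hypothetical helper: rewrite one passwd map value into the 7-field form.
 * A 10-field line loses class, change and expire; a 7-field line is copied.
 * Returns 0 on success, -1 on any other field count or a too-small buffer.
 */
int
passwd_omit_bsd_fields(const char *line, char *out, size_t outlen)
{
	const char *start[BSD_FIELDS], *p = line;
	size_t len[BSD_FIELDS], n = 0, used = 0;
	int emitted = 0;

	/* Split on ':' by hand so that empty fields (often class) still count. */
	for (;;) {
		const char *colon = strchr(p, ':');
		if (n == BSD_FIELDS)
			return -1;		/* more than 10 fields */
		start[n] = p;
		len[n] = colon ? (size_t)(colon - p) : strcspn(p, "\n");
		n++;
		if (colon == NULL)
			break;
		p = colon + 1;
	}
	if (n != BSD_FIELDS && n != V7_FIELDS)
		return -1;

	for (size_t i = 0; i < n; i++) {
		/* Indexes 4..6 are class, change and expire in the BSD layout. */
		if (n == BSD_FIELDS && i >= 4 && i <= 6)
			continue;
		if (used + len[i] + 2 > outlen)	/* ':' + field + NUL */
			return -1;
		if (emitted++)
			out[used++] = ':';
		memcpy(out + used, start[i], len[i]);
		used += len[i];
	}
	out[used] = '\0';
	return 0;
}
```

Rejecting any field count other than 10 or 7 keeps a malformed map entry from being shifted so that, for example, a gecos string lands in the home or shell position on the client.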