Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-08-05 Thread Harry Schmalzbauer
 Regarding Jan Bramkamp's message of 13.06.2016 14:46 (localtime):
>
>
> On 10/06/16 16:29, Peter Wemm wrote:
>> On 6/9/16 6:49 PM, Matthew Seaman wrote:
>>> On 09/06/2016 18:34, Craig Rodrigues wrote:
>>>> There is still value to ypldap as it is now, and getting feedback from
>>>> users (especially Active Directory) would be very useful.
>>>> If someone could document a configuration which uses IPSEC or OpenSSH
>>>> forwarding, that would be nice.
>>>>
>>>> In future, maybe someone in OpenBSD or FreeBSD will implement things
>>>> like
>>>> LDAP over SSL.
>>>
>>> What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
>>> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
>>> transit, and I find it works very well for using OpenLDAP as a central
>>> account database. I believe it works with AD, but haven't tried that
>>> myself.
>>>
>>> Cheers,
>>>
>>> Matthew
>>>
>>>
>>
>> We used nss-pam-ldapd quite successfully in the freebsd.org cluster
>> during our transition away from YP/NIS, for what it's worth.
>
> Did you try the OpenLDAP nssov overlay? It replaces nslcd by
> reimplementing the protocol spoken between nslcd and nss_ldap/pam_ldap
> directly inside slapd. This allows slapd to cache or replicate the
> data locally without resorting to the broken nscd.

Hello,

I was curious, so I made a patchset which adds an NSSOV config option to
net/openldap24-server.

Unfortunately I'm not getting results :(

I decided to compile nssov.la with -DNSLCD_SOCKET=/var/run/nscld.ctl –
the same as defined for net/nss-pam-ldapd.
Just for testing; I will consider reverting that because slapd drops
privileges before creating the socket, so ldap needs write access to
/var/run...

Starting nslcd makes 'id ldapuser' return correct results.
Stopping nslcd and starting slapd (with verified configuration –
ldapsearch works as expected) just doesn't utilize slapd at all,
according to the logs.

Have you compiled the nss_ldap library from
contrib/slapd-modules/nssov/nss-pam-ldapd/ or do you also use the port?

Thanks for hints,

-harry


___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
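A quick diagnostic for the situation Harry describes above (lookups work only while nslcd holds the socket, and nothing reaches slapd once nssov is supposed to own it), added here as an example and not code from the thread, from OpenLDAP or from nss-pam-ldapd. It checks whether anything is actually accepting connections at the socket path the client library was built for, and whether the uid the daemon drops to is allowed to create a file in that socket's directory, which is the permission problem Harry mentions for /var/run. The socket path is a parameter; the demo listens on a throwaway socket under a temporary directory rather than touching /var/run, and the path name `nslcd.ctl` in the demo is a constructed placeholder.

```python
"""Diagnose the Unix socket that nss_ldap/pam_ldap connect to.

Added example; assumes nothing about the real build beyond the fact that
the client library opens a Unix stream socket at a compiled-in path.
"""
import os
import socket
import stat
import tempfile


def dir_writable_by(path, uid, gids):
    """POSIX mode-bit check: may a process running as uid/gids create an
    entry in directory `path`?  Needs write and search bits; root always may.
    This is the check that matters when slapd drops privileges before it
    binds the socket."""
    st = os.stat(path)
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR) and bool(mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP) and bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IWOTH) and bool(mode & stat.S_IXOTH)


def diagnose_socket(path, daemon_uid=None, daemon_gids=()):
    """Return a small report on the socket at `path`.

    accepting=True means a listener is really there (a client connect
    succeeds); a stale socket file left behind by a dead daemon shows
    exists=True but accepting=False.  world_connectable is expected for
    an NSS socket, since unprivileged processes do lookups too; it is
    reported only so the operator can see the mode that was set."""
    report = {
        "exists": False,
        "is_socket": False,
        "world_connectable": False,
        "accepting": False,
        "dir_writable_by_daemon": None,
    }
    parent = os.path.dirname(path) or "."
    if daemon_uid is not None and os.path.isdir(parent):
        report["dir_writable_by_daemon"] = dir_writable_by(
            parent, daemon_uid, set(daemon_gids))
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return report
    report["exists"] = True
    report["is_socket"] = stat.S_ISSOCK(st.st_mode)
    report["world_connectable"] = bool(st.st_mode & stat.S_IWOTH)
    if report["is_socket"]:
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client.settimeout(1.0)
        try:
            client.connect(path)
            report["accepting"] = True
        except OSError:
            pass  # ECONNREFUSED / EACCES: nobody (reachable) is listening
        finally:
            client.close()
    return report


def demo():
    """Constructed fixture: stand up a listener on a throwaway socket,
    diagnose it while live and again after it is gone."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "nslcd.ctl")  # placeholder name, not /var/run
    me, my_groups = os.getuid(), [os.getgid()]
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    try:
        live = diagnose_socket(path, daemon_uid=me, daemon_gids=my_groups)
    finally:
        srv.close()
        os.unlink(path)
    gone = diagnose_socket(path, daemon_uid=me, daemon_gids=my_groups)
    os.rmdir(tmp)
    return live, gone


if __name__ == "__main__":
    live, gone = demo()
    print("listener present:", live)
    print("listener removed:", gone)
```

Against a real host you would call `diagnose_socket("/var/run/<socket name>", daemon_uid=<uid slapd drops to>, daemon_gids=[...])`: `accepting=False` while slapd is running points at the socket path or the privilege drop, not at the LDAP configuration that `ldapsearch` already verified.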


Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-21 Thread Alan Somers
On Tue, Jun 21, 2016 at 9:55 AM, Jan Bramkamp  wrote:
> On 18/06/16 17:15, Alan Somers wrote:
>>
>> On Thu, Jun 16, 2016 at 7:20 AM, Chris H  wrote:
>>>
>>> On Wed, 15 Jun 2016 08:03:55 -0400 Nikolai Lifanov
>>> 
>>> wrote
>>>
 On 06/14/2016 21:05, Marcelo Araujo wrote:
>
> 2016-06-15 8:17 GMT+08:00 Chris H :
>
>> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo
>> 
>> wrote
>>
>>> Hey,
>>>
>>> Thanks for the CFT Craig.
>>>
>>> 2016-06-09 14:41 GMT+08:00 Xin Li :
>>>


 On 6/8/16 23:10, Craig Rodrigues wrote:
>
> Hi,
>
> I have worked with Marcelo Araujo to port OpenBSD's ypldap to
> FreeBSD
> current.
>
> In latest current, it should be possible to put in /etc/rc.conf:
>
> nis_ypldap_enable="YES"
> to activate the ypldap daemon.
>
> When set up properly, it should be possible to log into FreeBSD,
> and
>>
>> have
>
> the backend password database come from an LDAP database such
> as OpenLDAP
>
> There is some documentation for setting this up, but it is OpenBSD

 specific:
>
>
> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> http://puffysecurity.com/wiki/ypldap.html#2
>
> I did not bother porting the OpenBSD LDAP server to FreeBSD, so
> that
> information
> does not apply.  I figure that openldap from ports should work
> fine.
>
> I was wondering if there is someone out there familiar enough with
>>
>> LDAP
>
> and has a setup they can test this stuff out with, provide
> feedback,
>>
>> and
>
> help
> improve the documentation for FreeBSD?


 Looks like it would be a fun weekend project.  I've cc'ed a
 potential
 person who may be interested in this as well.

 But will this worth the effort? (I think the current implementation
 would do everything with plaintext protocol over wire, so while it
 extends life for legacy applications that are still using NIS/YP, it
 doesn't seem to be something that we should recommend end user to
 use?)

>>>
>>> I can see two good point to use ypldap that would be basically for
>>> users
>>> that needs to migrate from NIS to LDAP or need to make some
>>> integration
>>> between legacy(NIS) and LDAP during a transition period to LDAP.
>>>
>>> As mentioned, NIS is 'plain text' not safe by its nature, however
>>> there
>>
>> are
>>>
>>> still lots of people out there using NIS, and ypldap(8) is a good
>>> tool to
>>> help these people migrate to a more safe tool like LDAP.
>>>
>>>

> I would also be interested in hearing from someone who can see if
> ypldap can work against a Microsoft Active Directory setup?


 Cheers,


>>> All my tests were using OpenLDAP, I used the OpenBSD documentation to
>>
>> setup
>>>
>>> everything, and the file share/examples/ypldap/ypldap.conf can be a
>>> good
>>> start to anybody that wants to start to work with ypldap(8).
>>>
>>> Would be nice hear from other users how was their experience using
>>> ypldap
>>> with MS Active Directory and perhaps some HOWTO how they made all the
>>
>> setup
>>>
>>> would be amazing to have.
>>>
>>> Also, would be useful to know who are still using NIS and what kind
>>> of
>>> setup(user case), maybe even the reason why they are still using it.
>>
>>
>> Honestly, I think the best way to motivate people to do the right
>> thing(tm) Would be to remove Yellow Pages from the tree, entirely. :-)
>> It's been dead for *years*, and as you say, isn't safe, anyway..
>>
>
> Yes, I have a plan for that, but I don't believe it will happens before
> FreeBSD 12-RELEASE.
>

 Please don't, at least for now. NIS is fast, simple, reliable, and works
 on first boot without additional software. I have passwords in
 Kerberos, so the usual cons doesn't apply. This is very valuable to me.

 It's not hurting anyone. What's the motivation behind removing it?
>>>
>>>
>>> In all honesty, my comment was somewhat tongue-in-cheek. But from
>>> a purely maintenance POV, at this point in time. I think the Yellow
>>> Pages are better suited for the ports tree, than in $BASE.
>>>
>>
>> It will be hard to wean people off of NIS as long as KGSSAPI is
>> disabled in GENERIC.  Does anybody know why it isn't enabled by
>> default?
>
>
> Because it's just a `kldload kgssapi` away. Put it in loader.conf or rc.conf
> depending on your needs/preferences.

Thanks Jan.  I didn

Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-21 Thread Jan Bramkamp

On 18/06/16 17:15, Alan Somers wrote:

On Thu, Jun 16, 2016 at 7:20 AM, Chris H  wrote:

On Wed, 15 Jun 2016 08:03:55 -0400 Nikolai Lifanov 
wrote


On 06/14/2016 21:05, Marcelo Araujo wrote:

2016-06-15 8:17 GMT+08:00 Chris H :


On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo 
wrote


Hey,

Thanks for the CFT Craig.

2016-06-09 14:41 GMT+08:00 Xin Li :




On 6/8/16 23:10, Craig Rodrigues wrote:

Hi,

I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
current.

In latest current, it should be possible to put in /etc/rc.conf:

nis_ypldap_enable="YES"
to activate the ypldap daemon.

When set up properly, it should be possible to log into FreeBSD, and

have

the backend password database come from an LDAP database such
as OpenLDAP

There is some documentation for setting this up, but it is OpenBSD

specific:


http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
http://puffysecurity.com/wiki/ypldap.html#2

I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
information
does not apply.  I figure that openldap from ports should work fine.

I was wondering if there is someone out there familiar enough with

LDAP

and has a setup they can test this stuff out with, provide feedback,

and

help
improve the documentation for FreeBSD?


Looks like it would be a fun weekend project.  I've cc'ed a potential
person who may be interested in this as well.

But will this worth the effort? (I think the current implementation
would do everything with plaintext protocol over wire, so while it
extends life for legacy applications that are still using NIS/YP, it
doesn't seem to be something that we should recommend end user to use?)



I can see two good point to use ypldap that would be basically for users
that needs to migrate from NIS to LDAP or need to make some integration
between legacy(NIS) and LDAP during a transition period to LDAP.

As mentioned, NIS is 'plain text' not safe by its nature, however there

are

still lots of people out there using NIS, and ypldap(8) is a good tool to
help these people migrate to a more safe tool like LDAP.





I would also be interested in hearing from someone who can see if
ypldap can work against a Microsoft Active Directory setup?


Cheers,



All my tests were using OpenLDAP, I used the OpenBSD documentation to

setup

everything, and the file share/examples/ypldap/ypldap.conf can be a good
start to anybody that wants to start to work with ypldap(8).

Would be nice hear from other users how was their experience using ypldap
with MS Active Directory and perhaps some HOWTO how they made all the

setup

would be amazing to have.

Also, would be useful to know who are still using NIS and what kind of
setup(user case), maybe even the reason why they are still using it.


Honestly, I think the best way to motivate people to do the right
thing(tm) Would be to remove Yellow Pages from the tree, entirely. :-)
It's been dead for *years*, and as you say, isn't safe, anyway..



Yes, I have a plan for that, but I don't believe it will happens before
FreeBSD 12-RELEASE.



Please don't, at least for now. NIS is fast, simple, reliable, and works
on first boot without additional software. I have passwords in
Kerberos, so the usual cons doesn't apply. This is very valuable to me.

It's not hurting anyone. What's the motivation behind removing it?


In all honesty, my comment was somewhat tongue-in-cheek. But from
a purely maintenance POV, at this point in time. I think the Yellow
Pages are better suited for the ports tree, than in $BASE.



It will be hard to wean people off of NIS as long as KGSSAPI is
disabled in GENERIC.  Does anybody know why it isn't enabled by
default?


Because it's just a `kldload kgssapi` away. Put it in loader.conf or 
rc.conf depending on your needs/preferences.



Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-18 Thread Alan Somers
On Thu, Jun 16, 2016 at 7:20 AM, Chris H  wrote:
> On Wed, 15 Jun 2016 08:03:55 -0400 Nikolai Lifanov 
> wrote
>
>> On 06/14/2016 21:05, Marcelo Araujo wrote:
>> > 2016-06-15 8:17 GMT+08:00 Chris H :
>> >
>> >> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo 
>> >> wrote
>> >>
>> >>> Hey,
>> >>>
>> >>> Thanks for the CFT Craig.
>> >>>
>> >>> 2016-06-09 14:41 GMT+08:00 Xin Li :
>> >>>
>> 
>> 
>>  On 6/8/16 23:10, Craig Rodrigues wrote:
>> > Hi,
>> >
>> > I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
>> > current.
>> >
>> > In latest current, it should be possible to put in /etc/rc.conf:
>> >
>> > nis_ypldap_enable="YES"
>> > to activate the ypldap daemon.
>> >
>> > When set up properly, it should be possible to log into FreeBSD, and
>> >> have
>> > the backend password database come from an LDAP database such
>> > as OpenLDAP
>> >
>> > There is some documentation for setting this up, but it is OpenBSD
>>  specific:
>> >
>> > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
>> > http://puffysecurity.com/wiki/ypldap.html#2
>> >
>> > I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
>> > information
>> > does not apply.  I figure that openldap from ports should work fine.
>> >
>> > I was wondering if there is someone out there familiar enough with
>> >> LDAP
>> > and has a setup they can test this stuff out with, provide feedback,
>> >> and
>> > help
>> > improve the documentation for FreeBSD?
>> 
>>  Looks like it would be a fun weekend project.  I've cc'ed a potential
>>  person who may be interested in this as well.
>> 
>>  But will this worth the effort? (I think the current implementation
>>  would do everything with plaintext protocol over wire, so while it
>>  extends life for legacy applications that are still using NIS/YP, it
>>  doesn't seem to be something that we should recommend end user to use?)
>> 
>> >>>
>> >>> I can see two good point to use ypldap that would be basically for users
>> >>> that needs to migrate from NIS to LDAP or need to make some integration
>> >>> between legacy(NIS) and LDAP during a transition period to LDAP.
>> >>>
>> >>> As mentioned, NIS is 'plain text' not safe by its nature, however there
>> >> are
>> >>> still lots of people out there using NIS, and ypldap(8) is a good tool to
>> >>> help these people migrate to a more safe tool like LDAP.
>> >>>
>> >>>
>> 
>> > I would also be interested in hearing from someone who can see if
>> > ypldap can work against a Microsoft Active Directory setup?
>> 
>>  Cheers,
>> 
>> 
>> >>> All my tests were using OpenLDAP, I used the OpenBSD documentation to
>> >> setup
>> >>> everything, and the file share/examples/ypldap/ypldap.conf can be a good
>> >>> start to anybody that wants to start to work with ypldap(8).
>> >>>
>> >>> Would be nice hear from other users how was their experience using ypldap
>> >>> with MS Active Directory and perhaps some HOWTO how they made all the
>> >> setup
>> >>> would be amazing to have.
>> >>>
>> >>> Also, would be useful to know who are still using NIS and what kind of
>> >>> setup(user case), maybe even the reason why they are still using it.
>> >>
>> >> Honestly, I think the best way to motivate people to do the right
>> >> thing(tm) Would be to remove Yellow Pages from the tree, entirely. :-)
>> >> It's been dead for *years*, and as you say, isn't safe, anyway..
>> >>
>> >
>> > Yes, I have a plan for that, but I don't believe it will happens before
>> > FreeBSD 12-RELEASE.
>> >
>>
>> Please don't, at least for now. NIS is fast, simple, reliable, and works
>> on first boot without additional software. I have passwords in
>> Kerberos, so the usual cons doesn't apply. This is very valuable to me.
>>
>> It's not hurting anyone. What's the motivation behind removing it?
>
> In all honesty, my comment was somewhat tongue-in-cheek. But from
> a purely maintenance POV, at this point in time. I think the Yellow
> Pages are better suited for the ports tree, than in $BASE.
>

It will be hard to wean people off of NIS as long as KGSSAPI is
disabled in GENERIC.  Does anybody know why it isn't enabled by
default?

-Alan


Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-16 Thread Chris H
On Wed, 15 Jun 2016 08:03:55 -0400 Nikolai Lifanov 
wrote

> On 06/14/2016 21:05, Marcelo Araujo wrote:
> > 2016-06-15 8:17 GMT+08:00 Chris H :
> > 
> >> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo 
> >> wrote
> >>
> >>> Hey,
> >>>
> >>> Thanks for the CFT Craig.
> >>>
> >>> 2016-06-09 14:41 GMT+08:00 Xin Li :
> >>>
> 
> 
>  On 6/8/16 23:10, Craig Rodrigues wrote:
> > Hi,
> >
> > I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
> > current.
> >
> > In latest current, it should be possible to put in /etc/rc.conf:
> >
> > nis_ypldap_enable="YES"
> > to activate the ypldap daemon.
> >
> > When set up properly, it should be possible to log into FreeBSD, and
> >> have
> > the backend password database come from an LDAP database such
> > as OpenLDAP
> >
> > There is some documentation for setting this up, but it is OpenBSD
>  specific:
> >
> > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> > http://puffysecurity.com/wiki/ypldap.html#2
> >
> > I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
> > information
> > does not apply.  I figure that openldap from ports should work fine.
> >
> > I was wondering if there is someone out there familiar enough with
> >> LDAP
> > and has a setup they can test this stuff out with, provide feedback,
> >> and
> > help
> > improve the documentation for FreeBSD?
> 
>  Looks like it would be a fun weekend project.  I've cc'ed a potential
>  person who may be interested in this as well.
> 
>  But will this worth the effort? (I think the current implementation
>  would do everything with plaintext protocol over wire, so while it
>  extends life for legacy applications that are still using NIS/YP, it
>  doesn't seem to be something that we should recommend end user to use?)
> 
> >>>
> >>> I can see two good point to use ypldap that would be basically for users
> >>> that needs to migrate from NIS to LDAP or need to make some integration
> >>> between legacy(NIS) and LDAP during a transition period to LDAP.
> >>>
> >>> As mentioned, NIS is 'plain text' not safe by its nature, however there
> >> are
> >>> still lots of people out there using NIS, and ypldap(8) is a good tool to
> >>> help these people migrate to a more safe tool like LDAP.
> >>>
> >>>
> 
> > I would also be interested in hearing from someone who can see if
> > ypldap can work against a Microsoft Active Directory setup?
> 
>  Cheers,
> 
> 
> >>> All my tests were using OpenLDAP, I used the OpenBSD documentation to
> >> setup
> >>> everything, and the file share/examples/ypldap/ypldap.conf can be a good
> >>> start to anybody that wants to start to work with ypldap(8).
> >>>
> >>> Would be nice hear from other users how was their experience using ypldap
> >>> with MS Active Directory and perhaps some HOWTO how they made all the
> >> setup
> >>> would be amazing to have.
> >>>
> >>> Also, would be useful to know who are still using NIS and what kind of
> >>> setup(user case), maybe even the reason why they are still using it.
> >>
> >> Honestly, I think the best way to motivate people to do the right
> >> thing(tm) Would be to remove Yellow Pages from the tree, entirely. :-)
> >> It's been dead for *years*, and as you say, isn't safe, anyway..
> >>
> > 
> > Yes, I have a plan for that, but I don't believe it will happens before
> > FreeBSD 12-RELEASE.
> > 
> 
> Please don't, at least for now. NIS is fast, simple, reliable, and works
> on first boot without additional software. I have passwords in
> Kerberos, so the usual cons doesn't apply. This is very valuable to me.
> 
> It's not hurting anyone. What's the motivation behind removing it?

In all honesty, my comment was somewhat tongue-in-cheek. But from
a purely maintenance POV, at this point in time, I think the Yellow
Pages are better suited to the ports tree than to $BASE.

--Chris
> 
> > 
> >>
> >> --Chris
> >>>
> >>>
> >>> Best,
> >>> --
> >>>
> >>> --
> >>> Marcelo Araujo(__)ara...@freebsd.org




Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-15 Thread Marcelo Araujo
I hear that too!!! And that is why we are having this talk here around ypldap.

Best,

2016-06-16 10:50 GMT+08:00 Outback Dingo :

>
>
> On Wed, Jun 15, 2016 at 10:15 PM, Marcelo Araujo 
> wrote:
>
>> No worries Nikolai! If one day I will do it, will be on 12-RELEASE.
>>
>> Br,
>>
>> 2016-06-15 20:03 GMT+08:00 Nikolai Lifanov :
>>
>> > On 06/14/2016 21:05, Marcelo Araujo wrote:
>> > > 2016-06-15 8:17 GMT+08:00 Chris H :
>> > >
>> > >> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo <
>> > araujobsdp...@gmail.com>
>> > >> wrote
>> > >>
>> > >>> Hey,
>> > >>>
>> > >>> Thanks for the CFT Craig.
>> > >>>
>> > >>> 2016-06-09 14:41 GMT+08:00 Xin Li :
>> > >>>
>> > 
>> > 
>> >  On 6/8/16 23:10, Craig Rodrigues wrote:
>> > > Hi,
>> > >
>> > > I have worked with Marcelo Araujo to port OpenBSD's ypldap to
>> FreeBSD
>> > > current.
>> > >
>> > > In latest current, it should be possible to put in /etc/rc.conf:
>> > >
>> > > nis_ypldap_enable="YES"
>> > > to activate the ypldap daemon.
>> > >
>> > > When set up properly, it should be possible to log into FreeBSD,
>> and
>> > >> have
>> > > the backend password database come from an LDAP database such
>> > > as OpenLDAP
>> > >
>> > > There is some documentation for setting this up, but it is OpenBSD
>> >  specific:
>> > >
>> > > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
>> > > http://puffysecurity.com/wiki/ypldap.html#2
>> > >
>> > > I did not bother porting the OpenBSD LDAP server to FreeBSD, so
>> that
>> > > information
>> > > does not apply.  I figure that openldap from ports should work
>> fine.
>> > >
>> > > I was wondering if there is someone out there familiar enough with
>> > >> LDAP
>> > > and has a setup they can test this stuff out with, provide
>> feedback,
>> > >> and
>> > > help
>> > > improve the documentation for FreeBSD?
>> > 
>> >  Looks like it would be a fun weekend project.  I've cc'ed a
>> potential
>> >  person who may be interested in this as well.
>> > 
>> >  But will this worth the effort? (I think the current implementation
>> >  would do everything with plaintext protocol over wire, so while it
>> >  extends life for legacy applications that are still using NIS/YP,
>> it
>> >  doesn't seem to be something that we should recommend end user to
>> > use?)
>> > 
>> > >>>
>> > >>> I can see two good point to use ypldap that would be basically for
>> > users
>> > >>> that needs to migrate from NIS to LDAP or need to make some
>> integration
>> > >>> between legacy(NIS) and LDAP during a transition period to LDAP.
>> > >>>
>> > >>> As mentioned, NIS is 'plain text' not safe by its nature, however
>> there
>> > >> are
>> > >>> still lots of people out there using NIS, and ypldap(8) is a good
>> tool
>> > to
>> > >>> help these people migrate to a more safe tool like LDAP.
>> > >>>
>> > >>>
>> > 
>> > > I would also be interested in hearing from someone who can see if
>> > > ypldap can work against a Microsoft Active Directory setup?
>> > 
>> >  Cheers,
>> > 
>> > 
>> > >>> All my tests were using OpenLDAP, I used the OpenBSD documentation
>> to
>> > >> setup
>> > >>> everything, and the file share/examples/ypldap/ypldap.conf can be a
>> > good
>> > >>> start to anybody that wants to start to work with ypldap(8).
>> > >>>
>> > >>> Would be nice hear from other users how was their experience using
>> > ypldap
>> > >>> with MS Active Directory and perhaps some HOWTO how they made all
>> the
>> > >> setup
>> > >>> would be amazing to have.
>> > >>>
>> > >>> Also, would be useful to know who are still using NIS and what kind
>> of
>> > >>> setup(user case), maybe even the reason why they are still using it.
>> > >>
>> > >> Honestly, I think the best way to motivate people to do the right
>> > thing(tm)
>> > >> Would be to remove Yellow Pages from the tree, entirely. :-)
>> > >> It's been dead for *years*, and as you say, isn't safe, anyway..
>> > >>
>> > >
>> > > Yes, I have a plan for that, but I don't believe it will happens
>> before
>> > > FreeBSD 12-RELEASE.
>> > >
>> >
>> > Please don't, at least for now. NIS is fast, simple, reliable, and works
>> > on first boot without additional software. I have passwords in
>> > Kerberos, so the usual cons doesn't apply. This is very valuable to me.
>> >
>> > It's not hurting anyone. What's the motivation behind removing it?
>>
>
>
> Removing NIS is a BAD idea, there are still plenty of people that use it,
> and plenty of businesses rely on it, I still hear people asking for it
>
>
>
>> >
>> > >
>> > >>
>> > >> --Chris
>> > >>>
>> > >>>
>> > >>> Best,
>> > >>> --
>> > >>>
>> > >>> --
>> > >>> Marcelo Araujo(__)ara...@freebsd.org
>> > >>> \\\'',)http://www.FreeBSD.org    \/  \ ^
>> > >>> Power To Server. .\. /_)
>> > >>> ___
>>

Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-15 Thread Outback Dingo
On Wed, Jun 15, 2016 at 10:15 PM, Marcelo Araujo 
wrote:

> No worries Nikolai! If one day I will do it, will be on 12-RELEASE.
>
> Br,
>
> 2016-06-15 20:03 GMT+08:00 Nikolai Lifanov :
>
> > On 06/14/2016 21:05, Marcelo Araujo wrote:
> > > 2016-06-15 8:17 GMT+08:00 Chris H :
> > >
> > >> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo <
> > araujobsdp...@gmail.com>
> > >> wrote
> > >>
> > >>> Hey,
> > >>>
> > >>> Thanks for the CFT Craig.
> > >>>
> > >>> 2016-06-09 14:41 GMT+08:00 Xin Li :
> > >>>
> > 
> > 
> >  On 6/8/16 23:10, Craig Rodrigues wrote:
> > > Hi,
> > >
> > > I have worked with Marcelo Araujo to port OpenBSD's ypldap to
> FreeBSD
> > > current.
> > >
> > > In latest current, it should be possible to put in /etc/rc.conf:
> > >
> > > nis_ypldap_enable="YES"
> > > to activate the ypldap daemon.
> > >
> > > When set up properly, it should be possible to log into FreeBSD,
> and
> > >> have
> > > the backend password database come from an LDAP database such
> > > as OpenLDAP
> > >
> > > There is some documentation for setting this up, but it is OpenBSD
> >  specific:
> > >
> > > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> > > http://puffysecurity.com/wiki/ypldap.html#2
> > >
> > > I did not bother porting the OpenBSD LDAP server to FreeBSD, so
> that
> > > information
> > > does not apply.  I figure that openldap from ports should work
> fine.
> > >
> > > I was wondering if there is someone out there familiar enough with
> > >> LDAP
> > > and has a setup they can test this stuff out with, provide
> feedback,
> > >> and
> > > help
> > > improve the documentation for FreeBSD?
> > 
> >  Looks like it would be a fun weekend project.  I've cc'ed a
> potential
> >  person who may be interested in this as well.
> > 
> >  But will this worth the effort? (I think the current implementation
> >  would do everything with plaintext protocol over wire, so while it
> >  extends life for legacy applications that are still using NIS/YP, it
> >  doesn't seem to be something that we should recommend end user to
> > use?)
> > 
> > >>>
> > >>> I can see two good point to use ypldap that would be basically for
> > users
> > >>> that needs to migrate from NIS to LDAP or need to make some
> integration
> > >>> between legacy(NIS) and LDAP during a transition period to LDAP.
> > >>>
> > >>> As mentioned, NIS is 'plain text' not safe by its nature, however
> there
> > >> are
> > >>> still lots of people out there using NIS, and ypldap(8) is a good
> tool
> > to
> > >>> help these people migrate to a more safe tool like LDAP.
> > >>>
> > >>>
> > 
> > > I would also be interested in hearing from someone who can see if
> > > ypldap can work against a Microsoft Active Directory setup?
> > 
> >  Cheers,
> > 
> > 
> > >>> All my tests were using OpenLDAP, I used the OpenBSD documentation to
> > >> setup
> > >>> everything, and the file share/examples/ypldap/ypldap.conf can be a
> > good
> > >>> start to anybody that wants to start to work with ypldap(8).
> > >>>
> > >>> Would be nice hear from other users how was their experience using
> > ypldap
> > >>> with MS Active Directory and perhaps some HOWTO how they made all the
> > >> setup
> > >>> would be amazing to have.
> > >>>
> > >>> Also, would be useful to know who are still using NIS and what kind
> of
> > >>> setup(user case), maybe even the reason why they are still using it.
> > >>
> > >> Honestly, I think the best way to motivate people to do the right
> > thing(tm)
> > >> Would be to remove Yellow Pages from the tree, entirely. :-)
> > >> It's been dead for *years*, and as you say, isn't safe, anyway..
> > >>
> > >
> > > Yes, I have a plan for that, but I don't believe it will happens before
> > > FreeBSD 12-RELEASE.
> > >
> >
> > Please don't, at least for now. NIS is fast, simple, reliable, and works
> > on first boot without additional software. I have passwords in
> > Kerberos, so the usual cons doesn't apply. This is very valuable to me.
> >
> > It's not hurting anyone. What's the motivation behind removing it?
>


Removing NIS is a BAD idea; there are still plenty of people that use it,
and plenty of businesses rely on it. I still hear people asking for it.



> >
> > >
> > >>
> > >> --Chris
> > >>>
> > >>>
> > >>> Best,
> > >>> --
> > >>>
> > >>> --
> > >>> Marcelo Araujo(__)ara...@freebsd.org
> > >>> \\\'',)http://www.FreeBSD.org    \/  \ ^
> > >>> Power To Server. .\. /_)
> > >>> ___
> > >>> freebsd-current@freebsd.org mailing list
> > >>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> > >>> To unsubscribe, send any mail to "
> > >> freebsd-current-unsubscr...@freebsd.org"
> > >>
> > >>
> > >> ___
> > >> freebsd-curre

Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-15 Thread Marcelo Araujo
No worries Nikolai! If one day I do it, it will be on 12-RELEASE.

Br,

2016-06-15 20:03 GMT+08:00 Nikolai Lifanov :

> On 06/14/2016 21:05, Marcelo Araujo wrote:
> > 2016-06-15 8:17 GMT+08:00 Chris H :
> >
> >> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo <
> araujobsdp...@gmail.com>
> >> wrote
> >>
> >>> Hey,
> >>>
> >>> Thanks for the CFT Craig.
> >>>
> >>> 2016-06-09 14:41 GMT+08:00 Xin Li :
> >>>
> 
> 
>  On 6/8/16 23:10, Craig Rodrigues wrote:
> > Hi,
> >
> > I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
> > current.
> >
> > In latest current, it should be possible to put in /etc/rc.conf:
> >
> > nis_ypldap_enable="YES"
> > to activate the ypldap daemon.
> >
> > When set up properly, it should be possible to log into FreeBSD, and
> >> have
> > the backend password database come from an LDAP database such
> > as OpenLDAP
> >
> > There is some documentation for setting this up, but it is OpenBSD
>  specific:
> >
> > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> > http://puffysecurity.com/wiki/ypldap.html#2
> >
> > I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
> > information
> > does not apply.  I figure that openldap from ports should work fine.
> >
> > I was wondering if there is someone out there familiar enough with
> >> LDAP
> > and has a setup they can test this stuff out with, provide feedback,
> >> and
> > help
> > improve the documentation for FreeBSD?
> 
>  Looks like it would be a fun weekend project.  I've cc'ed a potential
>  person who may be interested in this as well.
> 
>  But will this worth the effort? (I think the current implementation
>  would do everything with plaintext protocol over wire, so while it
>  extends life for legacy applications that are still using NIS/YP, it
>  doesn't seem to be something that we should recommend end user to
> use?)
> 
> >>>
> >>> I can see two good point to use ypldap that would be basically for
> users
> >>> that needs to migrate from NIS to LDAP or need to make some integration
> >>> between legacy(NIS) and LDAP during a transition period to LDAP.
> >>>
> >>> As mentioned, NIS is 'plain text' not safe by its nature, however there
> >> are
> >>> still lots of people out there using NIS, and ypldap(8) is a good tool
> to
> >>> help these people migrate to a more safe tool like LDAP.
> >>>
> >>>
> 
> > I would also be interested in hearing from someone who can see if
> > ypldap can work against a Microsoft Active Directory setup?
> 
>  Cheers,
> 
> 
> >>> All my tests were using OpenLDAP, I used the OpenBSD documentation to
> >> setup
> >>> everything, and the file share/examples/ypldap/ypldap.conf can be a
> good
> >>> start to anybody that wants to start to work with ypldap(8).
> >>>
> >>> Would be nice hear from other users how was their experience using
> ypldap
> >>> with MS Active Directory and perhaps some HOWTO how they made all the
> >> setup
> >>> would be amazing to have.
> >>>
> >>> Also, would be useful to know who are still using NIS and what kind of
> >>> setup(user case), maybe even the reason why they are still using it.
> >>
> >> Honestly, I think the best way to motivate people to do the right
> thing(tm)
> >> Would be to remove Yellow Pages from the tree, entirely. :-)
> >> It's been dead for *years*, and as you say, isn't safe, anyway..
> >>
> >
> > Yes, I have a plan for that, but I don't believe it will happens before
> > FreeBSD 12-RELEASE.
> >
>
> Please don't, at least for now. NIS is fast, simple, reliable, and works
> on first boot without additional software. I have passwords in
> Kerberos, so the usual cons doesn't apply. This is very valuable to me.
>
> It's not hurting anyone. What's the motivation behind removing it?
>
> >
> >>
> >> --Chris
> >>>
> >>>
> >>> Best,
> >>> --
> >>>
> >>> --
> >>> Marcelo Araujo(__)ara...@freebsd.org
> >>> \\\'',)http://www.FreeBSD.org    \/  \ ^
> >>> Power To Server. .\. /_)
> >>> ___
> >>> freebsd-current@freebsd.org mailing list
> >>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> >>> To unsubscribe, send any mail to "
> >> freebsd-current-unsubscr...@freebsd.org"



-- 
Marcelo Araujo(__)ara...@freebsd.org

Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-15 Thread Nikolai Lifanov
On 06/14/2016 21:05, Marcelo Araujo wrote:
> 2016-06-15 8:17 GMT+08:00 Chris H :
> 
>> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo 
>> wrote
>>
>>> Hey,
>>>
>>> Thanks for the CFT Craig.
>>>
>>> 2016-06-09 14:41 GMT+08:00 Xin Li :
>>>


 On 6/8/16 23:10, Craig Rodrigues wrote:
> Hi,
>
> I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
> current.
>
> In latest current, it should be possible to put in /etc/rc.conf:
>
> nis_ypldap_enable="YES"
> to activate the ypldap daemon.
>
> When set up properly, it should be possible to log into FreeBSD, and
>> have
> the backend password database come from an LDAP database such
> as OpenLDAP
>
> There is some documentation for setting this up, but it is OpenBSD
 specific:
>
> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> http://puffysecurity.com/wiki/ypldap.html#2
>
> I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
> information
> does not apply.  I figure that openldap from ports should work fine.
>
> I was wondering if there is someone out there familiar enough with
>> LDAP
> and has a setup they can test this stuff out with, provide feedback,
>> and
> help
> improve the documentation for FreeBSD?

 Looks like it would be a fun weekend project.  I've cc'ed a potential
 person who may be interested in this as well.

 But will this worth the effort? (I think the current implementation
 would do everything with plaintext protocol over wire, so while it
 extends life for legacy applications that are still using NIS/YP, it
 doesn't seem to be something that we should recommend end user to use?)

>>>
>>> I can see two good point to use ypldap that would be basically for users
>>> that needs to migrate from NIS to LDAP or need to make some integration
>>> between legacy(NIS) and LDAP during a transition period to LDAP.
>>>
>>> As mentioned, NIS is 'plain text' not safe by its nature, however there
>> are
>>> still lots of people out there using NIS, and ypldap(8) is a good tool to
>>> help these people migrate to a more safe tool like LDAP.
>>>
>>>

> I would also be interested in hearing from someone who can see if
> ypldap can work against a Microsoft Active Directory setup?

 Cheers,


>>> All my tests were using OpenLDAP, I used the OpenBSD documentation to
>> setup
>>> everything, and the file share/examples/ypldap/ypldap.conf can be a good
>>> start to anybody that wants to start to work with ypldap(8).
>>>
>>> Would be nice hear from other users how was their experience using ypldap
>>> with MS Active Directory and perhaps some HOWTO how they made all the
>> setup
>>> would be amazing to have.
>>>
>>> Also, would be useful to know who are still using NIS and what kind of
>>> setup(user case), maybe even the reason why they are still using it.
>>
>> Honestly, I think the best way to motivate people to do the right thing(tm)
>> Would be to remove Yellow Pages from the tree, entirely. :-)
>> It's been dead for *years*, and as you say, isn't safe, anyway..
>>
> 
> Yes, I have a plan for that, but I don't believe it will happens before
> FreeBSD 12-RELEASE.
> 

Please don't, at least for now. NIS is fast, simple, reliable, and works
on first boot without additional software. I have passwords in
Kerberos, so the usual cons don't apply. This is very valuable to me.

It's not hurting anyone. What's the motivation behind removing it?



Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-15 Thread Daniel Braniss

> On 15 Jun 2016, at 04:22, David Wolfskill  wrote:
> 
> On Tue, Jun 14, 2016 at 05:17:19PM -0700, Chris H wrote:
>> ...
>> Honestly, I think the best way to motivate people to do the right thing(tm)
>> Would be to remove Yellow Pages from the tree, entirely. :-)
>> It's been dead for *years*, and as you say, isn't safe, anyway..
>> 
> 
> "Safe" for what, precisely?
> 
> It's a lookup service.  It is not limited to looking up authentication
> information, and never has been.
> 
> And it's a mechanism that has been widely implemented.
> 
> The catchphrase "Tools, not policy" comes to mind.
> 
> Peace,
> david

probably this is a bit too late, but we have been using MIT’s DNS/Hesiod since
the days when:
ypserver not responding
was popular, and true, it’s not only for password/group.

my .5 cents

danny



Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-14 Thread David Wolfskill
On Tue, Jun 14, 2016 at 05:17:19PM -0700, Chris H wrote:
> ...
> Honestly, I think the best way to motivate people to do the right thing(tm)
> Would be to remove Yellow Pages from the tree, entirely. :-)
> It's been dead for *years*, and as you say, isn't safe, anyway..
> 

"Safe" for what, precisely?

It's a lookup service.  It is not limited to looking up authentication
information, and never has been.

And it's a mechanism that has been widely implemented.

The catchphrase "Tools, not policy" comes to mind.

Peace,
david
-- 
David H. Wolfskill  da...@catwhisker.org
Those who would murder in the name of God or prophet are blasphemous cowards.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.




Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-14 Thread Marcelo Araujo
2016-06-15 8:17 GMT+08:00 Chris H :

> On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo 
> wrote
>
> > Hey,
> >
> > Thanks for the CFT Craig.
> >
> > 2016-06-09 14:41 GMT+08:00 Xin Li :
> >
> > >
> > >
> > > On 6/8/16 23:10, Craig Rodrigues wrote:
> > > > Hi,
> > > >
> > > > I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
> > > > current.
> > > >
> > > > In latest current, it should be possible to put in /etc/rc.conf:
> > > >
> > > > nis_ypldap_enable="YES"
> > > > to activate the ypldap daemon.
> > > >
> > > > When set up properly, it should be possible to log into FreeBSD, and
> have
> > > > the backend password database come from an LDAP database such
> > > > as OpenLDAP
> > > >
> > > > There is some documentation for setting this up, but it is OpenBSD
> > > specific:
> > > >
> > > > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> > > > http://puffysecurity.com/wiki/ypldap.html#2
> > > >
> > > > I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
> > > > information
> > > > does not apply.  I figure that openldap from ports should work fine.
> > > >
> > > > I was wondering if there is someone out there familiar enough with
> LDAP
> > > > and has a setup they can test this stuff out with, provide feedback,
> and
> > > > help
> > > > improve the documentation for FreeBSD?
> > >
> > > Looks like it would be a fun weekend project.  I've cc'ed a potential
> > > person who may be interested in this as well.
> > >
> > > But will this worth the effort? (I think the current implementation
> > > would do everything with plaintext protocol over wire, so while it
> > > extends life for legacy applications that are still using NIS/YP, it
> > > doesn't seem to be something that we should recommend end user to use?)
> > >
> >
> > I can see two good point to use ypldap that would be basically for users
> > that needs to migrate from NIS to LDAP or need to make some integration
> > between legacy(NIS) and LDAP during a transition period to LDAP.
> >
> > As mentioned, NIS is 'plain text' not safe by its nature, however there
> are
> > still lots of people out there using NIS, and ypldap(8) is a good tool to
> > help these people migrate to a more safe tool like LDAP.
> >
> >
> > >
> > > > I would also be interested in hearing from someone who can see if
> > > > ypldap can work against a Microsoft Active Directory setup?
> > >
> > > Cheers,
> > >
> > >
> > All my tests were using OpenLDAP, I used the OpenBSD documentation to
> setup
> > everything, and the file share/examples/ypldap/ypldap.conf can be a good
> > start to anybody that wants to start to work with ypldap(8).
> >
> > Would be nice hear from other users how was their experience using ypldap
> > with MS Active Directory and perhaps some HOWTO how they made all the
> setup
> > would be amazing to have.
> >
> > Also, would be useful to know who are still using NIS and what kind of
> > setup(user case), maybe even the reason why they are still using it.
>
> Honestly, I think the best way to motivate people to do the right thing(tm)
> Would be to remove Yellow Pages from the tree, entirely. :-)
> It's been dead for *years*, and as you say, isn't safe, anyway..
>

Yes, I have a plan for that, but I don't believe it will happen before
FreeBSD 12-RELEASE.





-- 
Marcelo Araujo(__)ara...@freebsd.org
\\\'',)http://www.FreeBSD.org    \/  \ ^
Power To Server. .\. /_)


Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-14 Thread Chris H
On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo 
wrote

> Hey,
> 
> Thanks for the CFT Craig.
> 
> 2016-06-09 14:41 GMT+08:00 Xin Li :
> 
> >
> >
> > On 6/8/16 23:10, Craig Rodrigues wrote:
> > > Hi,
> > >
> > > I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
> > > current.
> > >
> > > In latest current, it should be possible to put in /etc/rc.conf:
> > >
> > > nis_ypldap_enable="YES"
> > > to activate the ypldap daemon.
> > >
> > > When set up properly, it should be possible to log into FreeBSD, and have
> > > the backend password database come from an LDAP database such
> > > as OpenLDAP
> > >
> > > There is some documentation for setting this up, but it is OpenBSD
> > specific:
> > >
> > > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> > > http://puffysecurity.com/wiki/ypldap.html#2
> > >
> > > I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
> > > information
> > > does not apply.  I figure that openldap from ports should work fine.
> > >
> > > I was wondering if there is someone out there familiar enough with LDAP
> > > and has a setup they can test this stuff out with, provide feedback, and
> > > help
> > > improve the documentation for FreeBSD?
> >
> > Looks like it would be a fun weekend project.  I've cc'ed a potential
> > person who may be interested in this as well.
> >
> > But will this worth the effort? (I think the current implementation
> > would do everything with plaintext protocol over wire, so while it
> > extends life for legacy applications that are still using NIS/YP, it
> > doesn't seem to be something that we should recommend end user to use?)
> >
> 
> I can see two good point to use ypldap that would be basically for users
> that needs to migrate from NIS to LDAP or need to make some integration
> between legacy(NIS) and LDAP during a transition period to LDAP.
> 
> As mentioned, NIS is 'plain text' not safe by its nature, however there are
> still lots of people out there using NIS, and ypldap(8) is a good tool to
> help these people migrate to a more safe tool like LDAP.
> 
> 
> >
> > > I would also be interested in hearing from someone who can see if
> > > ypldap can work against a Microsoft Active Directory setup?
> >
> > Cheers,
> >
> >
> All my tests were using OpenLDAP, I used the OpenBSD documentation to setup
> everything, and the file share/examples/ypldap/ypldap.conf can be a good
> start to anybody that wants to start to work with ypldap(8).
> 
> Would be nice hear from other users how was their experience using ypldap
> with MS Active Directory and perhaps some HOWTO how they made all the setup
> would be amazing to have.
> 
> Also, would be useful to know who are still using NIS and what kind of
> setup(user case), maybe even the reason why they are still using it.

Honestly, I think the best way to motivate people to do the right thing(tm)
would be to remove Yellow Pages from the tree, entirely. :-)
It's been dead for *years*, and as you say, isn't safe, anyway..

--Chris


Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-14 Thread Eric van Gyzen
On 06/ 9/16 05:49 PM, Matthew Seaman wrote:
> On 09/06/2016 18:34, Craig Rodrigues wrote:
>> There is still value to ypldap as it is now, and getting feedback from
>> users (especially Active Directory) would be very useful.
>> If someone could document a configuration which uses IPSEC or OpenSSH
>> forwarding, that would be nice.
>>
>> In future, maybe someone in OpenBSD or FreeBSD will implement things like
>> LDAP over SSL.
> What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
> transit, and I find it works very well for using OpenLDAP as a central
> account database.  I believe it works with AD, but haven't tried that
> myself.

nss-pam-ldapd works very well with Active Directory.  At work, dozens of
people use it on their workstations and hundreds of people use it on the
build servers.  We've been doing this for years with no issues.  Well,
we've caused some issues for ourselves, of course...  ;)

Eric


Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-13 Thread Jan Bramkamp



On 10/06/16 16:29, Peter Wemm wrote:

On 6/9/16 6:49 PM, Matthew Seaman wrote:

On 09/06/2016 18:34, Craig Rodrigues wrote:

There is still value to ypldap as it is now, and getting feedback from
users (especially Active Directory) would be very useful.
If someone could document a configuration which uses IPSEC or OpenSSH
forwarding, that would be nice.

In future, maybe someone in OpenBSD or FreeBSD will implement things
like
LDAP over SSL.


What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
transit, and I find it works very well for using OpenLDAP as a central
account database.  I believe it works with AD, but haven't tried that
myself.

Cheers,

Matthew




We used nss-pam-ldapd quite successfully in the freebsd.org cluster
during our transition away from YP/NIS, for what it's worth.


Did you try the OpenLDAP nssov overlay? It replaces nslcd by 
reimplementing the protocol spoken between nslcd and nss_ldap/pam_ldap 
directly inside slapd. This allows slapd to cache or replicate the data 
locally without resorting to the broken nscd.



Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-10 Thread Peter Wemm

On 6/9/16 6:49 PM, Matthew Seaman wrote:

On 09/06/2016 18:34, Craig Rodrigues wrote:

There is still value to ypldap as it is now, and getting feedback from
users (especially Active Directory) would be very useful.
If someone could document a configuration which uses IPSEC or OpenSSH
forwarding, that would be nice.

In future, maybe someone in OpenBSD or FreeBSD will implement things like
LDAP over SSL.


What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
transit, and I find it works very well for using OpenLDAP as a central
account database.  I believe it works with AD, but haven't tried that
myself.

Cheers,

Matthew




We used nss-pam-ldapd quite successfully in the freebsd.org cluster during 
our transition away from YP/NIS, for what it's worth.


--
Peter Wemm - pe...@wemm.org; pe...@freebsd.org; pe...@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…


Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-09 Thread Matthew Seaman
On 09/06/2016 18:34, Craig Rodrigues wrote:
> There is still value to ypldap as it is now, and getting feedback from
> users (especially Active Directory) would be very useful.
> If someone could document a configuration which uses IPSEC or OpenSSH
> forwarding, that would be nice.
> 
> In future, maybe someone in OpenBSD or FreeBSD will implement things like
> LDAP over SSL.

What advantages does ypldap offer over nss-pam-ldapd (in ports)?
nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
transit, and I find it works very well for using OpenLDAP as a central
account database.  I believe it works with AD, but haven't tried that
myself.

Cheers,

Matthew






Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-09 Thread Craig Rodrigues
On Wed, Jun 8, 2016 at 11:41 PM, Xin Li  wrote:

>
> (I think the current implementation
> would do everything with plaintext protocol over wire, so while it
>

You are correct.  This document http://puffysecurity.com/wiki/ypldap.html#2
states:

#
# ypldap cant use SSL or SASL...
# You must allow unsecured authentication with the following line
# Then setup OpenIKED VPN or use OpenSSH Socket or Port Forwording
#


There is still value to ypldap as it is now, and getting feedback from
users (especially Active Directory) would be very useful.
If someone could document a configuration which uses IPSEC or OpenSSH
forwarding, that would be nice.

In future, maybe someone in OpenBSD or FreeBSD will implement things like
LDAP over SSL.

--
Craig
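Neither this post nor Matthew's reply about nss-pam-ldapd shows what the two configurations look like from a transit-protection point of view, so here is an added example (my own code, not part of the thread, of ypldap or of nss-pam-ldapd) that audits exactly the point both posts make: it reads the `uri`, `ssl` and `tls_reqcert` directives of an nslcd.conf and the `directory "host"` lines of an OpenBSD-style ypldap.conf, and reports every LDAP endpoint that would be reached in plaintext over the network. Because ypldap speaks plain LDAP only, the only ypldap configuration that passes is one whose directory is a loopback address, i.e. the local end of the OpenSSH forward or IPsec tunnel mentioned above. The sample configurations in the block are constructed for the example (host names, the CA file path and the `secret` bind password are placeholders), and the ypldap.conf parsing assumes the `directory "host" { ... }` block syntax of the OpenBSD example file.

```python
"""Audit LDAP client configs for directory traffic that would cross the wire in the clear.

Added example, not part of the thread or of ypldap/nss-pam-ldapd. Understands the
nslcd.conf directives `uri`, `ssl` and `tls_reqcert`, and the `directory "host" { ... }`
blocks of an OpenBSD-style ypldap.conf (assumed syntax).
"""
import ipaddress
import re
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
WEAK_REQCERT = {"never", "allow", "try"}   # these accept a missing or bad server cert


def is_loopback(host):
    """True when the endpoint stays on this machine (e.g. the local end of an SSH forward)."""
    if host is None:
        return False
    host = host.strip("[]").lower()
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_directives(text):
    """Yield (keyword, rest) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def split_ldap_uri(uri):
    """Return (scheme, host); nslcd's DNS/SRV form carries no literal host."""
    if uri.upper().startswith("DNS"):
        return "dns", None
    parts = urlsplit(uri)
    return parts.scheme.lower(), parts.hostname


def audit_nslcd(conf):
    """Findings for an nslcd.conf; an empty list means transit is protected."""
    uris, ssl_mode, reqcert = [], "off", None      # nslcd's default is `ssl off`
    for key, rest in parse_directives(conf):
        if key == "uri":
            uris.extend(rest.split())
        elif key == "ssl":
            ssl_mode = rest.lower()
        elif key == "tls_reqcert":
            reqcert = rest.lower()

    findings, remote_tls = [], False
    for uri in uris:
        scheme, host = split_ldap_uri(uri)
        if scheme == "ldapi" or is_loopback(host):
            continue                                  # never leaves the host
        if scheme == "ldaps" or ssl_mode in ("on", "start_tls"):
            remote_tls = True                         # encrypted: check verification below
            continue
        findings.append(f"{uri}: plaintext LDAP to a remote host "
                        "(use ldaps:// or add 'ssl start_tls')")
    if remote_tls and reqcert in WEAK_REQCERT:
        findings.append(f"tls_reqcert {reqcert}: TLS is on but the server "
                        "certificate is not verified (use 'demand')")
    return findings


DIRECTORY_HOST = re.compile(r'^"([^"]+)"')   # the quoted host after `directory`


def audit_ypldap(conf):
    """Findings for a ypldap.conf: ypldap has no TLS, so only a loopback directory
    (fed by an SSH forward or IPsec) keeps binds and password hashes off the wire."""
    findings = []
    for key, rest in parse_directives(conf):
        if key != "directory":
            continue
        match = DIRECTORY_HOST.match(rest)
        if match and not is_loopback(match.group(1)):
            findings.append(f'directory "{match.group(1)}": ypldap speaks plain LDAP; '
                            "point it at a local tunnel endpoint instead")
    return findings


# Constructed samples: placeholder hosts, CA path and credentials, not real ones.
WEAK_NSLCD = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=nslcd,dc=example,dc=com
bindpw secret
"""

HARDENED_NSLCD = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_reqcert demand
tls_cacertfile /usr/local/etc/ssl/ldap-ca.pem
binddn cn=nslcd,dc=example,dc=com
bindpw secret
"""

WEAK_YPLDAP = 'directory "192.0.2.10" {\n\tbasedn "dc=example,dc=com"\n}\n'
TUNNELED_YPLDAP = 'directory "127.0.0.1" {\n\tbasedn "dc=example,dc=com"\n}\n'

if __name__ == "__main__":
    for name, conf, audit in [("weak nslcd.conf", WEAK_NSLCD, audit_nslcd),
                              ("hardened nslcd.conf", HARDENED_NSLCD, audit_nslcd),
                              ("ypldap.conf to a remote host", WEAK_YPLDAP, audit_ypldap),
                              ("ypldap.conf via local tunnel", TUNNELED_YPLDAP, audit_ypldap)]:
        print(f"{name}: {audit(conf) or ['ok']}")
```

The hardened nslcd.conf keeps the same `ldap://` URI and adds `ssl start_tls` with `tls_reqcert demand`, which is the combination that both encrypts the session and makes the client refuse a server it cannot verify; `tls_reqcert never` would still encrypt but leaves the connection open to an impostor directory, which is why the audit reports it separately.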


Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-09 Thread Marcelo Araujo
Hey,

Thanks for the CFT Craig.

2016-06-09 14:41 GMT+08:00 Xin Li :

>
>
> On 6/8/16 23:10, Craig Rodrigues wrote:
> > Hi,
> >
> > I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
> > current.
> >
> > In latest current, it should be possible to put in /etc/rc.conf:
> >
> > nis_ypldap_enable="YES"
> > to activate the ypldap daemon.
> >
> > When set up properly, it should be possible to log into FreeBSD, and have
> > the backend password database come from an LDAP database such
> > as OpenLDAP
> >
> > There is some documentation for setting this up, but it is OpenBSD
> specific:
> >
> > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> > http://puffysecurity.com/wiki/ypldap.html#2
> >
> > I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
> > information
> > does not apply.  I figure that openldap from ports should work fine.
> >
> > I was wondering if there is someone out there familiar enough with LDAP
> > and has a setup they can test this stuff out with, provide feedback, and
> > help
> > improve the documentation for FreeBSD?
>
> Looks like it would be a fun weekend project.  I've cc'ed a potential
> person who may be interested in this as well.
>
> But will this worth the effort? (I think the current implementation
> would do everything with plaintext protocol over wire, so while it
> extends life for legacy applications that are still using NIS/YP, it
> doesn't seem to be something that we should recommend end user to use?)
>

I can see two good points for using ypldap: basically, it is for users
that need to migrate from NIS to LDAP, or that need some integration
between legacy (NIS) and LDAP during a transition period to LDAP.

As mentioned, NIS is 'plain text', not safe by its nature; however, there are
still lots of people out there using NIS, and ypldap(8) is a good tool to
help these people migrate to a safer tool like LDAP.


>
> > I would also be interested in hearing from someone who can see if
> > ypldap can work against a Microsoft Active Directory setup?
>
> Cheers,
>
>
All my tests were using OpenLDAP; I used the OpenBSD documentation to set up
everything, and the file share/examples/ypldap/ypldap.conf can be a good
start for anybody who wants to start working with ypldap(8).

It would be nice to hear from other users about their experience using ypldap
with MS Active Directory, and perhaps a HOWTO on how they made all the setup
would be amazing to have.

Also, it would be useful to know who is still using NIS and what kind of
setup (use case) they have, maybe even the reason why they are still using it.


Best,
-- 
Marcelo Araujo(__)ara...@freebsd.org
\\\'',)http://www.FreeBSD.org    \/  \ ^
Power To Server. .\. /_)


Re: [CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-08 Thread Xin Li


On 6/8/16 23:10, Craig Rodrigues wrote:
> Hi,
> 
> I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
> current.
> 
> In latest current, it should be possible to put in /etc/rc.conf:
> 
> nis_ypldap_enable="YES"
> to activate the ypldap daemon.
> 
> When set up properly, it should be possible to log into FreeBSD, and have
> the backend password database come from an LDAP database such
> as OpenLDAP
> 
> There is some documentation for setting this up, but it is OpenBSD specific:
> 
> http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> http://puffysecurity.com/wiki/ypldap.html#2
> 
> I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
> information
> does not apply.  I figure that openldap from ports should work fine.
> 
> I was wondering if there is someone out there familiar enough with LDAP
> and has a setup they can test this stuff out with, provide feedback, and
> help
> improve the documentation for FreeBSD?

Looks like it would be a fun weekend project.  I've cc'ed a potential
person who may be interested in this as well.

But will this be worth the effort? (I think the current implementation
would do everything with a plaintext protocol over the wire, so while it
extends life for legacy applications that are still using NIS/YP, it
doesn't seem to be something that we should recommend end users to use?)

> I would also be interested in hearing from someone who can see if
> ypldap can work against a Microsoft Active Directory setup?

Cheers,





[CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

2016-06-08 Thread Craig Rodrigues
Hi,

I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
current.

In the latest current, it should be possible to put in /etc/rc.conf:

nis_ypldap_enable="YES"

to activate the ypldap daemon.

When set up properly, it should be possible to log into FreeBSD and have
the backend password database come from an LDAP database such
as OpenLDAP.

There is some documentation for setting this up, but it is OpenBSD specific:

http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
http://puffysecurity.com/wiki/ypldap.html#2

I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
information does not apply.  I figure that openldap from ports should work fine.

I was wondering if there is someone out there familiar enough with LDAP
who has a setup they can test this stuff out with, provide feedback, and
help improve the documentation for FreeBSD?

I would also be interested in hearing from someone who can see if
ypldap can work against a Microsoft Active Directory setup?

Thanks.
--
Craig