[CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

Craig Rodrigues

Jun 9, 2016, 2:10:30 AM
to freebsd-current Current
Hi,

I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD current.

In latest current, it should be possible to put in /etc/rc.conf:

nis_ypldap_enable="YES"

to activate the ypldap daemon.

When set up properly, it should be possible to log into FreeBSD and have the backend password database come from an LDAP database such as OpenLDAP.

There is some documentation for setting this up, but it is OpenBSD specific:

http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
http://puffysecurity.com/wiki/ypldap.html#2

I did not bother porting the OpenBSD LDAP server to FreeBSD, so that information does not apply. I figure that openldap from ports should work fine.

I was wondering if there is someone out there who is familiar enough with LDAP and has a setup they can test this stuff out with, provide feedback, and help improve the documentation for FreeBSD?

I would also be interested in hearing from someone who can see if ypldap can work against a Microsoft Active Directory setup.

Thanks.
--
Craig
_______________________________________________
freebsd...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-curre...@freebsd.org"
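Since the CFT above only shows the rc.conf knob, here is an added example of the ypldap.conf that ypldap reads once enabled. It is not the file shipped in share/examples/ypldap/ypldap.conf and not Craig's or Marcelo's configuration; the domain, host names, DNs, and the bind credential are placeholders. Because ypldap has no TLS or SASL option (as this thread goes on to discuss), the directory block points at 127.0.0.1 and assumes the LDAP connection is carried over an SSH port forward to the real server, and the NIS passwd map is served with a fixed "*" password field so that no hashes travel over NIS at all; users then authenticate through PAM against LDAP or Kerberos rather than via NIS.

```conf
# Added example ypldap.conf (not the file from share/examples/ypldap).
# Every host name, DN and credential below is a placeholder.
domain   "example.com"
interval 60

# NIS maps this ypldap instance serves to ypbind clients.
provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"
provide map "netid.byname"

# ypldap speaks plain LDAP, so instead of naming the LDAP server on the
# network, point at a local SSH port forward (assumed to be kept up by
# something like:  ssh -N -L 389:localhost:389 tunnel@ldap.example.com).
directory "127.0.0.1" {
        # Service account with read access to the People/Groups subtrees;
        # keep this file readable by root only, it holds the credential.
        binddn   "cn=ypldap,ou=Services,dc=example,dc=com"
        bindcred "changeme"
        basedn   "ou=People,dc=example,dc=com"
        groupdn  "ou=Groups,dc=example,dc=com"

        passwd filter "(objectClass=posixAccount)"

        attribute name  maps to "uid"
        # "*" keeps password hashes out of the NIS maps entirely; login
        # then has to be authenticated by PAM (pam_ldap, Kerberos), not NIS.
        fixed attribute passwd "*"
        attribute uid   maps to "uidNumber"
        attribute gid   maps to "gidNumber"
        attribute gecos maps to "cn"
        attribute home  maps to "homeDirectory"
        attribute shell maps to "loginShell"
        fixed attribute change "0"
        fixed attribute expire "0"
        fixed attribute class  "default"

        group filter "(objectClass=posixGroup)"

        attribute groupname   maps to "cn"
        fixed attribute grouppasswd "*"
        attribute groupgid    maps to "gidNumber"
        list groupmembers     maps to "memberUid"
}
```

With the passwd field fixed to "*", a client that only consults NIS sees account metadata (uid, gid, home, shell) but never a hash, which limits what a sniffer on the NIS segment can collect; the trade-off is that the password check has to happen elsewhere, which is exactly the split Nikolai describes later in this thread (NIS for lookups, Kerberos for passwords).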

Marcelo Araujo

Jun 9, 2016, 5:56:23 AM
to Xin Li, Craig Rodrigues, freebsd-current Current, Xin LI, 赵新
Hey,

Thanks for the CFT Craig.

2016-06-09 14:41 GMT+08:00 Xin Li <del...@delphij.net>:

>
>
> On 6/8/16 23:10, Craig Rodrigues wrote:
> > Hi,
> >
> > I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
> > current.
> >
> > In latest current, it should be possible to put in /etc/rc.conf:
> >
> > nis_ypldap_enable="YES"
> > to activate the ypldap daemon.
> >
> > When set up properly, it should be possible to log into FreeBSD, and have
> > the backend password database come from an LDAP database such
> > as OpenLDAP
> >
> > There is some documentation for setting this up, but it is OpenBSD
> specific:
> >
> > http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
> > http://puffysecurity.com/wiki/ypldap.html#2
> >
> > I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
> > information
> > does not apply. I figure that openldap from ports should work fine.
> >
> > I was wondering if there is someone out there familiar enough with LDAP
> > and has a setup they can test this stuff out with, provide feedback, and
> > help
> > improve the documentation for FreeBSD?
>
> Looks like it would be a fun weekend project. I've cc'ed a potential
> person who may be interested in this as well.
>
> But will this be worth the effort? (I think the current implementation
> would do everything with plaintext protocol over wire, so while it
> extends life for legacy applications that are still using NIS/YP, it
> doesn't seem to be something that we should recommend end users to use?)
>

I can see two good points for using ypldap: it would basically be for users
that need to migrate from NIS to LDAP, or need to make some integration
between legacy (NIS) and LDAP during a transition period to LDAP.

As mentioned, NIS is 'plain text', not safe by its nature; however there are
still lots of people out there using NIS, and ypldap(8) is a good tool to
help these people migrate to a safer tool like LDAP.


>
> > I would also be interested in hearing from someone who can see if
> > ypldap can work against a Microsoft Active Directory setup?
>
> Cheers,
>
>
All my tests were using OpenLDAP. I used the OpenBSD documentation to set up
everything, and the file share/examples/ypldap/ypldap.conf can be a good
start for anybody that wants to start working with ypldap(8).

It would be nice to hear from other users what their experience was using ypldap
with MS Active Directory, and perhaps a HOWTO describing how they made the whole
setup would be amazing to have.

Also, it would be useful to know who is still using NIS and with what kind of
setup (use case), and maybe even the reason why they are still using it.


Best,
--
Marcelo Araujo ara...@FreeBSD.org
http://www.FreeBSD.org
Power To Server.

Craig Rodrigues

Jun 9, 2016, 6:34:35 PM
to freebsd-current Current, 赵新
On Wed, Jun 8, 2016 at 11:41 PM, Xin Li <del...@delphij.net> wrote:

>
> (I think the current implementation
> would do everything with plaintext protocol over wire, so while it
>

You are correct. This document http://puffysecurity.com/wiki/ypldap.html#2
states:

#
# ypldap cant use SSL or SASL...
# You must allow unsecured authentication with the following line
# Then setup OpenIKED VPN or use OpenSSH Socket or Port Forwording
#


There is still value to ypldap as it is now, and getting feedback from
users (especially Active Directory) would be very useful.
If someone could document a configuration which uses IPSEC or OpenSSH
forwarding, that would be nice.

In the future, maybe someone in OpenBSD or FreeBSD will implement things like
LDAP over SSL.

Peter Wemm

Jun 10, 2016, 10:29:28 AM
to freebsd...@freebsd.org
On 6/9/16 6:49 PM, Matthew Seaman wrote:
> On 09/06/2016 18:34, Craig Rodrigues wrote:
>> There is still value to ypldap as it is now, and getting feedback from
>> users (especially Active Directory) would be very useful.
>> If someone could document a configuration which uses IPSEC or OpenSSH
>> forwarding, that would be nice.
>>
>> In future, maybe someone in OpenBSD or FreeBSD will implement things like
>> LDAP over SSL.
>
> What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
> transit, and I find it works very well for using OpenLDAP as a central
> account database. I believe it works with AD, but haven't tried that
> myself.
>
> Cheers,
>
> Matthew
>
>

We used nss-pam-ldapd quite successfully in the freebsd.org cluster during
our transition away from YP/NIS, for what it's worth.

--
Peter Wemm - pe...@wemm.org; pe...@FreeBSD.org; pe...@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…

Jan Bramkamp

Jun 13, 2016, 8:46:27 AM
to freebsd...@freebsd.org


On 10/06/16 16:29, Peter Wemm wrote:
> On 6/9/16 6:49 PM, Matthew Seaman wrote:
>> On 09/06/2016 18:34, Craig Rodrigues wrote:
>>> There is still value to ypldap as it is now, and getting feedback from
>>> users (especially Active Directory) would be very useful.
>>> If someone could document a configuration which uses IPSEC or OpenSSH
>>> forwarding, that would be nice.
>>>
>>> In future, maybe someone in OpenBSD or FreeBSD will implement things
>>> like
>>> LDAP over SSL.
>>
>> What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
>> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
>> transit, and I find it works very well for using OpenLDAP as a central
>> account database. I believe it works with AD, but haven't tried that
>> myself.
>>
>> Cheers,
>>
>> Matthew
>>
>>
>
> We used nss-pam-ldapd quite successfully in the freebsd.org cluster
> during our transition away from YP/NIS, for what it's worth.

Did you try the OpenLDAP nssov overlay? It replaces nslcd by
reimplementing the protocol spoken between nslcd and nss_ldap/pam_ldap
directly inside slapd. This allows slapd to cache or replicate the data
locally without resorting to the broken nscd.

Eric van Gyzen

Jun 14, 2016, 1:25:37 PM
to Matthew Seaman, freebsd...@freebsd.org
On 06/ 9/16 05:49 PM, Matthew Seaman wrote:
> On 09/06/2016 18:34, Craig Rodrigues wrote:
>> There is still value to ypldap as it is now, and getting feedback from
>> users (especially Active Directory) would be very useful.
>> If someone could document a configuration which uses IPSEC or OpenSSH
>> forwarding, that would be nice.
>>
>> In future, maybe someone in OpenBSD or FreeBSD will implement things like
>> LDAP over SSL.
> What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
> transit, and I find it works very well for using OpenLDAP as a central
> account database. I believe it works with AD, but haven't tried that
> myself.

nss-pam-ldapd works very well with Active Directory. At work, dozens of
people use it on their workstations and hundreds of people use it on the
build servers. We've been doing this for years with no issues. Well,
we've caused some issues for ourselves, of course... ;)

Eric
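Matthew's point above (nss-pam-ldapd can encrypt the directory traffic with STARTTLS or ldaps, which ypldap cannot) and Eric's confirmation that it works against Active Directory are the security-relevant contrast in this thread. The following is an added example, not a configuration from the thread, from the port, or from the freebsd.org cluster: two nslcd.conf fragments for nss-pam-ldapd on FreeBSD, the weak cleartext form beside the hardened one, followed by the Active Directory attribute mapping the nslcd.conf manual describes. Host names, DNs, the bind credential, the CA file path and the AD tree are assumed placeholders.

```conf
# Added example nslcd.conf fragments for nss-pam-ldapd (not from the thread
# or the port). Each section is a separate file; do not combine them.
# All host names, DNs, credentials and paths are placeholders.

# ---------------------------------------------------------------------
# 1. Weak: cleartext LDAP. The bind password, every user lookup and every
#    password hash nslcd fetches for the shadow map cross the wire in the
#    clear, which is the same exposure ypldap has.
# ---------------------------------------------------------------------
uri     ldap://ldap.example.com/
base    dc=example,dc=com
binddn  cn=nslcd,ou=Services,dc=example,dc=com
bindpw  changeme
ssl     off

# ---------------------------------------------------------------------
# 2. Hardened: LDAPS with the server certificate verified against a
#    private CA. "ssl start_tls" with a ldap:// URI is the equivalent
#    STARTTLS form; either way, tls_reqcert demand is what prevents a
#    spoofed directory from harvesting the bind credential.
# ---------------------------------------------------------------------
uri            ldaps://ldap.example.com/
base           dc=example,dc=com
binddn         cn=nslcd,ou=Services,dc=example,dc=com
bindpw         changeme
ssl            on
# "demand": refuse the connection unless the certificate validates.
# "never" or "allow" would accept any server that answers on the port.
tls_reqcert    demand
tls_cacertfile /usr/local/etc/ssl/certs/example-ca.pem
# nslcd.conf itself holds bindpw, so it must be mode 0600 and root-owned.

# ---------------------------------------------------------------------
# 3. Active Directory variant (mapping taken from the nslcd.conf manual's
#    AD example; the domain tree is a placeholder). Same TLS settings as
#    in section 2 apply; only the schema mapping differs.
# ---------------------------------------------------------------------
uri            ldaps://dc1.ad.example.com/
base           dc=ad,dc=example,dc=com
binddn         cn=nslcd,cn=Users,dc=ad,dc=example,dc=com
bindpw         changeme
ssl            on
tls_reqcert    demand
tls_cacertfile /usr/local/etc/ssl/certs/ad-ca.pem
# AD returns at most 1000 entries per page and refers to other DCs.
pagesize       1000
referrals      off
# Only real user objects that carry POSIX attributes become accounts.
filter passwd  (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd  uid            sAMAccountName
map    passwd  homeDirectory  unixHomeDirectory
map    passwd  gecos          displayName
map    passwd  gidNumber      primaryGroupID
filter group   (objectClass=group)
```

The quickest check that section 2 is actually in effect is to watch port 389 on the client: with ssl on and a ldaps:// URI there should be no traffic to 389 at all, and with ssl start_tls the only cleartext bytes should be the STARTTLS extended request before the handshake.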

Chris H

Jun 14, 2016, 8:17:36 PM
to freebsd...@freebsd.org
On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo <araujo...@gmail.com>
wrote:
Honestly, I think the best way to motivate people to do the right thing(tm)
would be to remove Yellow Pages from the tree, entirely. :-)
It's been dead for *years*, and as you say, isn't safe anyway.

--Chris

Marcelo Araujo

Jun 14, 2016, 9:06:02 PM
to Chris H, freebsd-current
Yes, I have a plan for that, but I don't believe it will happen before
FreeBSD 12-RELEASE.

David Wolfskill

Jun 14, 2016, 9:22:32 PM
to Chris H, freebsd...@freebsd.org
On Tue, Jun 14, 2016 at 05:17:19PM -0700, Chris H wrote:
> ...
> Honestly, I think the best way to motivate people to do the right thing(tm)
> Would be to remove Yellow Pages from the tree, entirely. :-)
> It's been dead for *years*, and as you say, isn't safe, anyway..
> ....

"Safe" for what, precisely?

It's a lookup service. It is not limited to looking up authentication
information, and never has been.

And it's a mechanism that has been widely implemented.

The catchphrase "Tools, not policy" comes to mind.

Peace,
david
--
David H. Wolfskill da...@catwhisker.org
Those who would murder in the name of God or prophet are blasphemous cowards.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.

Daniel Braniss

Jun 15, 2016, 3:12:56 AM
to cur...@freebsd.org, Chris H, freebsd...@freebsd.org

> On 15 Jun 2016, at 04:22, David Wolfskill <da...@catwhisker.org> wrote:
>
> On Tue, Jun 14, 2016 at 05:17:19PM -0700, Chris H wrote:
>> ...
>> Honestly, I think the best way to motivate people to do the right thing(tm)
>> Would be to remove Yellow Pages from the tree, entirely. :-)
>> It's been dead for *years*, and as you say, isn't safe, anyway..
>> ....
>
> "Safe" for what, precisely?
>
> It's a lookup service. It is not limited to looking up authentication
> information, and never has been.
>
> And it's a mechanism that has been widely implemented.
>
> The catchphrase "Tools, not policy" comes to mind.
>
> Peace,
> david

probably this is a bit too late, but we have been using MIT’s DNS/Hesiod since the days
when:
ypserver not responding
was popular, and true, it’s not only for password/group.

my .5 cents

danny

Nikolai Lifanov

Jun 15, 2016, 8:04:22 AM
to freebsd...@freebsd.org
Please don't, at least for now. NIS is fast, simple, reliable, and works
on first boot without additional software. I have passwords in
Kerberos, so the usual cons don't apply. This is very valuable to me.

It's not hurting anyone. What's the motivation behind removing it?

Marcelo Araujo

Jun 15, 2016, 10:16:20 PM
to Nikolai Lifanov, freebsd-current
No worries Nikolai! If one day I do it, it will be on 12-RELEASE.

Br,

Outback Dingo

Jun 15, 2016, 10:51:46 PM
to ara...@freebsd.org, Nikolai Lifanov, freebsd-current
On Wed, Jun 15, 2016 at 10:15 PM, Marcelo Araujo <araujo...@gmail.com>
wrote:
Removing NIS is a BAD idea; there are still plenty of people that use it,
and plenty of businesses rely on it. I still hear people asking for it.

Marcelo Araujo

Jun 15, 2016, 10:54:31 PM
to Outback Dingo, Nikolai Lifanov, freebsd-current
I hear too!!! And that is why we are having this talk here around ypldap.

Best,

Chris H

Jun 16, 2016, 9:20:37 AM
to freebsd...@freebsd.org
On Wed, 15 Jun 2016 08:03:55 -0400 Nikolai Lifanov <lif...@mail.lifanov.com>
wrote:
In all honesty, my comment was somewhat tongue-in-cheek. But from
a purely maintenance POV, at this point in time, I think the Yellow
Pages are better suited for the ports tree than in $BASE.

--Chris


Alan Somers

Jun 18, 2016, 11:16:23 AM
to Chris H, FreeBSD CURRENT
It will be hard to wean people off of NIS as long as KGSSAPI is
disabled in GENERIC. Does anybody know why it isn't enabled by
default?

-Alan

Jan Bramkamp

Jun 21, 2016, 11:55:41 AM
to freebsd...@freebsd.org
Because it's just a `kldload kgssapi` away. Put it in loader.conf or
rc.conf depending on your needs/preferences.

Alan Somers

Jun 21, 2016, 12:37:20 PM
to Jan Bramkamp, FreeBSD CURRENT
Thanks Jan. I didn't realize that kgssapi was built as a module by
default now. All of the very few NFSv4 guides I've found have
described including it in the kernel as a requirement.

https://code.google.com/archive/p/macnfsv4/wikis/FreeBSD8KerberizedNFSSetup.wiki
http://daemon-notes.com/articles/network/unix-lan/nfs

-Alan

Harry Schmalzbauer

Aug 5, 2016, 4:15:21 PM
to Jan Bramkamp, FreeBSD current
Regarding Jan Bramkamp's message of 13.06.2016 14:46 (localtime):
>
>
> On 10/06/16 16:29, Peter Wemm wrote:
>> On 6/9/16 6:49 PM, Matthew Seaman wrote:
>>> On 09/06/2016 18:34, Craig Rodrigues wrote:
>>>> There is still value to ypldap as it is now, and getting feedback from
>>>> users (especially Active Directory) would be very useful.
>>>> If someone could document a configuration which uses IPSEC or OpenSSH
>>>> forwarding, that would be nice.
>>>>
>>>> In future, maybe someone in OpenBSD or FreeBSD will implement things
>>>> like
>>>> LDAP over SSL.
>>>
>>> What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
>>> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
>>> transit, and I find it works very well for using OpenLDAP as a central
>>> account database. I believe it works with AD, but haven't tried that
>>> myself.
>>>
>>> Cheers,
>>>
>>> Matthew
>>>
>>>
>>
>> We used nss-pam-ldapd quite successfully in the freebsd.org cluster
>> during our transition away from YP/NIS, for what it's worth.
>
> Did you try the OpenLDAP nssov overlay? It replaces nslcd by
> reimplementing the protocol spoken between nslcd and nss_ldap/pam_ldap
> directly inside slapd. This allows slapd to cache or replicate the
> data locally without resorting to the broken nscd.

Hello,

I was curious, so I made a patchset which adds an NSSOV config option to
net/openldap24-server.

Unfortunately I'm not getting results :(

I decided to compile nssov.la with -DNSLCD_SOCKET=/var/run/nscld.ctl –
the same as defined for net/nss-pam-ldapd.
Just for testing; I will consider reverting that because slapd drops
privileges before creating the socket, so ldap needs write access to
/var/run...

Starting nslcd makes 'id ldapuser' return correct results.
Stopping nslcd and starting slapd (with verified configuration –
ldapsearch works as expected) just doesn't utilize slapd at all,
according to the logs.

Have you compiled the nss_ldap library from
contrib/slapd-modules/nssov/nss-pam-ldapd/ or do you also use the port?

Thanks for hints,

-harry