On 18/06/16 17:15, Alan Somers wrote:
On Thu, Jun 16, 2016 at 7:20 AM, Chris H <bsd-li...@bsdforge.com> wrote:
On Wed, 15 Jun 2016 08:03:55 -0400 Nikolai Lifanov <lifa...@mail.lifanov.com> wrote:
On 06/14/2016 21:05, Marcelo Araujo wrote:
2016-06-15 8:17 GMT+08:00 Chris H <bsd-li...@bsdforge.com>:
On Thu, 9 Jun 2016 17:55:58 +0800 Marcelo Araujo <araujobsdp...@gmail.com> wrote:
Hey,
Thanks for the CFT Craig.
2016-06-09 14:41 GMT+08:00 Xin Li <delp...@delphij.net>:
On 6/8/16 23:10, Craig Rodrigues wrote:
Hi,
I have worked with Marcelo Araujo to port OpenBSD's ypldap to FreeBSD
current.
In latest current, it should be possible to put in /etc/rc.conf:
nis_ypldap_enable="YES"
to activate the ypldap daemon.
When set up properly, it should be possible to log into FreeBSD, and have
the backend password database come from an LDAP database such as OpenLDAP.
There is some documentation for setting this up, but it is OpenBSD specific:
http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client
http://puffysecurity.com/wiki/ypldap.html#2
I did not bother porting the OpenBSD LDAP server to FreeBSD, so that
information does not apply. I figure that openldap from ports should work fine.
I was wondering if there is someone out there familiar enough with LDAP
and has a setup they can test this stuff out with, provide feedback, and
help improve the documentation for FreeBSD?
Looks like it would be a fun weekend project. I've cc'ed a potential
person who may be interested in this as well.
But will this be worth the effort? (I think the current implementation
would do everything with plaintext protocol over wire, so while it
extends life for legacy applications that are still using NIS/YP, it
doesn't seem to be something that we should recommend end users to use?)
I can see two good points to use ypldap that would be basically for users
that need to migrate from NIS to LDAP or need to make some integration
between legacy (NIS) and LDAP during a transition period to LDAP.
As mentioned, NIS is 'plain text' not safe by its nature, however there are
still lots of people out there using NIS, and ypldap(8) is a good tool to
help these people migrate to a more safe tool like LDAP.
I would also be interested in hearing from someone who can see if
ypldap can work against a Microsoft Active Directory setup?
Cheers,
All my tests were using OpenLDAP, I used the OpenBSD documentation to set up
everything, and the file share/examples/ypldap/ypldap.conf can be a good
start to anybody that wants to start to work with ypldap(8).
Would be nice to hear from other users how was their experience using ypldap
with MS Active Directory and perhaps some HOWTO how they made all the setup
would be amazing to have.
Also, would be useful to know who are still using NIS and what kind of
setup (use case), maybe even the reason why they are still using it.
Honestly, I think the best way to motivate people to do the right
thing(tm) would be to remove Yellow Pages from the tree, entirely. :-)
It's been dead for *years*, and as you say, isn't safe, anyway..
Yes, I have a plan for that, but I don't believe it will happen before
FreeBSD 12-RELEASE.
Please don't, at least for now. NIS is fast, simple, reliable, and works
on first boot without additional software. I have passwords in
Kerberos, so the usual cons don't apply. This is very valuable to me.
It's not hurting anyone. What's the motivation behind removing it?
In all honesty, my comment was somewhat tongue-in-cheek. But from
a purely maintenance POV, at this point in time, I think the Yellow
Pages are better suited for the ports tree than in $BASE.
It will be hard to wean people off of NIS as long as KGSSAPI is
disabled in GENERIC. Does anybody know why it isn't enabled by
default?
Because it's just a `kldload kgssapi` away. Put it in loader.conf or
rc.conf depending on your needs/preferences.
_______________________________________________
freebsd-current@freebsd.org mailing list