[CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

Harry Schmalzbauer freebsd at omnilan.de
Fri Aug 5 19:22:13 UTC 2016

Regarding Jan Bramkamp's message of 13.06.2016 14:46 (localtime):
> On 10/06/16 16:29, Peter Wemm wrote:
>> On 6/9/16 6:49 PM, Matthew Seaman wrote:
>>> On 09/06/2016 18:34, Craig Rodrigues wrote:
>>>> There is still value to ypldap as it is now, and getting feedback from
>>>> users (especially Active Directory) would be very useful.
>>>> If someone could document a configuration which uses IPSEC or OpenSSH
>>>> forwarding, that would be nice.
>>>> In future, maybe someone in OpenBSD or FreeBSD will implement things
>>>> like
>>>> LDAP over SSL.
>>> What advantages does ypldap offer over nss-pam-ldapd (in ports) ?
>>> nss-pam-ldapd can use both ldap+STARTTLS or ldaps to encrypt data in
>>> transit, and I find it works very well for using OpenLDAP as a central
>>> account database. I believe it works with AD, but haven't tried that
>>> myself.
>>> Cheers,
>>> Matthew
>> We used nss-pam-ldapd quite successfully in the freebsd.org cluster
>> during our transition away from YP/NIS, for what it's worth.
> Did you try the OpenLDAP nssov overlay? It replaces nslcd by
> reimplementing the protocol spoken between nslcd and nss_ldap/pam_ldap
> directly inside slapd. This allows slapd to cache or replicate the
> data locally without resorting to the broken nscd.


I was curious, so I made a patchset which adds an NSSOV config option to

Unfortunately I'm not getting results :(

I decided to compile nssov.la with -DNSLCD_SOCKET=/var/run/nscld.ctl –
the same as defined for net/nss-pam-ldapd.
Just for testing, will consider reverting that because slapd drops
privileges before creating the socket, so ldap needs write access to

Starting nslcd makes 'id ldapuser' return correct results.
Stopping nslcd and starting slapd (with verified configuration –
ldapsearch works as expected) just doesn't utilize slapd at all,
according to the logs.

Have you compiled the nss_ldap library from
contrib/slapd-modules/nssov/nss-pam-ldapd/ or do you also use the port?

Thanks for hints,

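The message above points at the usual failure mode when slapd provides the nslcd socket itself: slapd drops to its unprivileged user before the nssov overlay creates the socket, so the socket's directory has to be owned and writable by that user, and with the socket relocated to /var/run that is normally not the case. The following diagnostic is an added example, not code from this thread, from OpenLDAP or from nss-pam-ldapd; it takes the socket path and the slapd run-as user as arguments (the defaults in the usage line are assumptions, not values confirmed here) and reports which precondition is missing before nss_ldap/pam_ldap could ever reach slapd. The exit codes are this example's own convention.

```shell
#!/bin/sh
# Added diagnostic for an nssov-backed nslcd socket (example code, not part of
# the thread, OpenLDAP or nss-pam-ldapd).
#
# Usage: check_nslcd_socket SOCKET_PATH SLAPD_USER
#   e.g. check_nslcd_socket /var/run/nslcd/nslcd.ctl ldap   (assumed defaults)
#
# Exit status (this example's own convention):
#   0  socket directory is usable and the socket exists
#   2  socket directory does not exist
#   3  socket directory is not owned and writable by SLAPD_USER
#   4  directory is fine but no socket is there (slapd not running, or
#      the nssov overlay is not loaded / compiled with another NSLCD_SOCKET)
check_nslcd_socket() {
    sock=$1
    user=$2
    dir=$(dirname "$sock")

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 2
    fi

    # POSIX find: -prune stops at the directory itself; -perm -200 tests the
    # owner write bit. Empty output means the directory is either not owned
    # by $user or not writable by its owner (or $user does not exist).
    if [ -z "$(find "$dir" -prune -user "$user" -perm -200 -print 2>/dev/null)" ]; then
        echo "$dir is not owned and writable by '$user';" \
             "slapd drops privileges before creating the socket" >&2
        return 3
    fi

    if [ -S "$sock" ]; then
        echo "socket present: $sock (owned by slapd's user: ok)"
        return 0
    fi

    echo "directory $dir is usable, but no socket at $sock;" \
         "is slapd running with 'overlay nssov' loaded, and was nssov" \
         "built with NSLCD_SOCKET pointing here?" >&2
    return 4
}

# Run directly with two arguments; sourcing the file only defines the function.
if [ "$#" -eq 2 ]; then
    check_nslcd_socket "$1" "$2"
fi
```

Run it as the same user that will start slapd's clients, with the socket path that nssov.la was compiled for; a result of 3 for a path directly under /var/run is the permission problem described above, and a 4 means the directory is fine and the next place to look is slapd's own log for whether the overlay was loaded at all.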