[CFT] ypldap testing against OpenLDAP and Microsoft Active Directory

Harry Schmalzbauer freebsd at omnilan.de
Wed Aug 3 09:36:49 UTC 2016


Regarding Craig Rodrigues's message of 02.08.2016 22:31 (localtime):
> Thanks for the feedback.  Please consider posting your questions
> on freebsd-current so that other people can jump in and help
> answer your questions.
>
> I don't have an LDAP server to test against, so don't know the answer
> to all your questions.
>
> What type of LDAP server are you testing against?  Is it Active Directory?

Thanks for your response!
In this (production) environment I use OpenLDAP with core, cosine, nis
and sambaSchema,
but I'd also have MS Active Directories to test against, once I get it
working and switch to stable/11 in other setups too.

Found your question
https://reviews.freebsd.org/D4744#142095
which makes me wonder if ypldap(8) has been successfully used in FreeBSD
at all yet?

Unfortunately I don't have time to help finding integration problems and
I'm not familiar with the NIS subsystem at all, so all I can contribute is
questions :-(

And a short summary which might help others joining ypldap(8) testing
under FreeBSD-11:

– 'ypldap -vd' gives reasonable output and does query the LDAP server
defined in the directory "" {} section, where it looks like you can use any
form of IP/hostname, including IPv6 addresses without any braces.
– If run in foreground, it registers service "ypserv" version 2 only
with rpcbind.
– 'ypcat passwd.byname' just doesn't work, same is true for 'id'. No
interaction at all with ypldap(8) seems to happen, no errors/results.
– When stopping ypldap(8) from foreground, it does NOT unregister ypserv
service!

The same is true if you run ypldap(8) in the background, started without
running ypserv(8).

– If started by the rc.d script, ypserv(8) registers service ypserv
version 1 and 2, before ypldap(8) overrides service ypserv version 2.
– 'ypcat passwd.byname' _sometimes_ responds with this error:
    clnttcp_create failed
    ypcat: no such map passwd.byname. Reason: Can't communicate with portmapper
– ypldap(8) doesn't connect to the server at all when started by rc.d.
– When stopping ypldap(8) only, keeping ypserv (started by rc.d/ypldap)
running and starting ypldap(8) in the foreground, LDAP server connection
gets established and again sensible maps are shown, followed by regular:
    connecting to directories
    searching password entries
    searching group entries
  In that state ypcat results in:
    yp_all: clnt_call: RPC: Authentication error; why = Failed (unspecified error)
    yp_all: clnt_call: RPC: Authentication error; why = Failed (unspecified error)
    … repeat 19 more times …
    ypcat: no such map passwd.byname. Reason: RPC failure
– After some minutes, ypcat doesn't respond with any errors/results again.

ldap.conf(5) contradicts
https://svnweb.freebsd.org/base?view=revision&revision=301480. The
latter (rc.d start script by Marcelo Araujo, CC'ed) starts ypserv(8) as a
dependency, the former claims ypldap(8) and ypserv(8) are mutually exclusive.

Since I have no clue how ypldap(8) is designed to integrate with NIS/YP,
I don't know how to start finding the root of presently existing
problems – with or without ypserv(8)?!

Right now, ypldap(8) in stable/11 doesn't enable LDAP-maintained users
for me.
This should either be solved before 11-RELEASE or, if _nobody_ else can
confirm it's working, /etc/rc.d/ypldap needs to be suspended for
11-RELEASE and live in CURRENT until functional.

Any hints very welcome, but for now I'll have to switch back to nslcd(8).

Since CURRENT turned to stable/11 in the meantime, I'm posting to
stable@ referencing the original post:
https://lists.freebsd.org/pipermail/freebsd-current/2016-June/061775.html


> On Tue, Aug 2, 2016 at 10:49 AM, Harald Schmalzbauer
> <h.schmalzbauer at omnilan.de> wrote:
>
>      Regarding Harald Schmalzbauer's message of 02.08.2016 17:36
>     (localtime):
>
…
>
>     > How can I define the host to which ypldap connects for LDAP
>     queries? Is
>     > it "directory"? What syntax is allowed, FQDN, IPs, IP6-spelling?
>     >
>     > Tried a lot but always end up in ypldap[6960]: fatal: getpwnam:
>     Socket
>     > is not connected
>
>     Hello, I made some progress :-)
>
>     "fatal: getpwnam: Socket is not connected" was due to my outdated
>     master.passwd, missing the _ypldap account.
>     The "directory" seems to define the host to connect with any
>     addressing;
>     IPv6 addresses work just as they are notated everywhere, without any
>     braces. Will try to find out what about unqualified host names and
>     hosts
>     with A and AAAA records...
>
>     I couldn't figure out if ypserv(8) is needed to authenticate LDAP
>     users
>     on the local host, where ypldap(8) runs.
>
>     Running ypldap in foreground gives lot of reasonable output like
>     "pushing line: ..." with valid content.
>     So contacting, binding and querying the LDAP seems to work :-)
>
>     Unfortunately 'ypcat passwd.byname' and 'id someldapuser' do not
>     work –
>     neither with ypserv started nor without.
>
>     Will look in the code again, perhaps I can find more hints. Any help
>     appreciated.
>
>     Thanks,
>
>     -Harry
>
>
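As an added diagnostic, not code from this thread, from ypldap(8) or from FreeBSD: a small sh script that reads `rpcinfo -p` output and names which of the registration states listed in the summary above the host is in (v2 only from ypldap, v1+v2 from rc.d's ypserv, or a stale v2 left behind after stopping ypldap). The rpcinfo column layout, YPPROG=100004 and the sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread: parse `rpcinfo -p` output
# and classify the ypserv registration states the post describes. Assumes the
# FreeBSD rpcinfo -p column layout (program vers proto port service) and that
# ypserv's RPC program number (YPPROG) is 100004.
YPPROG=100004

# Constructed sample of `rpcinfo -p` output after /etc/rc.d/ypldap started
# ypserv(8) (v1 and v2 registered); not captured from the poster's host.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100004    1   udp    869  ypserv
    100004    2   udp    869  ypserv
    100004    1   tcp    870  ypserv
    100004    2   tcp    870  ypserv'

# Read rpcinfo -p text on stdin and print the distinct ypserv versions
# registered with rpcbind, space-separated (e.g. "1 2"); empty if none.
yp_versions() {
    awk -v prog="$YPPROG" '$1 == prog { print $2 }' | sort -n -u |
        tr '\n' ' ' | sed 's/ $//'
}

# Map the version set plus whether ypldap(8) is running ("yes"/"no", e.g.
# from: pgrep -q ypldap && echo yes || echo no) to one of the states in the
# post. A lone v2 with no ypldap process is the stale registration left
# behind when ypldap(8) exits without unregistering.
yp_diagnose() {
    versions=$1
    ypldap_running=$2
    case "$versions" in
    "")
        echo "none: neither ypserv(8) nor ypldap(8) is registered with rpcbind" ;;
    "2")
        if [ "$ypldap_running" = yes ]; then
            echo "v2 only: ypldap(8) registered itself, ypserv(8) not running"
        else
            echo "stale v2: ypldap(8) exited without unregistering (rpcinfo -d $YPPROG 2 clears it)"
        fi ;;
    "1 2")
        echo "v1+v2: ypserv(8) from rc.d is registered; ypldap(8) overrides v2 while it runs" ;;
    *)
        echo "unexpected ypserv versions: $versions" ;;
    esac
}

# Stand-alone demo on the constructed sample; on a real host use:
#   yp_diagnose "$(rpcinfo -p | yp_versions)" "$(pgrep -q ypldap && echo yes || echo no)"
yp_diagnose "$(printf '%s\n' "$SAMPLE_RPCINFO" | yp_versions)" yes
```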

