Page MenuHomeFreeBSD

Fix ypldap(8) and turn it a feature ready.
ClosedPublic

Authored by araujo on Dec 31 2015, 6:02 AM.

Details

Summary

I have fixed the ypldap(8) as well as I have added an example of
configuration file. Also I need to added a new user for ypldap(8).

I have updated the man 5 ypldap.conf to reflect the example file.
I have updated the UPDATE files too, because of the new user.

Test Plan
  • Setup a openldap server.
  • Setup a NIS server.
  • Setup the ypldap.conf.
  • Run ypldap in debug mode.
  • Check if the users and groups of my NIS were sent to ldap server.

Output of ypldap:
araujo@coxinha:/usr/src# ypldap -dv
startup [debug mode]
configuration starting
applying configuration
connecting to directories
starting directory update
searching password entries
searching group entries
updates are over, cleaning up trees now
flattening trees

Next step:
Write an article about how to use ypldap(8), or try to push some
doc committers to do that for me. :)

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

araujo retitled this revision from to Fix ypldap(8) and turn it a feature ready..Dec 31 2015, 6:02 AM
araujo updated this object.
araujo edited the test plan for this revision. (Show Details)
araujo added reviewers: rodrigc, bapt.
araujo updated this revision to Diff 11812.
bapt edited edge metadata.Dec 31 2015, 9:39 AM
bapt requested changes to this revision.

I do not get it, basically to make it work you removed all the code to drop priviledges, please give more information about why you did those changes

usr.sbin/ypldap/yp.c
89 ↗(On Diff #11812)

Why?

This revision now requires changes to proceed.Dec 31 2015, 9:39 AM
bjk added a subscriber: bjk.Dec 31 2015, 9:21 PM
bjk added inline comments.
usr.sbin/ypldap/ypldap.conf.5
24 ↗(On Diff #11812)

The following text is a DESCRIPTION, not a SYNOPSIS.

araujo edited edge metadata.Jan 1 2016, 3:09 AM
araujo updated this revision to Diff 11835.

Address @bjk comments.

araujo edited edge metadata.Jan 1 2016, 3:39 AM
araujo updated this revision to Diff 11836.

Bring back the priviledges, it was previous droped because
the _ypldap user I set to don't have any home directory and
in that case, I can't do chroot. But now the home directory
is /var/empty done in the same way as in OpenBSD, and it is
possible to chroot it.

araujo edited edge metadata.Jan 1 2016, 5:05 AM
araujo updated this revision to Diff 11837.

Added /var/empty as home user for _ypldap.
It will let us be able to chroot it.

araujo added inline comments.Jan 1 2016, 5:07 AM
usr.sbin/ypldap/yp.c
89 ↗(On Diff #11836)

There are two ways to do it:

  1. if use select(2) where we use FD_ISSET we can't calloc all the getdtablesize() and instead, we need calloc the maximum that is FD_SETSIZE 1024 FD.
  1. If we want to use getdtablesize() we can calloc all of it, but can't check the FD_ISSET.

So, for safety and as it works properly, I choose to use FD_ISSET that has a size of 1024 for the FD. Instead of to choose getdtablesize(), although getdtablesize() for me will be better than FD_ISSET, as getdtablesize() can be tuned. But, needs to remove FD_ISSET.

Both ways I'm ok with it. If you think the tuned one is prefered, I can change the code to use getdtablesize() without any problem, as it works too. However, getdtablesize() will be slower than FD_SETSIZE and we might don't need calloc so much.

rodrigc added inline comments.Jan 7 2016, 3:00 AM
etc/master.passwd
26 ↗(On Diff #11837)

This number is too high OpenBSD uses 93. Why not use that, or some lower number.

araujo added inline comments.Jan 7 2016, 3:02 AM
etc/master.passwd
26 ↗(On Diff #11837)

It is possible. I didn't choose another number, because I didn't understand what is the rule to allocate these numbers for a new user. If there is no objection, I can use 93 as you mention.

Thanks.

rodrigc added inline comments.Jan 7 2016, 3:11 AM
etc/master.passwd
26 ↗(On Diff #11837)

Can you separate master.passwd change into a separate review? I don't know what the rules are either
for allocating a new userid here, but having a separate review will make it easier to get feedback from people who don't care about ypldap. :)

araujo added inline comments.Jan 7 2016, 3:50 AM
etc/master.passwd
26 ↗(On Diff #11837)

I have sent an email to developers@ asking if there is any rule to choose the UID/GID for special users.

I'm gonna wait a bit till I get a reply, if no reply, I will split the master.passwd from ypldap patch.

Best and Thanks.

araujo edited edge metadata.Jan 8 2016, 3:33 AM
araujo updated this revision to Diff 12033.

Update the _ypldap user UID/GID to 93, the same UID/GID used on OpenBSD.

bapt edited edge metadata.Jan 10 2016, 2:46 PM
bapt accepted this revision.
This revision is now accepted and ready to land.Jan 10 2016, 2:46 PM
This revision was automatically updated to reflect the committed changes.
rodrigc added inline comments.Jan 14 2016, 1:09 AM
head/usr.sbin/ypldap/yp.c
89

I see you already committed your changes,
but can you change this code so that it works with getdtablesize()?
It is not a big change, but it would be slightly better and closer to OpenBSD.

araujo added inline comments.Jan 15 2016, 5:50 AM
head/usr.sbin/ypldap/yp.c
89

Yeap, it is possible to do! The only small thing is getdtablesize() is a bit slower than FD, but not a big difference.

I will do the change and send a patch for review very soon.

Best.

rodrigc edited edge metadata.May 28 2016, 5:21 AM

@araujo There is no rc.d script for ypldap. Do you think you have time to write one up before the FreeBSD 11 code freeze?
OpenBSD has a script: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc.d/ypldap
but their startup script system is different from FreeBSD.

@rodrigc yes, I will have time during this week to make this rc.d script.

Thanks for the remind :)

@araujo Thanks. code freeze is June 10, so try to finish it before that.

rodrigc added a comment.EditedJun 6 2016, 9:40 PM

@araujo Thanks for the rc.d script in rS301480 . Can you modify the ypldap.8 man page and in the HISTORY section, add a sentence to mention that ypldap first appeared in FreeBSD 11?

Also, can you update the rc.conf.5 man page to have the settings for the ypldap script that you created?

Thanks.

araujo added a comment.Jun 7 2016, 1:00 AM

@araujo Thanks for the rc.d script in rS301480 . Can you modify the ypldap.8 man page and in the HISTORY section, add a sentence to mention that ypldap first appeared in FreeBSD 11?
Also, can you update the rc.conf.5 man page to have the settings for the ypldap script that you created?
Thanks.

Hey @rodrigc,

Thanks to point out these missing parts.
I just committed it few seconds ago.

All the best.

Thanks for this. Have you tested ypldap authentication on FreeBSD against a real LDAP server?
Has anyone tried ypldap against Active Directory?