
Fix ypldap(8) and turn it a feature ready.

Authored by araujo on Dec 31 2015, 6:02 AM.



I have fixed ypldap(8) and added an example configuration
file. I also needed to add a new user for ypldap(8).

I have updated the man 5 ypldap.conf to reflect the example file.
I have updated the UPDATE files too, because of the new user.

Test Plan
  • Set up an OpenLDAP server.
  • Set up a NIS server.
  • Set up the ypldap.conf.
  • Run ypldap in debug mode.
  • Check if the users and groups of my NIS were sent to the LDAP server.

Output of ypldap:
araujo@coxinha:/usr/src# ypldap -dv
startup [debug mode]
configuration starting
applying configuration
connecting to directories
starting directory update
searching password entries
searching group entries
updates are over, cleaning up trees now
flattening trees

Next step:
Write an article about how to use ypldap(8), or try to push some
doc committers to do that for me. :)

Diff Detail

rS FreeBSD src repository - subversion
Lint Not Applicable
Tests Not Applicable

Event Timeline

araujo retitled this revision from to Fix ypldap(8) and turn it a feature ready..
araujo updated this object.
araujo edited the test plan for this revision.
araujo added reviewers: rodrigc, bapt.
bapt requested changes to this revision. Dec 31 2015, 9:39 AM
bapt edited edge metadata.

I do not get it. Basically, to make it work you removed all the code to drop privileges. Please give more information about why you made those changes.

89 ↗(On Diff #11812)


This revision now requires changes to proceed. Dec 31 2015, 9:39 AM
bjk added inline comments.
24 ↗(On Diff #11812)

The following text is a DESCRIPTION, not a SYNOPSIS.

araujo edited edge metadata.

Address @bjk comments.

araujo edited edge metadata.

Bring back the privileges. They were previously dropped because
the _ypldap user I set up didn't have any home directory and,
in that case, I can't do chroot. But now the home directory
is /var/empty, done in the same way as in OpenBSD, and it is
possible to chroot to it.

araujo edited edge metadata.

Added /var/empty as home user for _ypldap.
It will let us be able to chroot it.
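
The order of operations behind the change described above, as an added example that is not ypldap's own code: chroot into the account's home directory while still root, then give up groups, GID and UID. The names chroot_dir_ok and drop_privs are hypothetical, and the ownership and mode check on the directory is an assumption added here.

```c
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: a chroot target must be an absolute path to an
 * existing directory owned by root and not group/world writable, which is
 * what /var/empty is meant to be. */
int chroot_dir_ok(const char *dir)
{
    struct stat st;

    if (dir == NULL || dir[0] != '/')
        return 0;                       /* empty or relative home directory */
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0)
        return 0;
    return 1;
}

/* Hypothetical helper: returns 0 only when the process is confined and
 * running as the unprivileged user; -1 on any failure, so the caller can
 * refuse to continue instead of running as root. */
int drop_privs(const char *user)
{
    struct passwd *pw = getpwnam(user);

    if (pw == NULL || !chroot_dir_ok(pw->pw_dir))
        return -1;
    /* chroot(2) needs root, so it must come before the UID change. */
    if (chroot(pw->pw_dir) != 0 || chdir("/") != 0)
        return -1;
    /* Supplementary groups first, then GID, then UID. */
    if (setgroups(1, &pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    /* The drop must be irreversible. */
    if (setuid(0) == 0)
        return -1;
    return 0;
}
```
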

89 ↗(On Diff #11836)

There are two ways to do it:

  1. If we use select(2), where we use FD_ISSET, we can't calloc all of getdtablesize() and instead we need to calloc the maximum, which is FD_SETSIZE, 1024 FDs.
  2. If we want to use getdtablesize(), we can calloc all of it, but can't check FD_ISSET.

So, for safety and because it works properly, I chose to use FD_ISSET, which has a size of 1024 for the FD, instead of choosing getdtablesize(), although for me getdtablesize() would be better than FD_ISSET, as getdtablesize() can be tuned. But it needs FD_ISSET to be removed.

I'm OK with both ways. If you think the tuned one is preferred, I can change the code to use getdtablesize() without any problem, as it works too. However, getdtablesize() will be slower than FD_SETSIZE and we might not need to calloc so much.
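
The two options in the comment above, as an added example that is not part of the review or of ypldap's source. The struct fd_slot table and both function names are hypothetical, and poll(2) is assumed here as the wait call that works without FD_ISSET.

```c
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <unistd.h>

/* Hypothetical per-descriptor state, not ypldap's own structure. */
struct fd_slot { int watched; };

/* Option 1: select(2). An fd_set holds FD_SETSIZE bits, so the table is
 * capped at FD_SETSIZE and any larger descriptor must be refused:
 * FD_SET/FD_ISSET on it would touch memory outside the set. */
int watch_select(fd_set *set, struct fd_slot *tbl, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    tbl[fd].watched = 1;
    return 0;
}

/* Option 2: size the table from getdtablesize() and wait with poll(2),
 * which takes descriptor numbers directly and never uses FD_ISSET. */
int watch_poll(struct fd_slot *tbl, int tblsize, int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };

    if (fd < 0 || fd >= tblsize)
        return -1;
    tbl[fd].watched = 1;
    return poll(&pfd, 1, timeout_ms) > 0 && (pfd.revents & POLLIN) != 0;
}

int main(void)
{
    int p[2], n = getdtablesize();
    fd_set set;
    struct fd_slot *sel = calloc(FD_SETSIZE, sizeof(*sel));
    struct fd_slot *pol = calloc((size_t)n, sizeof(*pol));

    if (sel == NULL || pol == NULL || pipe(p) != 0)
        return 1;
    FD_ZERO(&set);
    printf("select: fd %d -> %d, fd %d -> %d\n", p[0],
        watch_select(&set, sel, p[0]), FD_SETSIZE,
        watch_select(&set, sel, FD_SETSIZE));
    printf("poll: fd %d readable=%d (table of %d)\n", p[0],
        watch_poll(pol, n, p[0], 0), n);
    free(sel); free(pol);
    return 0;
}
```
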

26 ↗(On Diff #11837)

This number is too high; OpenBSD uses 93. Why not use that, or some lower number?

26 ↗(On Diff #11837)

It is possible. I didn't choose another number, because I didn't understand what is the rule to allocate these numbers for a new user. If there is no objection, I can use 93 as you mention.


26 ↗(On Diff #11837)

Can you separate the master.passwd change into a separate review? I don't know what the rules are either for allocating a new userid here, but having a separate review will make it easier to get feedback from people who don't care about ypldap. :)

26 ↗(On Diff #11837)

I have sent an email to developers@ asking if there is any rule to choose the UID/GID for special users.

I'm gonna wait a bit till I get a reply, if no reply, I will split the master.passwd from ypldap patch.

Best and Thanks.

araujo edited edge metadata.

Update the _ypldap user UID/GID to 93, the same UID/GID used on OpenBSD.

bapt edited edge metadata.
This revision is now accepted and ready to land. Jan 10 2016, 2:46 PM
This revision was automatically updated to reflect the committed changes.

I see you already committed your changes,
but can you change this code so that it works with getdtablesize()?
It is not a big change, but it would be slightly better and closer to OpenBSD.


Yeap, it is possible to do! The only small thing is getdtablesize() is a bit slower than FD, but not a big difference.

I will do the change and send a patch for review very soon.


@araujo There is no rc.d script for ypldap. Do you think you have time to write one up before the FreeBSD 11 code freeze?
OpenBSD has a script:
but their startup script system is different from FreeBSD.

@rodrigc yes, I will have time during this week to make this rc.d script.

Thanks for the reminder :)

@araujo Thanks. Code freeze is June 10, so try to finish it before that.

@araujo Thanks for the rc.d script in rS301480 . Can you modify the ypldap.8 man page and in the HISTORY section, add a sentence to mention that ypldap first appeared in FreeBSD 11?

Also, can you update the rc.conf.5 man page to have the settings for the ypldap script that you created?



Hey @rodrigc,

Thanks for pointing out these missing parts.
I just committed it a few seconds ago.

All the best.

Thanks for this. Have you tested ypldap authentication on FreeBSD against a real LDAP server?
Has anyone tried ypldap against Active Directory?