For the past three months our small academic lab has used the LDAP server from the OpenBSD base system to authenticate users. All our computing nodes and desktops run RedHat Linux, while the file servers run FreeNAS. Getting them to authenticate users using the OpenBSD LDAP directory server was a breeze. Today I set myself one task, which was to create an OpenBSD amd64 5.4 shell gateway to the lab. After about 30 minutes I had a fully functional gateway to which I could log in using local credentials. I spent the rest of the day trying in vain to enable LDAP authentication on the gateway.
I started by reading the man pages for ypldap and ypldap.conf as well as 10.19 Directory services from the FAQ, but quickly realized that I might need a little bit more reading. So, in violation of common recommendation, I went and read http://blogs.helion-prime.com/2009/05/07/authorization-with-ldap-on-openbsd.html

I adapted the above blog to my needs as follows.

I added this to /etc/login.conf:

    ldap:\
            :auth=-ldap:\
            :x-ldap-server=atlas.int.autonlab.org,,starttls:\
            :x-ldap-basedn=dc=autonlab,dc=org:\
            :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
            :tc=default:

Edited /etc/openldap/ldap.conf as follows:

    BASE            dc=autonlab,dc=org
    URI             ldap://atlas.int.autonlab.org:389
    SIZELIMIT       12
    TIMELIMIT       15
    DEREF           never
    SSL             START_TLS
    TLS_REQCERT     allow
    TLS_CACERT      /etc/openldap/certs/ca.crt
    TLS_CACERTDIR   /etc/openldap/certs
    TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3

and edited /etc/ypldap.conf as:

    # $OpenBSD: ypldap.conf,v 1.4 2012/04/30 12:16:43 ajacoutot Exp $

    domain          "autonlab.org"
    interval        60
    provide map     "passwd.byname"
    provide map     "passwd.byuid"
    provide map     "group.byname"
    provide map     "group.bygid"
    # provide map   "netid.byname"

    directory "atlas.int.autonlab.org" {
            # directory options
            binddn "cn=admin,dc=autonlab,dc=org"
            basedn "dc=autonlab,dc=org"
            # basedn "ou=users,dc=autonlab,dc=org"
            # starting point for groups directory search, default to basedn
            # groupdn "ou=group,dc=autonlab,dc=org"

            # passwd maps configuration (RFC 2307 posixAccount object class)
            passwd filter "(objectClass=posixAccount)"

            attribute name maps to "uid"
            fixed attribute passwd "*"
            attribute uid maps to "uidNumber"
            attribute gid maps to "gidNumber"
            attribute gecos maps to "cn"
            attribute home maps to "homeDirectory"
            attribute shell maps to "loginShell"
            fixed attribute change "0"
            fixed attribute expire "0"
            fixed attribute class ""

            # group maps configuration (RFC 2307 posixGroup object class)
            group filter "(objectClass=posixGroup)"

            attribute groupname maps to "cn"
            fixed attribute grouppasswd "*"
            attribute groupgid maps to "gidNumber"
            # memberUid returns multiple group members
            list groupmembers maps to "memberUid"
    }

From that point on I could do ldapsearch, I could run

    /usr/libexec/auth/login_-ldap -d -s login USERNAME ldap

without a glitch, and running ypldap -dv was pushing usernames and their uidNumbers. The minor nonsense was finding this in /var/log/messages:

    May 27 23:36:27 shell ypldap[5839]: main: user: predrag is referenced as a group member, but can't be found in the users map.

I was also able to run su - predrag and get logged in, but could not make much sense of steps 3 and 4 of the article http://blogs.helion-prime.com/2009/05/07/authorization-with-ldap-on-openbsd.html which is clearly related to my inability to use the LDAP password to ssh into the shell gateway. After starting portmap and ypldap I could start ypbind, but the ypserv and yppasswdd daemons would fail to start for me due to the obvious reason that my defaultdomain has no YP servers. I am even more confused by the following sentence from the FAQ:

"To use other directory services except YP, you either need to populate local configuration files from the directory, or you need a YP frontend to the directory. For example, you can use the sysutils/login_ldap port when you choose the former, while the ypldap(8) daemon provides the latter."

which seems to indicate that I just need ypldap as a front end to my LDAP server. Could a kind soul give me some directions and point out the mistakes I am making? I am sure I am not the only one who is trying to use LDAP directory services to log into my OpenBSD box.

Thank you,
Predrag
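An added illustration, not part of the original post: the ypldap.conf quoted above maps LDAP attributes onto the fields of the master.passwd(5) entries that ypldap serves over YP. The Python script below applies that same mapping to a constructed LDIF entry (uidNumber, gidNumber, home and shell are made up) and shows that with `fixed attribute passwd "*"` and `fixed attribute class ""` the served entry carries no password hash and an empty login class, so the `ldap` class defined in login.conf is not the class that user resolves to.

```python
# Attribute mapping copied from the ypldap.conf in the post: each master.passwd(5)
# field either comes from an LDAP attribute or is fixed to a literal value.
PASSWD_MAP = {
    "name":   ("attr", "uid"),
    "passwd": ("fixed", "*"),
    "uid":    ("attr", "uidNumber"),
    "gid":    ("attr", "gidNumber"),
    "class":  ("fixed", ""),
    "change": ("fixed", "0"),
    "expire": ("fixed", "0"),
    "gecos":  ("attr", "cn"),
    "home":   ("attr", "homeDirectory"),
    "shell":  ("attr", "loginShell"),
}
# Field order of a master.passwd(5) line, which is what ypldap serves.
MASTER_PASSWD_FIELDS = ["name", "passwd", "uid", "gid", "class",
                        "change", "expire", "gecos", "home", "shell"]

# Constructed sample entry; the numeric ids, home and shell are made up.
SAMPLE_LDIF = """
uid: predrag
cn: Predrag
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/predrag
loginShell: /bin/ksh
"""

def parse_ldif(text):
    """Parse one minimal LDIF entry into {attribute: [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def render_passwd_entry(entry, mapping=PASSWD_MAP):
    """Build the master.passwd line ypldap would serve for this entry."""
    fields = []
    for field in MASTER_PASSWD_FIELDS:
        kind, value = mapping[field]
        fields.append(value if kind == "fixed" else entry[value][0])
    return ":".join(fields)

def login_class(passwd_line):
    """Login class field of the entry; '' means the default class applies."""
    return passwd_line.split(":")[4]

# Same mapping but with `fixed attribute class "ldap"` in ypldap.conf.
LDAP_CLASS_MAP = {**PASSWD_MAP, "class": ("fixed", "ldap")}
```

Compare render_passwd_entry(parse_ldif(SAMPLE_LDIF)) with the same call using LDAP_CLASS_MAP to see the only field that changes.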

