On 05/27/2014 10:50 PM, Predrag Punosevac wrote:
and edited /etc/ypldap.conf as:
# $OpenBSD: ypldap.conf,v 1.4 2012/04/30 12:16:43 ajacoutot Exp $
domain "autonlab.org"
interval 60
provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"
# provide map "netid.byname"
directory "atlas.int.autonlab.org" {
# directory options
binddn "cn=admin,dc=autonlab,dc=org"
basedn "dc=autonlab,dc=org"
# basedn "ou=users,dc=autonlab,dc=org"
# starting point for groups directory search, default to basedn
# groupdn "ou=group,dc=autonlab,dc=org"
# passwd maps configuration (RFC 2307 posixAccount object class)
passwd filter "(objectClass=posixAccount)"
attribute name maps to "uid"
fixed attribute passwd "*"
attribute uid maps to "uidNumber"
attribute gid maps to "gidNumber"
attribute gecos maps to "cn"
attribute home maps to "homeDirectory"
attribute shell maps to "loginShell"
fixed attribute change "0"
fixed attribute expire "0"
fixed attribute class ""
^^^^^^^^^^^^^^^^^^^^^^^^
That should be the login class you created in login.conf that
authenticates via LDAP (in your case, "ldap").
Speaking somewhat vaguely, the way this *should* work is that when the
username is supplied, the system looks up the user to determine the
login class to determine how to proceed with authentication. With users
coming from ypldap, it should set the class to one that you've
configured to authenticate via login_ldap.
From that point on I could do ldapsearch,
I could /usr/libexec/auth/login_-ldap -d -s login USERNAME ldap
without
(see? That last argument is specifying the login class, which is why it
works)
and get logged in but could not make much sense of steps 3 and 4 of the
article
http://blogs.helion-prime.com/2009/05/07/authorization-with-ldap-on-openbsd.html
In your case /etc/defaultdomain should probably contain "autonlab.org"
The lines in /etc/master.passwd and /etc/group are necessary to tell
login to do YP lookups.
which is clearly related to my inability to use LDAP password to ssh
into shell gateway. After starting portmap and ypldap I could start
ypbind but ypserv and yppasswdd daemons would fail to start for me due to
the obvious reason that my defaultdomain has no YP servers.
The first paragraph of ypldap(8)'s description ends with "ypldap has the
same role as ypserv(8) and the two daemons are exclusive." So don't run
ypserv, just run ypldap and ypbind.
You also can't run yppasswdd(8) in this context, because yppasswdd only
knows how to change local (to the server) accounts. Unfortunately there
isn't an LDAP version of yppasswdd(8) at the moment, nor does base
ldapd(8) support the necessary LDAP extensions for simple password
change.
It's something I've put some effort into, but I haven't had time to
progress on it in quite a while.
"To use other directory services except YP, you either need to populate
local configuration files from the directory, or you need a YP frontend
to the directory. For example, you can use the sysutils/login_ldap port
when you choose the former, while the ypldap(8) daemon provides the
latter."
Which seems to indicate that I just need ypldap as a front end to my
LDAP server.
That is poorly worded for sure. I think right now the best combination
is the one you're trying, login_ldap and ypldap together.
--
Matthew Weigel
hacker
unique & idempot . ent
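Added example, not from the thread or from OpenBSD: a small Python check that ties together the two files the reply is about, verifying that the login class ypldap hands out via `fixed attribute class` actually exists in login.conf and uses the `-ldap` auth style (login_-ldap). The sample ypldap.conf and login.conf contents are constructed; the `x-ldap-server` capability is an assumption about the login_ldap port, not something the thread states.

```python
import re
# Constructed sample inputs modelled on the thread: ypldap.conf with the empty
# class and login.conf with an "ldap" class using auth=-ldap (login_-ldap).
YPLDAP_CONF = '''
domain "autonlab.org"
directory "atlas.int.autonlab.org" {
    passwd filter "(objectClass=posixAccount)"
    fixed attribute class ""
}
'''
# x-ldap-server is an assumed login_ldap capability, not taken from the thread.
LOGIN_CONF = r'''
ldap|LDAP users:\
    :auth=-ldap:\
    :x-ldap-server=atlas.int.autonlab.org:
'''

def ypldap_fixed_class(conf):
    """Value of 'fixed attribute class "..."' in ypldap.conf text, or None."""
    m = re.search(r'^\s*fixed\s+attribute\s+class\s+"([^"]*)"', conf, re.M)
    return m.group(1) if m else None

def login_conf_classes(conf):
    """Parse getcap-style login.conf into {class_name: {capability: value}}."""
    classes = {}
    for line in re.sub(r'\\\n', '', conf).splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        names, _, rest = line.partition(':')
        caps = {}
        for cap in filter(None, map(str.strip, rest.split(':'))):
            key, _, value = cap.partition('=')  # boolean caps have no '='
            caps[key] = value
        for name in names.split('|'):  # "name|alias" share one record
            classes[name.strip()] = caps
    return classes

def check_ldap_login_class(ypldap_conf, login_conf):
    """(ok, reason): ok only if ypldap's class exists and has auth=-ldap."""
    cls = ypldap_fixed_class(ypldap_conf)
    if not cls:
        return False, 'ypldap.conf gives users an empty login class'
    caps = login_conf_classes(login_conf).get(cls)
    if caps is None:
        return False, f'login class "{cls}" is not defined in login.conf'
    if caps.get('auth') != '-ldap':
        return False, f'login class "{cls}" does not use auth=-ldap'
    return True, f'login class "{cls}" authenticates via login_ldap'
```

Run against the sample as given it reports the empty class; after changing the line to `fixed attribute class "ldap"` it passes.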