On Wed, May 28, 2014 at 2:39 PM, Matthew Weigel <[email protected]> wrote:
> On 05/27/2014 10:50 PM, Predrag Punosevac wrote:
>
>> and edited /etc/ypldap.conf as:
>>
>> # $OpenBSD: ypldap.conf,v 1.4 2012/04/30 12:16:43 ajacoutot Exp $
>>
>> domain          "autonlab.org"
>> interval        60
>> provide map     "passwd.byname"
>> provide map     "passwd.byuid"
>> provide map     "group.byname"
>> provide map     "group.bygid"
>> # provide map   "netid.byname"
>>
>> directory "atlas.int.autonlab.org" {
>>          # directory options
>>          binddn "cn=admin,dc=autonlab,dc=org"
>>          basedn "dc=autonlab,dc=org"
>>          # basedn "ou=users,dc=autonlab,dc=org"
>>          # starting point for groups directory search, default to basedn
>>          # groupdn "ou=group,dc=autonlab,dc=org"
>>
>>          # passwd maps configuration (RFC 2307 posixAccount object class)
>>          passwd filter "(objectClass=posixAccount)"
>>
>>          attribute name maps to "uid"
>>          fixed attribute passwd "*"
>>          attribute uid maps to "uidNumber"
>>          attribute gid maps to "gidNumber"
>>          attribute gecos maps to "cn"
>>          attribute home maps to "homeDirectory"
>>          attribute shell maps to "loginShell"
>>          fixed attribute change "0"
>>          fixed attribute expire "0"
>>          fixed attribute class ""
>
>            ^^^^^^^^^^^^^^^^^^^^^^^^
>
> That should be the login class you created in login.conf that authenticates
> via LDAP (in your case, "ldap").
>
> Speaking somewhat vaguely, the way this *should* work is that when the
> username is supplied, the system looks up the user to determine the login
> class to determine how to proceed with authentication.  With users coming
> from ypldap, it should set the class to one that you've configured to
> authenticate via login_ldap.
>
>
>> From that point on I could do ldapsearch,
>> I could  /usr/libexec/auth/login_-ldap -d -s login USERNAME ldap without
>
>
> (see?  That last argument is specifying the login class, which is why it
> works)
>
>
>> and get logged in but could not make much sense of steps 3 and 4 of the
>> article
>>
>>
>> http://blogs.helion-prime.com/2009/05/07/authorization-with-ldap-on-openbsd.html
>
>
> In your case /etc/defaultdomain should probably contain "autonlab.org"

Or you can use:

echo "kernel.domainname=autonlab.org" >> /etc/sysctl.conf

Ciao,
David
