Matthew Weigel <[email protected]> wrote:

> On 05/27/2014 10:50 PM, Predrag Punosevac wrote:
>
> > and edited /etc/ypldap.conf as:
> >
> > # $OpenBSD: ypldap.conf,v 1.4 2012/04/30 12:16:43 ajacoutot Exp $
> >
> > domain "autonlab.org"
> > interval 60
> > provide map "passwd.byname"
> > provide map "passwd.byuid"
> > provide map "group.byname"
> > provide map "group.bygid"
> > # provide map "netid.byname"
> >
> > directory "atlas.int.autonlab.org" {
> >         # directory options
> >         binddn "cn=admin,dc=autonlab,dc=org"
> >         basedn "dc=autonlab,dc=org"
> >         # basedn "ou=users,dc=autonlab,dc=org"
> >         # starting point for groups directory search, default to basedn
> >         # groupdn "ou=group,dc=autonlab,dc=org"
> >
> >         # passwd maps configuration (RFC 2307 posixAccount object class)
> >         passwd filter "(objectClass=posixAccount)"
> >
> >         attribute name maps to "uid"
> >         fixed attribute passwd "*"
> >         attribute uid maps to "uidNumber"
> >         attribute gid maps to "gidNumber"
> >         attribute gecos maps to "cn"
> >         attribute home maps to "homeDirectory"
> >         attribute shell maps to "loginShell"
> >         fixed attribute change "0"
> >         fixed attribute expire "0"
> >         fixed attribute class ""
>                                 ^^^^^^^^^^^^^^^^^^^^^^^^
>
> That should be the login class you created in login.conf that
> authenticates via LDAP (in your case, "ldap").
>
> Speaking somewhat vaguely, the way this *should* work is that when the
> username is supplied, the system looks up the user to determine the
> login class to determine how to proceed with authentication. With users
> coming from ypldap, it should set the class to one that you've
> configured to authenticate via login_ldap.
>

Spot on!!! Authentication with LDAP now works perfectly on this OpenBSD
machine.

> > From that point on I could do ldapsearch,
> > I could /usr/libexec/auth/login_-ldap -d -s login USERNAME ldap without
>
> (see? That last argument is specifying the login class, which is why it
> works)
>
> > and get logged in but could not make much sense of steps 3 and 4 of the
> > article
> >
> > http://blogs.helion-prime.com/2009/05/07/authorization-with-ldap-on-openbsd.html
>
> In your case /etc/defaultdomain should probably contain "autonlab.org"
>
> The lines in /etc/master.passwd and /etc/group are necessary to tell
> login to do YP lookups.

I should have been more clear. I made those changes but I could not make
much sense of the first one, i.e. editing /etc/defaultdomain. Editing
/etc/master.passwd and /etc/group kind of made sense, but now it is
crystal clear.

> > which is clearly related to my inability to use LDAP password to ssh
> > into shell gateway. After starting portmap and ypldap I could start
> > ypbind but ypserv and yppasswdd daemons would fail to start for me due to
> > the obvious reason that my defaultdomain has no YP servers.
>
> The first paragraph of ypldap(8)'s description ends with "ypldap has the
> same role as ypserv(8) and the two daemons are exclusive." So don't run
> ypserv, just run ypldap and ypbind.
>
> You also can't run yppasswdd(8) in this context, because yppasswdd only
> knows how to change local (to the server) accounts. Unfortunately there
> isn't an LDAP version of yppasswdd(8) at the moment, nor does base
> ldapd(8) support the necessary LDAP extensions for simple password
> change.
>
> It's something I've put some effort into, but I haven't had time to
> progress on it in quite a while.
>
> > " To use other directory services except YP, you either need to populate
> > local configuration files from the directory, or you need a YP frontend
> > to the directory. For example, you can use the sysutils/login_ldap port
> > when you choose the former, while the ypldap(8) daemon provides the
> > latter. "
> >
> > Which seems to indicate that I just need ypldap as a front end to my
> > LDAP server.
>
> That is poorly worded for sure. I think right now the best combination
> is the one you're trying, login_ldap and ypldap together.
>
> --

The technical competence and willingness to share the knowledge of the
subscribers to misc@openbsd never cease to amaze me. Matt, thank you so
much for your work and willingness to share the knowledge! You made my
day. I apologize I could not send this e-mail earlier due to my work
schedule.

Predrag

> Matthew Weigel
> hacker
> unique & idempot . ent
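The combination the thread arrives at (ypldap serving passwd/group maps with a non-empty login class, login_ldap doing the actual bind, YP marker lines in master.passwd and group, defaultdomain matching the ypldap domain, and no ypserv or yppasswdd), written out as an added example that is not part of the thread or of OpenBSD's own sample files. It stages the files in a scratch directory and checks them for the mistakes discussed above before anything touches /etc. The host name, YP domain, base DN and class name are the ones from the thread; the bindcred placeholder, the login.conf values and the rc.conf.local lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the misc@ thread). Stage the files for a
# login_ldap + ypldap set-up in a scratch directory and sanity-check them.
# Host, YP domain, base DN and class name come from the thread; bindcred,
# the login.conf values and rc.conf.local are assumptions.

stage_ldap_login_config() {
	dir=$1
	mkdir -p "$dir"

	# /etc/ypldap.conf: the fix is the non-empty login class, so users that
	# arrive via YP land in a class that authenticates through login_ldap.
	cat > "$dir/ypldap.conf" <<'EOF'
domain "autonlab.org"
interval 60
provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"

directory "atlas.int.autonlab.org" {
	binddn "cn=admin,dc=autonlab,dc=org"
	bindcred "CHANGEME"
	basedn "dc=autonlab,dc=org"

	passwd filter "(objectClass=posixAccount)"
	attribute name maps to "uid"
	fixed attribute passwd "*"
	attribute uid maps to "uidNumber"
	attribute gid maps to "gidNumber"
	attribute gecos maps to "cn"
	attribute home maps to "homeDirectory"
	attribute shell maps to "loginShell"
	fixed attribute change "0"
	fixed attribute expire "0"
	fixed attribute class "ldap"

	group filter "(objectClass=posixGroup)"
	attribute groupname maps to "cn"
	fixed attribute grouppasswd "*"
	attribute groupgid maps to "gidNumber"
	list groupmembers maps to "memberUid"
}
EOF

	# /etc/login.conf: the class named above. auth=-ldap is why the helper
	# is /usr/libexec/auth/login_-ldap. Values are assumptions.
	cat > "$dir/login.conf" <<'EOF'
ldap:\
	:auth=-ldap:\
	:x-ldap-server=atlas.int.autonlab.org:\
	:x-ldap-basedn=dc=autonlab,dc=org:\
	:x-ldap-filter=(&(objectClass=posixAccount)(uid=%u)):\
	:tc=default:
EOF

	# Lines to append to /etc/master.passwd and /etc/group so login falls
	# back to YP for unknown users/groups; defaultdomain must equal the
	# ypldap "domain".
	printf '%s\n' '+:*::::::::' > "$dir/master.passwd"
	printf '%s\n' '+:*::' > "$dir/group"
	printf '%s\n' 'autonlab.org' > "$dir/defaultdomain"

	# rc.conf.local: portmap, ypldap and ypbind only (empty value enables).
	# ypldap replaces ypserv; yppasswdd cannot change LDAP passwords.
	cat > "$dir/rc.conf.local" <<'EOF'
portmap_flags=
ypldap_flags=
ypbind_flags=
EOF
}

# Returns 0 if the staged files are consistent, 1 with a reason otherwise.
check_ldap_login_config() {
	dir=$1
	class=$(sed -n 's/^[[:space:]]*fixed attribute class "\([^"]*\)".*/\1/p' "$dir/ypldap.conf")
	[ -n "$class" ] || { echo 'ypldap.conf: fixed attribute class "" gives YP users no login class'; return 1; }
	grep -q "^$class:" "$dir/login.conf" || { echo "login.conf: no class '$class'"; return 1; }
	grep -q ':auth=-ldap:' "$dir/login.conf" || { echo "login.conf: class does not use auth=-ldap"; return 1; }
	grep -qx '+:\*::::::::' "$dir/master.passwd" || { echo "master.passwd: YP line missing"; return 1; }
	grep -qx '+:\*::' "$dir/group" || { echo "group: YP line missing"; return 1; }
	ypdom=$(sed -n 's/^domain "\([^"]*\)".*/\1/p' "$dir/ypldap.conf")
	[ "$(cat "$dir/defaultdomain")" = "$ypdom" ] || { echo "defaultdomain does not match ypldap domain '$ypdom'"; return 1; }
	if grep -E '^(ypserv|yppasswdd)_flags=' "$dir/rc.conf.local" | grep -qv '=NO$'; then
		echo "rc.conf.local: ypserv/yppasswdd enabled; ypldap and ypserv are exclusive"
		return 1
	fi
	return 0
}

# Stand-alone run: stage into a scratch directory and report.
stage=$(mktemp -d)
stage_ldap_login_config "$stage"
check_ldap_login_config "$stage" && echo "staged config in $stage is consistent; review it, then merge into /etc"
```

This check is purely offline: it catches the empty class, a missing class in login.conf, missing YP marker lines, a defaultdomain mismatch and an enabled ypserv, but it does not test the LDAP bind itself. After merging, rebuild login.conf.db with cap_mkdb /etc/login.conf if that file exists on the host, and confirm the bind the way the thread does, with /usr/libexec/auth/login_-ldap -d -s login USERNAME ldap.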

