preamble
common case: you have an LDAP server and want to use it to authenticate your users on OpenBSD.
First, understand whether you really want to use an LDAP server for authentication, because OpenBSD has no built-in support for it.
It does, however, have built-in support for many other authentication styles:
```
# passwd   local password file
# krb5     Kerberos V password
# radius   radius authentication
# skey     S/Key authentication
# activ    activCard X9.9 token authentication
# crypto   CRYPTOCard X9.9 token authentication
# snk      Digital Pathways SecureNet Key authentication
# token    Generic X9.9 token authentication
```
see for details: man login.conf
setup as pain
1. login_ldap – contact ldap directory server for authentication
install the login_ldap package:
# pkg_add -iv login_ldap
use the example files in /usr/local/share/examples/login_ldap/
configure it in /etc/login.conf
you should add something like this:
```
ldap:\
	:auth=-ldap:\
	:x-ldap-server=127.0.0.1,,ssl:\
	:x-ldap-basedn=ou=Users,ou=auth,dc=helion-prime,dc=com:\
	:x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
	:tc=default:
```
for details: man login_ldap
test it with: # /usr/libexec/auth/login_-ldap -d -s login USERNAME ldap
2. ypldap – YP map server using LDAP backend (provide users’ info)
as OpenBSD has great support for YP, using ypldap gives a soft integration of the LDAP server.
use example in man: man ypldap.conf
configure it in /etc/ypldap.conf
you should have something like this:
```
interval 100
domain "helion-prime.com"

provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"

directory "127.0.0.1" {
	# directory options
	binddn "cn=Manager,dc=helion-prime,dc=com"
	bindcred "password"		# we don't need it if anonymous searches are allowed
	basedn "ou=Users,ou=auth,dc=helion-prime,dc=com"

	# passwd maps configuration
	passwd filter "(objectClass=posixAccount)"
	attribute name maps to "uid"
	fixed attribute passwd "*"		# we do not need passwords - we use login_ldap for authentication
	attribute uid maps to "uidNumber"
	attribute gid maps to "gidNumber"
	attribute gecos maps to "cn"
	attribute home maps to "homeDirectory"
	fixed attribute shell "/bin/ksh"	# no bash in default install (check it)
	fixed attribute change "0"		# we can have issues with time format (check it)
	fixed attribute expire "0"		# we can have issues with time format (check it)
	fixed attribute class "ldap"		# class of login.conf

	# group maps configuration
	group filter "(objectClass=posixGroup)"
	attribute groupname maps to "cn"
	fixed attribute grouppasswd "*"
	attribute groupgid maps to "gidNumber"
	list groupmembers maps to "memberUid"
}
```
test it with: # ypldap -dv
as ypldap currently doesn't support LDAP over SSL, you should configure your LDAP server to also listen on plain LDAP.
I believe the developer will soon add appropriate support for it.
3. ypbind – create and maintain a binding to a YP server
add your domainname to /etc/defaultdomain
# echo DOMAINNAME > /etc/defaultdomain
the standard way to enable YP passwd support in /etc/master.passwd is to add the line: +:::::::::/bin/ksh
use vipw to edit master.passwd
see for details: man 5 passwd
same with groups:
# echo "+:::" >> /etc/group
see for details: man 5 group
4. automate execution
the worst part is that we have to modify the /etc/rc script:
```
if [ X`domainname` != X ]; then
	if [ -d /var/yp/`domainname` ]; then
		# YP server capabilities needed...
		echo -n ' ypserv';		ypserv ${ypserv_flags}
		#echo -n ' ypxfrd';		ypxfrd
	fi
	#if [ -d /var/yp/binding ]; then
	#	# YP client capabilities needed...
	#	echo -n ' ypbind';		ypbind
	#fi
	....
```
the second block is commented out because it would run ypbind before ypldap, which (following OpenBSD rules) we start from rc.local.
Then we should add something like this to /etc/rc.local:
```
if [ X"${ypldap_flags}" != X"NO" ]; then
	echo -n ' ypldap';	/usr/sbin/ypldap ${ypldap_flags} 1> /dev/null &
fi

if [ -d /var/yp/binding ]; then
	echo -n ' ypbind';	ypbind
fi
```
And to /etc/rc.conf.local:
```
portmap=YES
ypldap_flags=""
```
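As an added example (not from the original post), a small sanity-check script for steps 1-4: the `check_*` functions only inspect text, so they work anywhere; the live part runs only on a host that has ypcat(1), i.e. the configured OpenBSD client. Field layouts, the `/etc/ypldap.conf` path and the `ypcat passwd` output format are assumed from the configuration above.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks the YP markers and the
# maps served by ypldap for the login_ldap + ypldap + ypbind setup described above.

nfields() { printf '%s\n' "$1" | awk -F: '{print NF}'; }

# master.passwd marker: "+" plus 9 colons, i.e. exactly 10 fields
# (name:passwd:uid:gid:class:change:expire:gecos:home:shell).
check_master_passwd_marker() {
	[ "$(nfields "$1")" -eq 10 ] || return 1
	[ "${1%%:*}" = "+" ] || return 1
	return 0
}

# /etc/group marker: "+" plus 3 colons (name:passwd:gid:members).
check_group_marker() {
	[ "$(nfields "$1")" -eq 4 ] || return 1
	[ "${1%%:*}" = "+" ] || return 1
	return 0
}

# passwd.byname entry as served by ypldap: 7 fields, and the password field
# must be "*" (fixed attribute passwd "*"): no hash ever leaves the directory
# via YP, authentication is done by login_ldap only.
check_yp_passwd_entry() {
	[ "$(nfields "$1")" -eq 7 ] || return 1
	[ "$(printf '%s\n' "$1" | cut -d: -f2)" = "*" ] || return 1
	return 0
}

# Live checks, OpenBSD client only. Non-zero exit means steps 1-4 are not complete.
run_live_checks() {
	command -v ypcat >/dev/null 2>&1 || { echo "no ypcat here, skipping live checks"; return 0; }
	[ -n "$(domainname)" ] || { echo "domainname is empty: check /etc/defaultdomain"; return 1; }
	[ -d /var/yp/binding ] || { echo "/var/yp/binding missing: ypbind is not running"; return 1; }
	# ypldap.conf carries bindcred in clear text, so it must not be world-readable.
	[ -z "$(find /etc/ypldap.conf -perm -004)" ] || echo "warning: /etc/ypldap.conf is world-readable"
	grep -q '^+:' /etc/master.passwd || { echo "no YP marker in /etc/master.passwd"; return 1; }
	ypcat passwd | while IFS= read -r entry; do
		check_yp_passwd_entry "$entry" || { echo "bad or hash-leaking entry: $entry"; exit 1; }
	done
}

run_live_checks
```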
When I review the text I see that it is quite easy, and it is hard to believe someone can spend more than an hour on this..
Good luck, guys..