Helion-Prime Solutions blog » ypldap http://blogs.helion-prime.com Just another WordPress weblog Sun, 18 Dec 2011 13:27:07 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Authorization with LDAP on OpenBSD http://blogs.helion-prime.com/2009/05/07/authorization-with-ldap-on-openbsd.html http://blogs.helion-prime.com/2009/05/07/authorization-with-ldap-on-openbsd.html#comments Thu, 07 May 2009 11:22:46 +0000 vasiliy.kiryanov http://blogs.helion-prime.com/?p=486 preamble

common case: you have LDAP server and want to use it to authorize your users on OpenBSD.

First thing is to understand if you really want to use LDAP server for authorization due to OpenBSD doesn’t have build-in support for it.

But has such support for many others authorization styles:
# passwd local password file
# krb5 Kerberos V password
# radius radius authentication
# skey S/Key authentication
# activ activCard X9.9 token authentication
# crypto CRYPTOCard X9.9 token authentication
# snk Digital Pathways SecureNet Key authentication
# token Generic X9.9 token authentication

see for details: man login.conf

setup as pain

1. login_ldap – contact ldap directory server for authentication

install login_ldap package:
# pkg_add -iv login_ldap

use example files in: [/usr/local/share/examples/login_ldap/]
configure it in /etc/login.conf

you should add something like this:

1
2
3
4
5
6
ldap:\
        :auth=-ldap:\
        :x-ldap-server=127.0.0.1,,ssl:\
        :x-ldap-basedn=ou=Users,ou=auth,dc=helion-prime,dc=com:\
        :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
        :tc=default:

look for details: man login_ldap

test it with: # /usr/libexec/auth/login_-ldap -d -s login USERNAME ldap

2. ypldap – YP map server using LDAP backend (provide users’ info)

as OpenBSD has great support for YP using of ypldap provides soft integration of LDAP server.

use example in man: man ypldap.conf
configure it in /etc/ypldap.conf

you should have something like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
interval 100
domain "helion-prime.com"

provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"

directory "127.0.0.1" {
   # directory options
   binddn "cn=Manager,dc=helion-prime,dc=com"
   bindcred "password" #we don't need it if anonymous searches are allowed
   basedn "ou=Users,ou=auth,dc=helion-prime,dc=com"

   # passwd maps configuration
   passwd filter "(objectClass=posixAccount)"

   attribute name maps to "uid"
   fixed attribute passwd "*" # we do no need passwords - we use login_ldap for authentication
   attribute uid maps to "uidNumber"
   attribute gid maps to "gidNumber"
   attribute gecos maps to "cn"
   attribute home maps to "homeDirectory"
   fixed attribute shell "/bin/ksh"  # no bash in default install (check it)
   fixed attribute change "0" # we can have issues with time format (check it)
   fixed attribute expire "0" # we can have issues with time format (check it)
   fixed attribute class "ldap" # class of login.conf

   # group maps configuration
   group filter "(objectClass=posixGroup)"

   attribute groupname maps to "cn"
   fixed attribute grouppasswd "*"
   attribute groupgid maps to "gidNumber"
   list groupmembers maps to "memberUid"
}

test it with: # ypldap -dv

as ypldad currently doesn’t support ldap over ssl, you should configure your ldap server to listen over regular ldap.
I believe developer soon will create appropriate support for it.

3. ypbind – create and maintain a binding to a YP server

add your domainname to /etc/defaultdomain
# echo DOMAINNAME > /etc/defaultdomain

the standard way to enable YP passwd support in /etc/master.passwd is to add string: +:::::::::/bin/ksh
use vipw to edit master.passwd

see for details: man 5 passwd

same with groups:
# echo “+:::” >> /etc/group

see for details: man 5 group

4. automate execution

worst part is: we should modify: /etc/rc script

1
2
3
4
5
6
7
8
9
10
11
12
if [ X`domainname` != X ]; then
        if [ -d /var/yp/`domainname` ]; then
               # YP server capabilities needed...
               echo -n ' ypserv';              ypserv ${ypserv_flags}
               #echo -n ' ypxfrd';             ypxfrd
        fi

        #if [ -d /var/yp/binding ]; then
        #       # YP client capabilities needed...
        #       echo -n ' ypbind';              ypbind
        #fi
....

second entry will run ypbind before ypldap that we exec according to OpenBSD rules in rc.local

Then we should add something like this to: /etc/rc/local

1
2
3
4
5
6
7
if [ X"${ypldap_flags}" != X"NO" ]; then
        echo -n ' ypldap'; /usr/sbin/ypldap ${ypldap_flags} 1> /dev/null &
fi

if [ -d /var/yp/binding ]; then
        echo -n ' ypbind';              ypbind
fi

And to /etc/rc.conf.local:

1
2
portmap=YES
ypldap_flags=""

When I review text I see that it is quite easy and it is hard to believe someone can spend more then hour on this ..
Good luck, guys..

]]> http://blogs.helion-prime.com/2009/05/07/authorization-with-ldap-on-openbsd.html/feed 3