On Thu, Aug 28, 2014 at 2:19 PM, Predrag Punosevac
<[email protected]> wrote:
> I just set up another ssh gateway running an OpenBSD amd64 snapshot of the 8th
> of August (should be epsilon close to the 5.6 release). From installation to
> full working gateway it took less than 30 minutes, kudos to the developers.
> The only weird thing I noticed compared to the 5.5 release is that the system
> overrides the default user shell defined in the LDAP database. The LDAP server
> is a stock OpenBSD ldapd running on a 5.5 amd64 release. I have installed bash,
> zsh and tcsh from ports on the LDAP client OpenBSD machine and soft-linked
> them to the place typical for Linux, which is the default path to those shells
> in the LDAP db.
>
> The configuration looks identical to the one on the 5.5 release:
>
> # ls -l /bin/tcsh
> lrwxr-xr-x 1 root wheel 19 Aug 27 19:40 /bin/tcsh -> \
> /usr/local/bin/tcsh
> # ls -l /bin/bash
> lrwxr-xr-x 1 root wheel 19 Aug 27 19:23 /bin/bash -> \
> /usr/local/bin/bash
> # ls -l /bin/zsh
> lrwxr-xr-x 1 root wheel 18 Aug 27 19:36 /bin/zsh -> \
> /usr/local/bin/zsh
>
>
> # tail -n 1 /etc/master.passwd
> +:::::::::/bin/ksh
This is wrong.
Because you have "attribute shell maps to "loginShell"", not "fixed
attribute shell "/bin/ksh"", in your ypldap.conf.
See passwd(5).
Ciao,
David
> # tail -1 /etc/group
> +:::
>
> # tail -n 6 /etc/login.conf
> ldap:\
> :auth=-ldap:\
> :x-ldap-server=atlas.int.autonlab.org,,starttls:\
> :x-ldap-basedn=dc=autonlab,dc=org:\
> :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
> :tc=default:
>
> # more /etc/defaultdomain
> autonlab.org
>
> # more /etc/yp/ldap.autonlab.org
> autonlab.org
>
> # view /etc/ypldap.conf
> # $OpenBSD: ypldap.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
>
> domain "autonlab.org"
> interval 60
> provide map "passwd.byname"
> provide map "passwd.byuid"
> provide map "group.byname"
> provide map "group.bygid"
> provide map "netid.byname"
>
> directory "atlas.int.autonlab.org" {
> # directory options
> binddn "cn=admin,dc=autonlab,dc=org"
> # bindcred "secret"
> basedn "dc=autonlab,dc=org"
> # starting point for groups directory search, default to basedn
> #groupdn "ou=Groups,dc=example,dc=com"
>
> # passwd maps configuration (RFC 2307 posixAccount object class)
> passwd filter "(objectClass=posixAccount)"
>
> attribute name maps to "uid"
> fixed attribute passwd "*"
> attribute uid maps to "uidNumber"
> attribute gid maps to "gidNumber"
> attribute gecos maps to "cn"
> attribute home maps to "homeDirectory"
> attribute shell maps to "loginShell"
> fixed attribute change "0"
> fixed attribute expire "0"
> fixed attribute class "ldap"
>
> # group maps configuration (RFC 2307 posixGroup object class)
> group filter "(objectClass=posixGroup)"
>
> attribute groupname maps to "cn"
> fixed attribute grouppasswd "*"
> attribute groupgid maps to "gidNumber"
> # memberUid returns multiple group members
> list groupmembers maps to "memberUid"
> }
>
>
> # more /etc/rc.conf.local
> ntpd_flags=
> pkg_scripts="sshguard monit"
> portmap_flags=""
> ypldap_flags=""
> ypbind_flags=""
>
>
>
> Of course I could ask all users to adjust their profiles, but maybe
> somebody could point me to a fix which doesn't involve users.
>
>
> Cheers,
> Predrag
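The point David makes is easy to check offline. The following is an added example, written for this page and not code from the thread, from ypldap or from OpenBSD's libc: it builds a passwd.byname map from constructed posixAccount entries using exactly the attribute mapping in the ypldap.conf above, then resolves users through a master.passwd list the way passwd(5) describes "+" entries, where every field that is non-empty in the local "+" line takes precedence over the value from the YP map. The LDAP entries, user names, uids and home directories are constructed sample data; netgroup forms (+@group, -@group) are not modelled.

```python
"""Simulate passwd(5) '+' entry handling on top of a ypldap-style passwd map.

Added example, not code from the thread, ypldap or libc. The LDAP entries and
user names below are constructed sample data; netgroup forms (+@group,
-@group) are deliberately not modelled.
"""

# /etc/master.passwd has ten fields; the NIS passwd.byname map has seven.
MASTER_FIELDS = ("name", "passwd", "uid", "gid", "class",
                 "change", "expire", "gecos", "home", "shell")
YP_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed posixAccount entries, as ldapd would return them for the
# passwd filter "(objectClass=posixAccount)" in the thread's ypldap.conf.
LDAP_ENTRIES = [
    {"uid": "predrag", "uidNumber": "1001", "gidNumber": "1001",
     "cn": "Predrag Punosevac", "homeDirectory": "/home/predrag",
     "loginShell": "/bin/zsh"},
    {"uid": "alice", "uidNumber": "1002", "gidNumber": "1002",
     "cn": "Alice Example", "homeDirectory": "/home/alice",
     "loginShell": "/bin/bash"},
]


def ypldap_passwd_line(entry):
    """Build the passwd.byname value using the thread's ypldap.conf mapping:
    name<-uid, passwd fixed "*", uid<-uidNumber, gid<-gidNumber,
    gecos<-cn, home<-homeDirectory, shell<-loginShell."""
    return ":".join([entry["uid"], "*", entry["uidNumber"], entry["gidNumber"],
                     entry["cn"], entry["homeDirectory"], entry["loginShell"]])


YP_PASSWD_BYNAME = {e["uid"]: ypldap_passwd_line(e) for e in LDAP_ENTRIES}


def parse(line, fields):
    """Split a colon-separated passwd line into a dict, checking the field count."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(fields):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(fields), len(parts), line))
    return dict(zip(fields, parts))


def lookup(master_passwd, yp_map, user):
    """Resolve `user` as passwd(5) describes for YP-enabled files: entries are
    scanned in order; a matching plain local entry wins; a '-name' entry
    excludes the user; a '+' or '+name' entry pulls the user from the YP map,
    and every field that is non-empty in that local line overrides the YP
    value. Returns a dict of fields, or None if the user is unknown."""
    for line in master_passwd:
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse(line, MASTER_FIELDS)
        name = entry["name"]
        if name.startswith("-"):
            if name[1:] == user:
                return None
            continue
        if name.startswith("+"):
            if name != "+" and name[1:] != user:
                continue
            if user not in yp_map:
                continue
            merged = {f: "" for f in MASTER_FIELDS}
            merged.update(parse(yp_map[user], YP_FIELDS))
            for field in MASTER_FIELDS[1:]:
                if entry[field]:
                    merged[field] = entry[field]   # local non-empty field wins
            return merged
        if name == user:
            return entry
    return None


# The thread's last master.passwd line, with the shell field filled in ...
BROKEN = ["root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh", "+:::::::::/bin/ksh"]
# ... versus a wildcard line that leaves the shell field empty.
FIXED = ["root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh", "+:::::::::"]


def shells(master_passwd, users=("predrag", "alice", "root")):
    """Map each user to the shell the lookup resolves, or None if unknown."""
    return {u: (lookup(master_passwd, YP_PASSWD_BYNAME, u) or {}).get("shell")
            for u in users}


if __name__ == "__main__":
    print("with '+:::::::::/bin/ksh':", shells(BROKEN))
    print("with '+:::::::::'        :", shells(FIXED))
```

With the `+:::::::::/bin/ksh` line every LDAP user resolves to /bin/ksh even though loginShell did flow through ypldap correctly; with the shell field left empty the loginShell value from the directory is what comes back. The same rule applies to every other field of the "+" line, so a value in, say, the class field would likewise take precedence over what the directory supplies.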