David Coppa <[email protected]> wrote:
> On Thu, Aug 28, 2014 at 2:19 PM, Predrag Punosevac
> <[email protected]> wrote:
> > I just set up another ssh gateway running the OpenBSD amd64 snapshot of
> > the 8th of August (should be epsilon close to the 5.6 release). From
> > installation to a fully working gateway it took less than 30 minutes;
> > kudos to the developers.
> > The only weird thing I noticed compared to the 5.5 release is that the
> > system overrides the default user shell defined in the LDAP database.
> > The LDAP server is a stock OpenBSD ldapd running on the 5.5 amd64
> > release. I have installed bash, zsh and tcsh from ports on the LDAP
> > client OpenBSD machine and soft-linked them to the location typical for
> > Linux, which is the default path to those shells in the LDAP db.
> >
> > The configuration looks identical to that on the 5.5 release:
> >
> > # ls -l /bin/tcsh
> > lrwxr-xr-x 1 root wheel 19 Aug 27 19:40 /bin/tcsh -> \
> > /usr/local/bin/tcsh
> > # ls -l /bin/bash
> > lrwxr-xr-x 1 root wheel 19 Aug 27 19:23 /bin/bash -> \
> > /usr/local/bin/bash
> > # ls -l /bin/zsh
> > lrwxr-xr-x 1 root wheel 18 Aug 27 19:36 /bin/zsh -> \
> > /usr/local/bin/zsh
> >
> >
> > # tail -n 1 /etc/master.passwd
> > +:::::::::/bin/ksh
>
> This is wrong.
Right on the money! Actually, the relevant man page is master.passwd(5):
<quote>
information included via YP. On some systems, the passwd field may also
be overridden. It is recommended that the standard way to enable YP
passwd support in /etc/master.passwd is:
+:*::::::::
which after pwd_mkdb(8) will result in /etc/passwd containing:
+:*:0:0:::
</quote>
I remember fixing this on two other occasions, but I forgot to fix my own
howtos.
Cheers,
Predrag
> Because you have "attribute shell maps to "loginShell"", not "fixed
> attribute shell "/bin/ksh" in your ypldap.conf
>
> See passwd(5)
>
> Ciao,
> David
>
> > # tail -1 /etc/group
> > +:::
> >
> > # tail -n 6 /etc/login.conf
> > ldap:\
> > :auth=-ldap:\
> > :x-ldap-server=atlas.int.autonlab.org,,starttls:\
> > :x-ldap-basedn=dc=autonlab,dc=org:\
> > :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
> > :tc=default:
> >
> > # more /etc/defaultdomain
> > autonlab.org
> >
> > # more /etc/yp/ldap.autonlab.org
> > autonlab.org
> >
> > # view /etc/ypldap.conf
> > # $OpenBSD: ypldap.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
> >
> > domain "autonlab.org"
> > interval 60
> > provide map "passwd.byname"
> > provide map "passwd.byuid"
> > provide map "group.byname"
> > provide map "group.bygid"
> > provide map "netid.byname"
> >
> > directory "atlas.int.autonlab.org" {
> > # directory options
> > binddn "cn=admin,dc=autonlab,dc=org"
> > # bindcred "secret"
> > basedn "dc=autonlab,dc=org"
> > # starting point for groups directory search, default to basedn
> > #groupdn "ou=Groups,dc=example,dc=com"
> >
> > # passwd maps configuration (RFC 2307 posixAccount object class)
> > passwd filter "(objectClass=posixAccount)"
> >
> > attribute name maps to "uid"
> > fixed attribute passwd "*"
> > attribute uid maps to "uidNumber"
> > attribute gid maps to "gidNumber"
> > attribute gecos maps to "cn"
> > attribute home maps to "homeDirectory"
> > attribute shell maps to "loginShell"
> > fixed attribute change "0"
> > fixed attribute expire "0"
> > fixed attribute class "ldap"
> >
> > # group maps configuration (RFC 2307 posixGroup object class)
> > group filter "(objectClass=posixGroup)"
> >
> > attribute groupname maps to "cn"
> > fixed attribute grouppasswd "*"
> > attribute groupgid maps to "gidNumber"
> > # memberUid returns multiple group members
> > list groupmembers maps to "memberUid"
> > }
> >
> >
> > # more /etc/rc.conf.local
> > ntpd_flags=
> > pkg_scripts="sshguard monit"
> > portmap_flags=""
> > ypldap_flags=""
> > ypbind_flags=""
> >
> >
> >
> > Of course I could ask all users to adjust their profiles, but maybe
> > somebody could point me to a fix which doesn't involve the users.
> >
> >
> > Cheers,
> > Predrag
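To make the master.passwd(5) rule quoted above concrete, here is a small simulation (added for this thread, not code from OpenBSD or from either poster) of how a "+" line merges with the passwd record that ypldap serves: every non-empty field on the "+" line overrides the YP value, which is why `+:::::::::/bin/ksh` forces ksh on everyone while `+:*::::::::` only fixes the password field and leaves loginShell from LDAP intact. The user record and local entries are constructed sample data.

```python
# Simulate how a "+" line in /etc/master.passwd merges with a YP (ypldap)
# passwd record: non-empty fields on the "+" line override the YP value,
# empty fields are taken from the YP record.
MASTER_FIELDS = ["name", "passwd", "uid", "gid", "class", "change",
                 "expire", "gecos", "home", "shell"]


def parse_entry(line):
    """Split one master.passwd-style record into a dict of its ten fields."""
    parts = line.strip().split(":")
    if len(parts) != len(MASTER_FIELDS):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(MASTER_FIELDS), len(parts), line))
    return dict(zip(MASTER_FIELDS, parts))


def merge_yp(plus_line, yp_line):
    """Apply the override rule. Returns None when the '+' line does not
    cover this YP user (a '+user' line covers only that one user)."""
    plus, yp = parse_entry(plus_line), parse_entry(yp_line)
    selector = plus["name"][1:]          # "" for a bare "+", else a user name
    if selector and selector != yp["name"]:
        return None
    merged = dict(yp)
    for field in MASTER_FIELDS[1:]:      # the name always comes from YP
        if plus[field] != "":
            merged[field] = plus[field]
    return merged


def effective_shell(master_passwd, yp_line):
    """Local entries win; otherwise the first '+' line covering the user
    decides which YP fields get overridden."""
    user = parse_entry(yp_line)["name"]
    lines = [l for l in master_passwd.splitlines() if l and l[0] != "#"]
    for line in lines:
        if line[0] not in "+-" and line.split(":", 1)[0] == user:
            return parse_entry(line)["shell"]
    for line in lines:
        if line[0] == "+":
            merged = merge_yp(line, yp_line)
            if merged is not None:
                return merged["shell"]
    return None


# Constructed sample record, shaped like what ypldap builds from the config
# in the thread (passwd fixed to "*", class fixed to "ldap", shell from loginShell).
YP_ALICE = "alice:*:1001:1001:ldap:0:0:Alice Example:/home/alice:/bin/zsh"
LOCAL_PART = "root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh\n"
BROKEN = LOCAL_PART + "+:::::::::/bin/ksh\n"     # shell forced for everyone
RECOMMENDED = LOCAL_PART + "+:*::::::::\n"        # shell taken from LDAP
```

Running `effective_shell(BROKEN, YP_ALICE)` yields `/bin/ksh`, while the recommended line yields the LDAP value `/bin/zsh`.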