On 2022-06-09, David Diggles <da...@elven.com.au> wrote:
> I've just got ldap login working on OpenBSD/7.1 with accounts stored
> locally in ldapd and using ypldap.
>
> I just thought I'd share something so anyone reading this may save
> wasting the time that I wasted :-)
>
> Your LDIF entry that you read into ldap must be as follows for
> userPassword:
>
> userPassword: {CRYPT}${ENCRYPTED_PASSWD}
>
> i.e. uppercase CRYPT. I was stuffing around for ages trying to
> understand why login_ldap was failing to bind because I had {crypt} in
> lowercase.

Perhaps it would make sense for ldapd to support {crypt} as well..

> If you search the interwebs you'll find many complicated examples for
> the ldap class in login.conf but the following worked fine for this
> local setup:
>
> # /etc/login.conf.d/ldap
>
> ldap:\
> :auth=ldap:\
> :x-ldap-uscope=subtree:\
> :tc=default:

"auth=ldap" (rather than "auth=-ldap") suggests you're using login_ldap from
the base OS, but that uses /etc/login_ldap.conf for settings, so the presence
of x-ldap-uscope suggests you're using login_ldap from ports.

The ports version has been left around partly because the configuration is
different and it would suck if you can't login to fix it, and partly in case
anyone was actually needing the features that were dropped when it was
rewritten for the base OS.

It would be a good idea to use the base OS version as there's less risk of it
getting out of sync following updates. And if you used the ports one and
*copied* it over /usr/libexec/auth/login_ldap you definitely want to fix that.
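As an added example (not part of the thread, and not ldapd's or login_ldap's own code), here is a small Python checker for the two pitfalls discussed above: a userPassword tagged {crypt} instead of {CRYPT}, and a login.conf class that says auth=ldap (the base login_ldap, configured through /etc/login_ldap.conf) while also carrying x-ldap-* capabilities meant for the ports version. Assumptions: the sample LDIF and login.conf fragments are constructed, the hash is a placeholder shaped like a bcrypt string, the exact-uppercase {CRYPT} requirement and the base-versus-ports distinction are taken from the two messages above, and the name login_-ldap for the ports script is inferred from the auth= style convention (auth=-ldap runs login_-ldap) rather than stated in the thread.

```python
#!/usr/bin/env python3
"""Checks for the two mistakes discussed in the thread (added example):
1. userPassword tagged {crypt} instead of {CRYPT}, which ldapd will not bind with;
2. an auth=ldap class (base login_ldap, settings in /etc/login_ldap.conf) that
   also carries x-ldap-* capabilities, which belong to the ports login_-ldap.
All sample data below is constructed, not taken from the thread."""
import base64
import re

# Constructed LDIF. The hash is a placeholder shaped like bcrypt output, not a
# real password hash. "bob" reproduces the lowercase-tag mistake.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: alice
userPassword: {CRYPT}$2b$10$CONSTRUCTEDplaceholderNOTarealHASHxxxxxxxxxxxxxxxxxxxxx

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: bob
userPassword: {crypt}$2b$10$CONSTRUCTEDplaceholderNOTarealHASHxxxxxxxxxxxxxxxxxxxxx
"""

# Constructed login.conf fragments: the mixed one from the thread and a base-only one.
MIXED_LOGIN_CONF = """\
# /etc/login.conf.d/ldap
ldap:\\
\t:auth=ldap:\\
\t:x-ldap-uscope=subtree:\\
\t:tc=default:
"""
BASE_LOGIN_CONF = """\
ldap:\\
\t:auth=ldap:\\
\t:tc=default:
"""

# OpenBSD's crypt(3) produces bcrypt only, so a {CRYPT} value should look like this.
BCRYPT_RE = re.compile(r"\$2[aby]\$\d\d\$")


def check_userpassword(ldif_text):
    """Return (dn, message) for each userPassword that will not bind the way the
    thread describes: the tag must be exactly {CRYPT}, followed by a bcrypt hash."""
    findings, dn = [], None
    for line in ldif_text.splitlines():
        if line.startswith("dn:"):
            dn = line[3:].strip()
            continue
        if not line.lower().startswith("userpassword:"):
            continue
        value = line.split(":", 1)[1]
        if value.startswith(":"):  # LDIF "attr:: <base64>" form, as ldapsearch prints it
            value = base64.b64decode(value[1:].strip()).decode()
        value = value.strip()
        m = re.match(r"\{([^}]*)\}(.*)", value)
        if m is None:
            findings.append((dn, "userPassword has no {SCHEME} tag"))
        elif m.group(1) == "CRYPT":
            if not BCRYPT_RE.match(m.group(2)):
                findings.append((dn, "{CRYPT} value is not a bcrypt hash"))
        elif m.group(1).upper() == "CRYPT":
            findings.append((dn, "tag is {%s}; ldapd wants uppercase {CRYPT}" % m.group(1)))
        else:
            findings.append((dn, "tag {%s} is not {CRYPT}" % m.group(1)))
    return findings


def login_conf_class(text, name):
    """Return the capability list of class `name` from a login.conf fragment
    (comments dropped, backslash continuations joined), or None if absent."""
    entries, buf = [], ""
    for line in text.splitlines():
        if line.lstrip().startswith("#") or not line.strip():
            continue
        buf += line.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        entries.append(buf)
        buf = ""
    if buf:
        entries.append(buf)
    for entry in entries:
        fields = [f for f in entry.split(":") if f]
        if fields and name in fields[0].split("|"):
            return fields[1:]
    return None


def check_login_conf(text, name="ldap"):
    """Flag a class whose auth style and x-ldap-* capabilities disagree about
    which login_ldap (base or ports) it is meant for, per the reply above."""
    caps = login_conf_class(text, name)
    if caps is None:
        return ["class %s not found" % name]
    styles = [c[5:].split(",") for c in caps if c.startswith("auth=")]
    styles = styles[-1] if styles else []
    xldap = [c for c in caps if c.startswith("x-ldap-")]
    findings = []
    if "ldap" in styles and xldap:
        findings.append("auth=ldap selects the base login_ldap, which reads "
                        "/etc/login_ldap.conf; x-ldap-* capabilities (%s) belong "
                        "to the ports version" % ", ".join(xldap))
    if "-ldap" in styles and not xldap:
        findings.append("auth=-ldap selects the ports login_-ldap, but no "
                        "x-ldap-* capabilities are set")
    return findings


if __name__ == "__main__":
    for dn, msg in check_userpassword(SAMPLE_LDIF):
        print("LDIF: %s: %s" % (dn, msg))
    for msg in check_login_conf(MIXED_LOGIN_CONF):
        print("login.conf: " + msg)
```

Run it against `ldapsearch -LLL` output (the base64 `userPassword::` form is handled) and against the class you actually use; an empty result from both checks means the LDIF tag and the login.conf class at least agree with what the thread says works.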