Hi everyone,

I am a seasoned Linux admin and my first foray into the world of
OpenBSD confronted me with a problem.
What I am trying to achieve is enabling authorization to an OpenBSD
machine against an existing OpenLDAP server (hosted on Linux).
In order to achieve that I followed these instructions:
https://blog.obtusenet.com/openbsd-and-ldap/
According to the instructions I changed the line in /etc/login.conf to
look like: 

auth-defaults:auth=ldap,passwd,skey:

then created /etc/login_ldap.conf:

host=ldap+tls://ldap.example.com
cacert=/etc/ssl/example.com.crt
scope=sub
timeout=15
basedn=ou=accounts,dc=example,dc=com
binddn=cn=reader,dc=example,dc=com
bindpw=secret
filter=(&(objectClass=posixAccount)(description=active)(uid=%u))
gbasedn=ou=groups,dc=example,dc=com
gfilter=(&(objectClass=posixGroup)(memberUid=%u))

put example.com into /etc/defaultdomain

enabled and started portmap service:

# rcctl enable portmap
# rcctl start portmap

After that I configured the /var/yp/example.com/ypservers.db file by
executing:

# ypinit -m

defining servers as:

localhost

It all got done without any errors.

After that I created /etc/ypldap.conf:

# $OpenBSD: ypldap.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $

domain          "example.com"
interval        60
provide map     "passwd.byname"
provide map     "passwd.byuid"
provide map     "group.byname"
provide map     "group.bygid"
provide map     "netid.byname"

directory "ldap.example.com" {
        # directory options
        binddn "cn=reader,dc=example,dc=com"
        bindcred "secret"
        basedn "ou=accounts,dc=example,dc=com"
        # starting point for groups directory search, default to basedn
        groupdn "ou=groups,dc=example,dc=com"

        # passwd maps configuration (RFC 2307 posixAccount object class)
        passwd filter "(&(objectClass=posixAccount)(description=active))"

        attribute name maps to "uid"
        attribute passwd maps to "userPassword"
#       fixed attribute passwd "*"
        attribute uid maps to "uidNumber"
        attribute gid maps to "gidNumber"
        attribute gecos maps to "cn"
        attribute home maps to "homeDirectory"
        attribute shell maps to "loginShell"
        fixed attribute change "0"
        fixed attribute expire "0"
        fixed attribute class ""

        # group maps configuration (RFC 2307 posixGroup object class)
        group filter "(&(objectClass=posixGroup)(memberUid=%u))"

        attribute groupname maps to "cn"
        fixed attribute grouppasswd "*"
        attribute groupgid maps to "gidNumber"
        # memberUid returns multiple group members
        list groupmembers maps to "memberUid"
}

and enabled and started the ypldap service:

# rcctl enable ypldap
# rcctl start ypldap

I also added "+:*::::::::" to /etc/master.passwd and updated database:

# echo '+:*::::::::' >> /etc/master.passwd
# pwd_mkdb -p /etc/master.passwd

After that I checked if LDAP users would be visible by using:

# getent passwd

but LDAP users are not visible.

In order to check ypldap I stopped the service and ran it as:

# rcctl stop ypldap
# ypldap -dv

and got:

startup [debug mode]
configuration starting
applying configuration
connecting to directories
starting directory update
searching password entries
searching group entries
updates are over, cleaning up trees now
flattening trees

pushing line:
ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
done pushing users
done pushing groups

so I deduced that the connection to the LDAP server is working, but when I
try to log in as user ttestic it does not work.

Could the problem be that OpenBSD now uses 11 as the default password
hashing cost, unlike in LDAP where the cost is 8?

If that is not the problem what could I do to troubleshoot my problem?
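Added example, not part of the original post: a small checker for the passwd map line that `ypldap -dv` prints above. It splits the line into the ten master.passwd(5) fields, then inspects the password field: it reports any RFC 2307 scheme prefix such as `{BCRYPT}` (an LDAP convention that is not part of the modular-crypt string crypt(3) parses), verifies the remainder is a well-formed 60-character bcrypt string, and reads the cost factor out of the hash itself, since bcrypt stores the cost in the hash rather than relying on the system default. The sample lines are constructed for the example (the first is the poster's line re-joined after mail wrapping); the function names are my own.

```python
import re

# Constructed sample: the line ypldap printed in the post, re-joined after
# the mail client wrapped the hash, plus two extra constructed lines.
SAMPLE_LINES = [
    "ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D."
    "0h541GVCf4F3GXTSoMX2DUBpZrSgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash",
    # constructed: same hash without the LDAP scheme prefix
    "bare:$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq:10043:10006::0:0:bare user:/home/bare:/bin/ksh",
    # constructed: hash cut short, as a wrapped/truncated attribute would be
    "short:$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZr:10044:10006::0:0:short user:/home/short:/bin/ksh",
]

# master.passwd(5) field order on OpenBSD (ten colon-separated fields)
FIELDS = ("name", "passwd", "uid", "gid", "class", "change", "expire", "gecos", "home", "shell")

# bcrypt modular-crypt format: $2[abxy]$NN$ + 22 salt chars + 31 hash chars
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# RFC 2307 userPassword scheme prefix, e.g. {BCRYPT}, {SSHA}, {CRYPT}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")


def parse_master_passwd_line(line):
    """Split one master.passwd-style line into a dict keyed by field name."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def inspect_password_field(passwd):
    """Describe the password field: scheme prefix, bcrypt well-formedness, cost."""
    result = {"scheme_prefix": None, "bcrypt_ok": False, "cost": None, "findings": []}
    hash_part = passwd
    m = SCHEME_RE.match(passwd)
    if m:
        result["scheme_prefix"] = m.group(1)
        hash_part = m.group(2)
        result["findings"].append(
            "LDAP scheme prefix present; crypt(3) expects the bare $2b$... string")
    bm = BCRYPT_RE.match(hash_part)
    if bm:
        result["bcrypt_ok"] = True
        result["cost"] = int(bm.group(1))  # cost is encoded in the hash itself
    else:
        result["findings"].append(
            "not a well-formed 60-character bcrypt string (truncated or wrapped?)")
    return result


def audit_passwd_map(lines):
    """Return {username: inspection result} for every line in a passwd map dump."""
    report = {}
    for line in lines:
        entry = parse_master_passwd_line(line)
        report[entry["name"]] = inspect_password_field(entry["passwd"])
    return report


if __name__ == "__main__":
    for name, info in audit_passwd_map(SAMPLE_LINES).items():
        status = "ok" if info["bcrypt_ok"] and not info["findings"] else "check"
        print(f"{name}: cost={info['cost']} prefix={info['scheme_prefix']} {status}")
        for f in info["findings"]:
            print(f"    - {f}")
```

Run it against the output of `ypldap -dv` (or `getent passwd` once the map is served) to see at a glance whether each entry's password field is something crypt(3) can verify; a cost of 8 versus the system default of 11 only affects how new hashes are generated, not whether an existing hash verifies.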


