Hi everyone, I am a seasoned Linux admin and my first foray into the world of OpenBSD has confronted me with a problem. What I am trying to achieve is enabling authorization on an OpenBSD machine against an existing OpenLDAP server (hosted on Linux). In order to achieve that I followed these instructions: https://blog.obtusenet.com/openbsd-and-ldap/

According to the instructions I changed the line in /etc/login.conf to look like:
    auth-defaults:auth=ldap,passwd,skey:

then created /etc/login_ldap.conf:

    host=ldap+tls://ldap.example.com
    cacert=/etc/ssl/example.com.crt
    scope=sub
    timeout=15
    basedn=ou=accounts,dc=example,dc=com
    binddn=cn=reader,dc=example,dc=com
    bindpw=secret
    filter=(&(objectClass=posixAccount)(description=active)(uid=%u))
    gbasedn=ou=groups,dc=example,dc=com
    gfilter=(&(objectClass=posixGroup)(memberUid=%u))

put example.com into /etc/defaultdomain, and enabled and started the portmap service:

    # rcctl enable portmap
    # rcctl start portmap

After that I configured the /var/yp/example.com/ypservers.db file by executing

    # ypinit -m

defining the servers as: localhost. It all got done without any errors. After that I created /etc/ypldap.conf:

    # $OpenBSD: ypldap.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $

    domain "example.com"
    interval 60
    provide map "passwd.byname"
    provide map "passwd.byuid"
    provide map "group.byname"
    provide map "group.bygid"
    provide map "netid.byname"

    directory "ldap.example.com" {
            # directory options
            binddn "cn=reader,dc=example,dc=com"
            bindcred "secret"
            basedn "ou=accounts,dc=example,dc=com"
            # starting point for groups directory search, default to basedn
            groupdn "ou=groups,dc=example,dc=com"

            # passwd maps configuration (RFC 2307 posixAccount object class)
            passwd filter "(&(objectClass=posixAccount)(description=active))"

            attribute name maps to "uid"
            attribute passwd maps to "userPassword"
            # fixed attribute passwd "*"
            attribute uid maps to "uidNumber"
            attribute gid maps to "gidNumber"
            attribute gecos maps to "cn"
            attribute home maps to "homeDirectory"
            attribute shell maps to "loginShell"
            fixed attribute change "0"
            fixed attribute expire "0"
            fixed attribute class ""

            # group maps configuration (RFC 2307 posixGroup object class)
            group filter "(&(objectClass=posixGroup)(memberUid=%u))"

            attribute groupname maps to "cn"
            fixed attribute grouppasswd "*"
            attribute groupgid maps to "gidNumber"
            # memberUid returns multiple group members
            list groupmembers maps to "memberUid"
    }

and enabled and started the ypldap service:

    # rcctl enable ypldap
    # rcctl start ypldap

I also added "+:*::::::::" to /etc/master.passwd and updated the database:

    # echo '+:*::::::::' >> /etc/master.passwd
    # pwd_mkdb -p /etc/master.passwd

After that I checked whether LDAP users would be visible by using

    # getent passwd

but LDAP users are not visible. In order to check ypldap I stopped the service and ran it as

    # rcctl stop ypldap
    # ypldap -dv

and got:

    startup [debug mode]
    configuration starting
    applying configuration
    connecting to directories
    starting directory update
    searching password entries
    searching group entries
    updates are over, cleaning up trees now
    flattening trees
    pushing line: ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
    done pushing users
    done pushing groups

so I deduced that the connection to the LDAP server is working, but when I try to log in as user ttestic it does not work. Could the problem be that by default OpenBSD now uses 11 as the default password hashing cost, unlike in LDAP where the cost is 8? If that is not the problem, what could I do to troubleshoot it?
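The question above turns on the bcrypt cost factor. As an added example (not code from the original post, nor from OpenBSD's ypldap or login_ldap), the parser below takes the {BCRYPT}-prefixed userPassword value that ypldap pushed in the debug output (visible in the line because the config maps the passwd attribute to userPassword rather than using the fixed "*") and splits it into its modular-crypt components. It shows that the cost (08, i.e. 2^8 key-expansion rounds) is carried inside the stored string itself: any bcrypt verifier reads the cost from the hash it is checking, so a different default cost on the verifying side only affects hashes that side creates, not hashes it verifies. The sample line is a copy of the one in the post; the field count check assumes the 10-field master.passwd layout that ypldap prints.

```python
"""Parse an RFC 2307-style {BCRYPT}-prefixed bcrypt string.

Added example, not code from the original post or from OpenBSD's ypldap/login_ldap.
bcrypt strings use the modular crypt format
    $<version>$<cost>$<22-char salt><31-char digest>
with bcrypt's own base64 alphabet (./A-Za-z0-9). The cost (log2 of the number
of key-expansion rounds) travels inside the stored string, so a verifier uses
the stored cost, never its own default.
"""
import re

# bcrypt's base64 alphabet differs from RFC 4648: it begins with '.' and '/'.
BCRYPT_B64 = r"[./A-Za-z0-9]"
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    rf"(?P<salt>{BCRYPT_B64}{{22}})(?P<digest>{BCRYPT_B64}{{31}})$"
)
# Optional RFC 2307 scheme prefix as stored in an LDAP userPassword attribute.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")


def parse_bcrypt(stored: str) -> dict:
    """Return the components of a bcrypt string, stripping an optional
    RFC 2307 scheme prefix such as {BCRYPT} or {CRYPT}.
    Raises ValueError on anything malformed."""
    scheme, value = None, stored
    m = SCHEME_RE.match(value)
    if m:
        scheme, value = m.group(1).upper(), m.group(2)
    hit = BCRYPT_RE.match(value)
    if not hit:
        raise ValueError(f"not a bcrypt modular-crypt string: {stored!r}")
    cost = int(hit.group("cost"))
    if not 4 <= cost <= 31:  # bcrypt's defined cost range
        raise ValueError(f"bcrypt cost out of range: {cost}")
    return {
        "scheme": scheme,
        "version": hit.group("version"),
        "cost": cost,
        "rounds": 2 ** cost,
        "salt": hit.group("salt"),
        "digest": hit.group("digest"),
    }


def is_bcrypt(stored: str) -> bool:
    """True if the value is a well-formed (optionally {SCHEME}-prefixed) bcrypt string."""
    try:
        parse_bcrypt(stored)
        return True
    except ValueError:
        return False


def cost_from_passwd_line(line: str) -> int:
    """Take a master.passwd-format line (as printed by `ypldap -dv` after
    'pushing line: ') and return the bcrypt cost of its password field.
    Assumes the 10-field master.passwd layout ypldap emits."""
    fields = line.split(":")
    if len(fields) != 10:
        raise ValueError(f"expected 10 master.passwd fields, got {len(fields)}")
    return parse_bcrypt(fields[1])["cost"]


# Sample input: a copy of the line ypldap pushed in the post above.
SAMPLE_LINE = (
    "ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq"
    ":10042:10006::0:0:test testic:/home/ttestic:/bin/bash"
)

if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE_LINE.split(":")[1])
    print(f"scheme={info['scheme']} version={info['version']} "
          f"cost={info['cost']} (2^{info['cost']} = {info['rounds']} rounds)")
```

Run it against any line from `ypldap -dv` output with the `pushing line: ` prefix removed; a password field that fails `is_bcrypt` (for example a fixed "*" or an {SSHA} value) means no bcrypt hash was published for that user at all.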