Hi Stuart, adding all of my users to /etc/master.passwd would be administrative burden, I would have to do that on every OpenBSD box and removing users would mean I'll have to remove users from all OpenBSD boxes so I am trying to avoid that. Since shell is retrieved from LDAP and is used to log in to Linux boxes too I just set it as is set on Linux (installed bash on OpenBSD prior to setting LDAP authentication). Why is bash a bad idea on OpenBSD?
-----Original Message----- From: Stuart Henderson <stu.li...@spacehopper.org> To: misc@openbsd.org Subject: Re: Problems with LDAP authorization against OpenLDAP server Date: Fri, 14 Oct 2022 11:29:34 -0000 (UTC) On 2022-10-14, Željko Puškarić < zpuska...@hzhm.hr > wrote: > I am a seasoned Linux admin and my first forray into the world of > OpenBSD confronted me with a problem. > What I am trying to achieve is enabling authorization to OpenBSD > machine against existing OpenLDAP server (hosted on Linux). > I order to achieve that I followed these instructions: > https://blog.obtusenet.com/openbsd-and-ldap/ > I would start by adding as master.passwd entry for your user (you can just put * as the hashed password) and try to login while using login_ldap to handle the password. That way you can at least confirm that login_ldap is working while investigating ypldap. I can't help much with ypldap (I had it working once but decided to just build static master.passwd files based on the contents of ldap and push them out as it was much simpler and login_ldap did most of what I wanted), but a couple of quick comments, other than that /var/log/authlog might give some clues... > attribute passwd maps to "userPassword" > # fixed attribute passwd "*" > ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBp > Zr > SgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash Since you're using login_ldap you don't need the userPassword->passwd map, I think it's simpler to use "fixed attribute *" so it's clear that the password auth is not being done via yp. (login_ldap does a live check at login time, whereas if you were authing via the yp map then 1) you would need to avoid the {BCRYPT} prefix and 2) caching will get in the way of password changes etc). Probably /bin/bash is not what you want as a shell for OpenBSD boxes. > fixed attribute class "" I used a separate class for ldap users set ('fixed attribute class "ldap"'), and created that class in login.conf with "auth=ldap" (so that only the users I expected to come from ldap tried to use ldap for authentication).
