Hi Stuart,

Adding all of my users to /etc/master.passwd would be an administrative
burden; I would have to do that on every OpenBSD box, and removing users would
mean I'd have to remove users from all OpenBSD boxes, so I am trying to avoid
that.
Since the shell is retrieved from LDAP and is used to log in to Linux boxes
too, I just set it as it is set on Linux (I installed bash on OpenBSD prior
to setting up LDAP authentication).
Why is bash a bad idea on OpenBSD?


-----Original Message-----
From: Stuart Henderson <stu.li...@spacehopper.org>
To: misc@openbsd.org
Subject: Re: Problems with LDAP authorization against OpenLDAP server
Date: Fri, 14 Oct 2022 11:29:34 -0000 (UTC)

On 2022-10-14, Željko Puškarić <zpuska...@hzhm.hr> wrote:
> I am a seasoned Linux admin and my first foray into the world of
> OpenBSD confronted me with a problem.
> What I am trying to achieve is enabling authorization to an OpenBSD
> machine against an existing OpenLDAP server (hosted on Linux).
> In order to achieve that I followed these instructions:
> https://blog.obtusenet.com/openbsd-and-ldap/
> 

I would start by adding a master.passwd entry for your user (you
can just put * as the hashed password) and try to log in while using
login_ldap to handle the password.

That way you can at least confirm that login_ldap is working while
investigating ypldap.

I can't help much with ypldap (I had it working once but decided to
just build static master.passwd files based on the contents of ldap and
push them out as it was much simpler and login_ldap did most of what
I wanted), but a couple of quick comments, other than that
/var/log/authlog might give some clues...

>       attribute passwd maps to "userPassword"
> #     fixed attribute passwd "*"
> ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash

Since you're using login_ldap you don't need the userPassword->passwd
map; I think it's simpler to use "fixed attribute *" so it's clear that
the password auth is not being done via yp. (login_ldap does a live check
at login time, whereas if you were authing via the yp map then 1) you
would need to avoid the {BCRYPT} prefix and 2) caching will get in the
way of password changes etc.)

Probably /bin/bash is not what you want as a shell for OpenBSD boxes.

>       fixed attribute class ""

I used a separate class for ldap users (set with 'fixed attribute class
"ldap"'), and created that class in login.conf with "auth=ldap" (so
that only the users I expected to come from ldap tried to use ldap for
authentication).
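As an added illustration (not part of Stuart's or Željko's messages), the two fragments below put the advice from this thread together: a ypldap.conf(5) directory block that exports a locked "*" password and places LDAP users in a dedicated login class, and the login.conf(5) class of that name that hands password checks to login_ldap(8). Only the two "fixed attribute" lines and "auth=ldap" come from the thread; the domain, server name, base DN, filter and the other attribute maps are assumptions for a typical RFC 2307 posixAccount tree and need changing for a real directory.

```conf
# /etc/ypldap.conf (added example; domain, directory, basedn, filter and
# the attribute maps other than the two "fixed" lines are assumptions)
domain "example.com"
interval 60
provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"

directory "ldap.example.com" {
	basedn "ou=People,dc=example,dc=com"

	# passwd maps (RFC 2307 posixAccount)
	passwd filter "(objectClass=posixAccount)"
	attribute name maps to "uid"
	# Do not map userPassword. login_ldap checks the password live at login
	# time, so the yp map only carries a locked placeholder; this also avoids
	# the {BCRYPT} prefix problem and stale cached hashes after a change.
	fixed attribute passwd "*"
	attribute uid maps to "uidNumber"
	attribute gid maps to "gidNumber"
	attribute gecos maps to "cn"
	attribute home maps to "homeDirectory"
	attribute shell maps to "loginShell"
	fixed attribute change "0"
	fixed attribute expire "0"
	# Every LDAP user lands in the "ldap" login class, so only those users
	# are ever sent through login_ldap; local accounts keep their own class.
	fixed attribute class "ldap"

	# group maps (RFC 2307 posixGroup)
	group filter "(objectClass=posixGroup)"
	list groupname maps to "cn"
	fixed attribute grouppasswd "*"
	attribute groupgid maps to "gidNumber"
	list groupmembers maps to "memberUid"
}

# /etc/login.conf: the class named by "fixed attribute class" above.
# It inherits everything from "default" and only overrides the auth style.
ldap:\
	:auth=ldap:\
	:tc=default:
```

login_ldap's own server settings are configured separately (see login_ldap(8)) and are not shown here. If /etc/login.conf.db exists it must be rebuilt with cap_mkdb(1) after editing login.conf, otherwise the new class is not seen. After `rcctl restart ypldap`, `ypcat passwd | grep '^ttestic:'` should show the entry with "*" in the password field; a login that still fails leaves its reason in /var/log/authlog, as Stuart notes above.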
