On Fri, Oct 14, 2022 at 12:48:05PM +0200, Željko Puškarić wrote:
> Hi everyone,
>
> I am a seasoned Linux admin and my first foray into the world of
> OpenBSD confronted me with a problem.
> What I am trying to achieve is enabling authorization to OpenBSD
> machine against existing OpenLDAP server (hosted on Linux).
> In order to achieve that I followed these instructions:
> https://blog.obtusenet.com/openbsd-and-ldap/
> According to the instructions I changed the line in /etc/login.conf to
> look like:
>
> auth-defaults:auth=ldap,passwd,skey:
>
> then created /etc/login_ldap.conf:
>
> host=ldap+tls://ldap.example.com
> cacert=/etc/ssl/example.com.crt
> scope=sub
> timeout=15
> basedn=ou=accounts,dc=example,dc=com
> binddn=cn=reader,dc=example,dc=com
> bindpw=secret
> filter=(&(objectClass=posixAccount)(description=active)(uid=%u))
> gbasedn=ou=groups,dc=example,dc=com
> gfilter=(&(objectClass=posixGroup)(memberUid=%u))
>
> put example.com into /etc/defaultdomain
The domain name written to the file is only applied at boot time.
You can set it without rebooting by running 'domainname example.com'.
>
> enabled and started portmap service:
>
> # rcctl enable portmap
> # rcctl start portmap
>
> After that I configured the /var/yp/example.com/ypservers.db file by
> executing:
>
> # ypinit -m
>
> defining servers as:
>
> localhost
>
> It all got done without any errors.
You don't need to run ypinit to use ypldap.
>
> After that created /etc/ypldap.conf:
>
> # $OpenBSD: ypldap.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
>
> domain "example.com"
> interval 60
> provide map "passwd.byname"
> provide map "passwd.byuid"
> provide map "group.byname"
> provide map "group.bygid"
> provide map "netid.byname"
>
> directory "ldap.example.com" {
> # directory options
> binddn "cn=reader,dc=example,dc=com"
> bindcred "secret"
> basedn "ou=accounts,dc=example,dc=com"
> # starting point for groups directory search, default to basedn
> groupdn "ou=groups,dc=example,dc=com"
>
> # passwd maps configuration (RFC 2307 posixAccount object class)
> passwd filter "(&(objectClass=posixAccount)(description=active))"
>
> attribute name maps to "uid"
> attribute passwd maps to "userPassword"
> # fixed attribute passwd "*"
> attribute uid maps to "uidNumber"
> attribute gid maps to "gidNumber"
> attribute gecos maps to "cn"
> attribute home maps to "homeDirectory"
> attribute shell maps to "loginShell"
> fixed attribute change "0"
> fixed attribute expire "0"
> fixed attribute class ""
>
> # group maps configuration (RFC 2307 posixGroup object class)
> group filter "(&(objectClass=posixGroup)(memberUid=%u))"
>
> attribute groupname maps to "cn"
> fixed attribute grouppasswd "*"
> attribute groupgid maps to "gidNumber"
> # memberUid returns multiple group members
> list groupmembers maps to "memberUid"
> }
>
> and enabled and started the ypldap service:
>
> # rcctl enable ypldap
> # rcctl start ypldap
>
> I also added "+:*::::::::" to /etc/master.passwd and updated database:
>
> # echo '+:*::::::::' >> /etc/master.passwd
> # pwd_mkdb -p /etc/master.passwd
>
> After that I checked if LDAP users would be visible by using:
>
> # getent passwd
>
> but LDAP users are not visible.
Is ypbind running?
>
> In order to check ypldap i stopped the service and run it as:
>
> # rcctl stop ypldap
> # ypldap -dv
>
> and got:
>
> startup [debug mode]
> configuration starting
> applying configuration
> connecting to directories
> starting directory update
> searching password entries
> searching group entries
> updates are over, cleaning up trees now
> flattening trees
>
> pushing line:
> ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
> done pushing users
> done pushing groups
>
> so I deduced that the connection to the LDAP server is working, but when I
> try to log in as user ttestic it does not work.
>
> Could the problem be that by default OpenBSD now uses 11 as the default
> password hashing cost, unlike in LDAP where the cost is 8?
>
> If that is not the problem what could I do to troubleshoot my problem?
If the user shows up in the ypldap debug output, but isn't visible with
getent, libc isn't talking to ypldap. If the domain name isn't set or
ypbind isn't running, libc won't talk to ypldap.
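The reply's diagnosis walks the chain libc -> ypbind -> ypldap -> LDAP one link at a time. The script below is an added example that is not part of the thread or of OpenBSD: it turns that checklist into a runnable helper. It assumes the standard OpenBSD tools rcctl(8), domainname(1), ypwhich(1), ypmatch(1) and getent(1), the file /etc/master.passwd, and a saved `ypldap -dv` transcript for the offline check; the username and file names passed to it are whatever the operator supplies.

```sh
#!/bin/sh
# ypldap_check.sh - added troubleshooting helper (not from the thread or from
# OpenBSD). Checks each link in the chain libc -> ypbind -> ypldap -> LDAP in
# the order the reply suggests, and reports the first link that is broken.
#
# Assumed commands: rcctl(8), domainname(1), ypwhich(1), ypmatch(1), getent(1).
# Assumed file: /etc/master.passwd. The user name is given on the command line.

# Does a master.passwd-style file ($1) contain the NIS "+:" include line that
# tells libc to consult the YP maps at all?
has_nis_include() {
    grep -q '^+:' "$1"
}

# Does a saved "ypldap -dv" transcript ($1) push a passwd entry for user $2?
# (The debug dump prints one master.passwd-style line per LDAP user.)
user_in_ypldap_dump() {
    grep -q "^$2:" "$1"
}

# Live checks: run on the OpenBSD host as root with a username argument.
# Returns 0 only if every link in the chain looks healthy.
check_live() {
    user=$1
    rc=0

    # libc only asks YP when a domain name is set; the file /etc/defaultdomain
    # is read at boot, so a fresh install needs 'domainname example.com' too.
    dom=$(domainname)
    if [ -z "$dom" ]; then
        echo "domainname is empty; set it with: domainname <domain>"
        rc=1
    fi

    # All three daemons are needed: portmap for RPC, ypldap as the map
    # server, ypbind so libc has a server to talk to.
    for svc in portmap ypldap ypbind; do
        rcctl check "$svc" >/dev/null || { echo "$svc is not running"; rc=1; }
    done

    if ! has_nis_include /etc/master.passwd; then
        echo "no '+:' line in /etc/master.passwd (add it, then pwd_mkdb -p)"
        rc=1
    fi

    # ypwhich only answers once ypbind has bound to a server for $dom.
    ypwhich >/dev/null 2>&1 || { echo "ypbind is not bound to a server"; rc=1; }

    # ypmatch queries the map directly, bypassing libc's getpwnam() path.
    ypmatch "$user" passwd >/dev/null 2>&1 \
        || { echo "$user is not in the passwd map served by ypldap"; rc=1; }

    # getent goes through libc; if ypmatch works but this fails, the '+:'
    # line or the domain name is the problem, not LDAP or ypldap.
    getent passwd "$user" >/dev/null \
        || { echo "getent cannot see $user (libc is not consulting YP)"; rc=1; }

    return $rc
}

if [ $# -gt 0 ]; then
    check_live "$1"
fi
```

Usage on the host: `sh ypldap_check.sh ttestic`. The two file-based functions can also be run against a copy of master.passwd and a saved `ypldap -dv` transcript on any machine, which is useful when comparing what ypldap pushes with what libc actually sees.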