Valid ypldap.conf for Active Directory

2009-07-09 Thread Eduardo Alvarenga
Does anyone have a working ypldap.conf that can work with AD?

Here's mine:

# cat /etc/ypldap.conf

interval 100
domain "osalva.net"

provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"

directory "ad.osalva.net" {
   # directory options
   binddn "uxs...@osalva.net"
   bindcred "pass123"
   basedn "ou=UNIX,dc=osalva,dc=net"

   # passwd maps configuration
   passwd filter "(&(objectClass=user))"

   attribute name maps to "uid"
   fixed attribute passwd "*"
   attribute uid maps to "uidNumber"
   attribute gid maps to "gidNumber"
   attribute gecos maps to "cn"
   attribute home maps to "homeDirectory"
   fixed attribute shell "/bin/ksh"
   fixed attribute change "0"
   fixed attribute expire "0"
   fixed attribute class "ldap"

   # group maps configuration
   group filter "(objectClass=group)"

   attribute groupname maps to "cn"
   fixed attribute grouppasswd "*"
   attribute groupgid maps to "gidNumber"
   list groupmembers maps to "memberUid"
}

ypldap -dv gets stuck at:

# ypldap -dv
startup [debug mode]
configuration starting
applying configuration
connecting to directories
starting directory update
updates are over, cleaning up trees now
flattening trees

Running ldapsearch returns the info I want, but there might be something
wrong with ypldap configuration.
Please let me know if you have any working setup.


Regards,

--
Eduardo Alvarenga
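One way to see which AD entries would actually make it into the maps produced by the configuration above: an added diagnostic, not part of the original post or of ypldap itself. It assumes that ypldap drops an entry lacking any non-fixed mapped attribute, that the passwd maps carry master.passwd(5)-style lines, and the AD-style LDIF entries below are constructed.

```python
# Attribute mapping copied from the ypldap.conf above ("attribute X maps to Y").
PASSWD_ATTRS = {"name": "uid", "uid": "uidNumber", "gid": "gidNumber",
                "gecos": "cn", "home": "homeDirectory"}
# "fixed attribute X" values from the same file.
PASSWD_FIXED = {"passwd": "*", "shell": "/bin/ksh", "change": "0",
                "expire": "0", "class": "ldap"}
# master.passwd(5) field order, assumed to be what the passwd maps carry.
FIELDS = ["name", "passwd", "uid", "gid", "class", "change", "expire",
          "gecos", "home", "shell"]

# Constructed AD-style entries: alice has RFC 2307 attributes, bob does not.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=UNIX,DC=osalva,DC=net
objectClass: user
cn: Alice Example
uid: alice
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/alice

dn: CN=Bob Example,OU=UNIX,DC=osalva,DC=net
objectClass: user
cn: Bob Example
sAMAccountName: bob

dn: CN=unix-users,OU=UNIX,DC=osalva,DC=net
objectClass: group
cn: unix-users
gidNumber: 10000
"""


def parse_ldif(text):
    """Minimal LDIF reader (no base64 or continuation lines): returns one
    attribute -> [values] dict per blank-line-separated entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries


def build_passwd(entries):
    """Apply the passwd mapping as ypldap does (assumption: an entry lacking any
    mapped attribute is dropped). Returns (lines, [(dn, missing_attr), ...])."""
    lines, skipped = [], []
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue  # would not match the "(objectClass=user)" passwd filter
        missing = next((a for a in PASSWD_ATTRS.values() if a not in e), None)
        if missing:
            skipped.append((e["dn"][0], missing))
            continue
        row = dict(PASSWD_FIXED)
        for field, attr in PASSWD_ATTRS.items():
            row[field] = e[attr][0]
        lines.append(":".join(row[f] for f in FIELDS))
    return lines, skipped
```

Fed with a real ldapsearch export of the basedn, an empty `lines` list with every account showing up in `skipped` points at attributes the directory never populates, not at the search filter.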



Re: Who runs OpenBSD with Adaptec ?

2009-04-09 Thread Eduardo Alvarenga
sabled
> pciide0 at pci0 dev 31 function 1 "Intel 82801HBM IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
> atapiscsi0 at pciide0 channel 0 drive 0
> scsibus0 at atapiscsi0: 2 targets, initiator 7
> cd0 at scsibus0 targ 0 lun 0:  ATAPI 5/cdrom removable
> cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 ignored (disabled)
> pciide1 at pci0 dev 31 function 2 "Intel 82801HBM SATA" rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
> pciide1: using irq 10 for native-PCI interrupt
> wd0 at pciide1 channel 0 drive 0:
> wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
> wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
> ichiic0 at pci0 dev 31 function 3 "Intel 82801H SMBus" rev 0x02: SMI
> iic0 at ichiic0
> spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-6400CL5 SO-DIMM
> spdmem1 at iic0 addr 0x52: 1GB DDR2 SDRAM non-parity PC2-6400CL5 SO-DIMM
> usb2 at uhci0: USB revision 1.0
> uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb3 at uhci1: USB revision 1.0
> uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb4 at uhci2: USB revision 1.0
> uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb5 at uhci3: USB revision 1.0
> uhub5 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb6 at uhci4: USB revision 1.0
> uhub6 at usb6 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> isa0 at ichpcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> pckbc0: using irq 12 for aux slot
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0:
> spkr0 at pcppi0
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> biomask efe5 netmask efed ttymask
> mtrr: Pentium Pro MTRR support
> umass0 at uhub1 port 1 configuration 1 interface 0 "Kingston DataTraveler 2.0" rev 2.00/2.00 addr 2
> umass0: using SCSI over Bulk-Only
> scsibus1 at umass0: 2 targets, initiator 0
> sd0 at scsibus1 targ 1 lun 0:  SCSI2 0/direct removable
> sd0: 3858MB, 491 cyl, 255 head, 63 sec, 512 bytes/sec, 7902208 sec total
> softraid0 at root
> root on sd0a swap on sd0b dump on sd0b
>
> FreeBSD 7.1's dmesg:
> aac0:  port 0x4000-0x40ff mem 0xcce0-0xccff,0xcafe-0xcaff irq 17 at device 0.0 on pci2
> aac0: Enable Raw I/O
> aac0: Enable 64-bit array
> aac0: New comm. interface enabled
> aac0: [ITHREAD]
> aac0: ServeRAID 8k-l  , aac driver 2.0.0-1


-- 
Eduardo Alvarenga



Re: openssh and hideversion.patch

2008-04-22 Thread Eduardo Alvarenga
Security by obscurity is not the case in OpenBSD.

IMHO.


Regards,

2008/4/22 sricci <[EMAIL PROTECTED]>:

>  hi,
>
>  what's your opinion about the OpenSSH hideversion.patch? (it is a
> patch to hide the version of the sshd service)
>
>  the current FAQ about this issue
> http://www.openssh.org/faq.html#2.14 [1] which essentially says that
> this is necessary for compatibility because the SSH protocol is not
> finished.
>
>  http://www.kramse.dk/files/patches/openssh/openssh-hideversion.patch
>
>
>  I tested and technically my client can connect normally. Is this patch
> recognized by the OpenSSH core team?
>
>  what to think ?
>
>  thanks,
>
>  -sri-
>
> Links:
> --
> [1] http://www.openssh.org/faq.html#2.14
>
>


-- 
Eduardo Alvarenga



Re: Authenticate squid in Active Directory

2008-02-08 Thread Eduardo Alvarenga
2008/2/8, Karl Karlsson <[EMAIL PROTECTED]>:
> 2008/2/8, Eduardo Alvarenga <[EMAIL PROTECTED]>:
> >
> > A long time ago I asked the developers to implement nsswitch
> > compatibility on OpenBSD, for the sake of automatic user
> > synchronization with AD. The answer was not positive.
> >
> > There is also a patch that implements this hanging around. Got to ask
> > Google :-)
> >
> > Maybe it's time for OpenBSD to become more competitive and introduce
> > industry standards on its userland.
> >
> >
> Little OT but anyway, what do you exactly mean with "industry standards"?
> As far as I can see PAM is making its way through on more and more different
> UNIX systems. If PAM is "industry standard" one should stay as far away from
> standards as possible.

nsswitch - System Databases and Name Service Switch
PAM - Pluggable Authentication Modules

Forgive me if I misunderstood your reply, but PAM has NOTHING to do
with nsswitch.

When I say "industry standards" I mean the methods to obtain something
and not a specific way to do it.

OpenBSD products like SSH, NTPD, BGPD, OSPFD, etc follow industry standards.

Maybe it's time to interconnect user databases with other systems, and
one possible way is to implement nsswitch-like compatibility.

-- 
Eduardo Alvarenga



Re: Authenticate squid in Active Directory

2008-02-08 Thread Eduardo Alvarenga
A long time ago I asked the developers to implement nsswitch
compatibility on OpenBSD, for the sake of automatic user
synchronization with AD. The answer was not positive.

There is also a patch that implements this hanging around. Got to ask Google :-)

Maybe it's time for OpenBSD to become more competitive and introduce
industry standards on its userland.

2008/2/8, Leonardo Rodrigues <[EMAIL PROTECTED]>:
> > I'm not sure I fully understand:
> > I was under the impression that NT, up to NT 4, used the PDC/BDC
> > model, and W2K and later used AD. While the kernel-panic tutorial does
> > seem to address using OpenBSD to handle logins to NT4-compatible
> > domains (including logins to such domains from W2K/WXP clients), it
> > seems to me that it's not offering anything that's truly
> > interchangeable with AD. Please correct me if I'm wrong.
> >
> > Thanks and regards,
> > --ropers
> >
> >
>
> SAMBA version 3 does not offer a complete AD solution. That's promised
> for SAMBA v4 though...
>
> The tutorial at kernel-panic is a good one, but I do not see the point
> of using ldap, instead of the standard samba backend for example,
> since user account database replication is not likely to work on SAMBA
> + OpenBSD, unless one automates the process of creating local accounts
> on each machine along with the ldap accounts.
>
>
> --
> An OpenBSD user... and that's all you need to know =)
>
> Please, send private emails to [EMAIL PROTECTED]
>
>


-- 
Eduardo Alvarenga



Re: Authenticate squid in Active Directory

2008-02-04 Thread Eduardo Alvarenga
I am the patch author.

It has been working since its first implementation.
Maybe it's time for the maintainers to consider committing it.

2008/2/4, David Gwynne <[EMAIL PROTECTED]>:
> On 04/02/2008, at 8:13 PM, Lars Noodin wrote:
>
> > Luca Dell'Oca wrote:
> >> I would like to authenticate user and password of users in an Active
> >> Directory
> >
> > No.  You wouldn't.
>
> pretty sure he would. it's useful.
>
>


-- 
Eduardo Alvarenga



Re: Buy now & get ISO images to OpenBSD 5.0???

2008-01-07 Thread Eduardo Alvarenga
If you read here[1], you can notice that by paying $49, you can keep
on downloading PFW updated iso images ** UNTIL ** OpenBSD 5.0.

That's a lot of time IMHO :-)

[1] http://www.allard.nu/pfw/iso (How much is it and what do I get?)


Regards,

2008/1/7, johan beisser <[EMAIL PROTECTED]>:
> On Jan 6, 2008, at 5:35 PM, Sevan / Venture37 wrote:
>
> > Alright Theo, where have you stashed the code??
> > http://www.allard.nu/pfw/pics/buynow.png
> >
> > http://www.allard.nu/pfw/
>
> Hmm. PHP5 based interface with the PF ruleset? Only thing it's really
> missing is some method to manage interfaces, dhcp, etc.
>
> And, BSD licensed. Nifty.
>
>


-- 
Eduardo Alvarenga



OpenBSD on ia64

2007-12-20 Thread Eduardo Alvarenga
Any news regarding OpenBSD on Itanium processors?


Regards,

-- 
Eduardo Alvarenga



qmail is now on Public Domain

2007-12-01 Thread Eduardo Alvarenga
Qmail is now public domain:
http://cr.yp.to/qmail/dist.html

" I hereby place the qmail package (in particular, qmail-1.03.tar.gz, with
MD5 checksum 622f65f982e380dbe86e6574f3abcb7c) into the public domain. You
are free to modify the package, distribute modified versions, etc."

Does anyone know anything about djbdns, daemontools, ucspi-tcp et al.? I
think they are already public domain.


Maybe a port is now welcome. Marc ?


Regards,

-- 
Eduardo Alvarenga



Re: scp doesn't recognize 127.0.0.1* as filename

2007-11-26 Thread Eduardo Alvarenga
It doesn't work either.

[EMAIL PROTECTED] crash]# scp 127.0.0.1-2007-11-26-18\:31/ [EMAIL PROTECTED]:/u02/snap
ssh: 127.0.0.1-2007-11-26-18: Name or service not known

[EMAIL PROTECTED] crash]# scp "127.0.0.1-2007-11-26-18:31" [EMAIL PROTECTED]:/u02/snap
ssh: 127.0.0.1-2007-11-26-18: Name or service not known

Maybe a bug?

2007/11/26, Daniel Horecki <[EMAIL PROTECTED]>:
>
> On Nov 26, 2007 10:24 PM, Eduardo Alvarenga <[EMAIL PROTECTED]>
> wrote:
> > Hi there,
> >
> > [EMAIL PROTECTED] crash]# scp -r 127.0.0.1-2007-11-26-18:31 [EMAIL PROTECTED]:/u02/snap
> > ssh: 127.0.0.1-2007-11-26-18: Name or service not known
> >
> > 127.0.0.1-2007-11-26-18:31 is a directory
> >
> > It seems that scp is not understanding that 127.0.0.1-2007-11-26-18:31 is a
> > directory.
> > Can anyone help?
> >
>
> Add \ before ":" char:
>
> scp -r 127.0.0.1-2007-11-26-18\:31 [EMAIL PROTECTED]:/u02/snap
>
> Or you can add " " around name of directory. Should work. scp uses :
> to split between host and file to copy.
>
> morr
>
> --
> Daniel Horecki
> http://morr.pl
>



--
Eduardo Alvarenga



Re: scp doesn't recognize 127.0.0.1* as filename

2007-11-26 Thread Eduardo Alvarenga
By using ./ before the directory/filename it worked.
Is it expected?


Regards,

2007/11/26, Gilles Chehade <[EMAIL PROTECTED]>:
>
> On Mon, Nov 26, 2007 at 07:24:09PM -0200, Eduardo Alvarenga wrote:
> > Hi there,
> >
> > [EMAIL PROTECTED] crash]# scp -r 127.0.0.1-2007-11-26-18:31 [EMAIL PROTECTED]:/u02/snap
> > ssh: 127.0.0.1-2007-11-26-18: Name or service not known
> >
> > 127.0.0.1-2007-11-26-18:31 is a directory
> >
> > It seems that scp is not understanding that 127.0.0.1-2007-11-26-18:31 is a
> > directory.
> > Can anyone help?
> >
> > This is an OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003 running on RHEL 4.4
> >
> >
> > Regards,
> >
>
> It is not the 127.0.0.1 part that is not recognized, it is the fact that
> parameters which contain ':' are assumed to be of the form 'host:file'.
> In this case, it is trying to scp the file '31' from host
> 127.0.0.1-2007-11-26-18
>


-- 
Eduardo Alvarenga
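What the thread above is running into, as an added illustration that is not from the posts or from OpenSSH: the rule scp applies when deciding whether an argument names a remote host, re-implemented in Python and run over the exact arguments from the posts. It assumes the rule is "the first ':' splits host from path unless a '/' or a leading ':' comes before it", which is what both the error messages and the `./` workaround reported above show.

```python
# Mirrors the rule scp uses to decide whether an argument is "[user@]host:path"
# (assumption: a ':' that appears before any '/' marks a remote argument; a
# leading ':' or a '/' seen first means a local file).
def colon(arg):
    """Return the index of the host/path separator, or None for a local file."""
    if arg.startswith(":"):
        return None
    for i, ch in enumerate(arg):
        if ch == ":":
            return i
        if ch == "/":
            return None
    return None


def classify(arg):
    """Split an scp argument the way scp would: ('local', path) or
    ('remote', host, path)."""
    i = colon(arg)
    if i is None:
        return ("local", arg)
    return ("remote", arg[:i], arg[i + 1:])


# The arguments from the thread as scp receives them, i.e. after the shell has
# already removed the backslash or the quotes (constructed from the posts).
THREAD_ARGS = {
    "original": "127.0.0.1-2007-11-26-18:31",
    "escaped colon, trailing slash": "127.0.0.1-2007-11-26-18:31/",
    "double quoted": "127.0.0.1-2007-11-26-18:31",
    "dot-slash prefix": "./127.0.0.1-2007-11-26-18:31",
}


def explain(args=THREAD_ARGS):
    """Return {label: classification} for each attempt in the thread."""
    return {label: classify(a) for label, a in args.items()}


def safe_local(path):
    """Anchor a local path so scp can never take it for host:path."""
    return path if path.startswith("/") else "./" + path
```

Scripts that hand externally chosen file names to scp should anchor them with `./` or an absolute path, as `safe_local` does, so that a name containing ':' cannot redirect the copy to a host of that name.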



scp doesn't recognize 127.0.0.1* as filename

2007-11-26 Thread Eduardo Alvarenga
Hi there,

[EMAIL PROTECTED] crash]# scp -r 127.0.0.1-2007-11-26-18:31 [EMAIL PROTECTED]:/u02/snap
ssh: 127.0.0.1-2007-11-26-18: Name or service not known

127.0.0.1-2007-11-26-18:31 is a directory

It seems that scp is not understanding that 127.0.0.1-2007-11-26-18:31 is a
directory.
Can anyone help?

This is an OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003 running on RHEL 4.4


Regards,

-- 
Eduardo Alvarenga



Re: OpenBSD dedicated hosting

2006-09-18 Thread Eduardo Alvarenga

2006/9/18, Jared Solomon <[EMAIL PROTECTED]>:

On 9/16/06, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> Gilles Chehade wrote:
> > Hi misc@,
> >
> > I am looking for companies that provide OpenBSD-powered dedicated hosting.
> > Currently, I am being hosted by a french company which turned out to be as
> > incompetent as can be, and I am willing to switch as soon as possible
> > (preferably before the 25th of September).

> Currently I use http://www.geekisp.com  They use OpenBSD, and I have
> had zero complaints with their service.


I recommend New York Internet. http://www.nyi.net

Regards,

--
Eduardo Alvarenga



Re: Active Directory authentication

2006-08-15 Thread Eduardo Alvarenga

2006/8/15, Steve Shockley <[EMAIL PROTECTED]>:

> I'm researching setting up a wireless gateway using OpenBSD and authpf.
> We've got an existing Active Directory (2003) domain with about 5000
> user accounts that I'd like to authenticate against.
>
> LDAP seemed like the obvious choice, but it appears I need to create
> local accounts to use login_ldap, and it'd be unwieldy to sync 5000
> users.  There's also a patch for nsswitch, but I'd rather not use a
> custom build if I don't have to.
>
> Kerberos also sounded like a good idea, but if I understand correctly,
> the clients would need a Kerberized ssh client, and they'd have to be
> able to access the KDC before logging in to the gateway.


LDAP integration seems to be one of the next goals of OpenBSD.

What you can do now is to deploy Services for UNIX (SFU) on your
Windows Server system, activate client NIS compatibility, and then
set up your OpenBSD server for NIS.

Windows Server R2 already has SFU built in. Not sure about the NIS service.


Regards,

--
Eduardo Alvarenga



Re: Xen domU for OpenBSD/amd64 demo

2006-06-13 Thread Eduardo Alvarenga

> you can now download a beta version of the OpenBSD/amd64 port for Xen at
> http://cancel.adviseo.net/Open-BSD


Is this effort unique for amd64? Will i386 be supported too?
Congratulations for the great job!


Best Regards,

--
Eduardo Alvarenga



Re: rc.conf.local update_motd=NO

2006-04-20 Thread Eduardo Alvarenga
> > The patch prevents rc from adding these two lines into the motd file.
> > What I want is to not show information about the system and *JUST* my
> > personal motd, for security purposes and to follow the company's
> > policy.
>
> What security purposes? You have local users who you don't trust to know the
> operating system? Users who can't run "uname"?

Yes I have. And the main reason is the company's policy. Every SunOS,
AIX, HP-UX, Linux, FreeBSD (which already has update_motd built in)
server in the company has a specific banner for many purposes, not
even security, but for information, and sometimes obscurity.

What I really want is not to answer questions like:

(from the innocent ones)
- Hum, the last time I logged on it was another *nix ? Why OpenBSD
now? Is Sun going to sue me?

(from the stupid-managers)
- I've heard OpenBSD is in financial troubles right now, please take
this server down and migrate it to any-supported-and-paid-UNIX-system,
I don't want to donate!

(from the funny ones)
- I don't like sushi, I prefer aquatic-bird flesh!


A FAQ article could do the trick. But a patch is better.


Regards,

--
Eduardo Alvarenga



Re: rc.conf.local update_motd=NO

2006-04-19 Thread Eduardo Alvarenga
> Just leave the first two lines of motd intact, add your local motd after
> the first two lines, and your message will not be touched.

The patch prevents rc from adding these two lines into the motd file.
What I want is to not show information about the system and *JUST* my
personal motd, for security purposes and to follow the company's
policy.

All I am asking is whether it is possible to commit it upstream; it might
become very handy and IMHO has minimal impact -- and of course should
be disabled or even hidden from users by default.

And yes, I have read motd(5).


Regards,

--
Eduardo Alvarenga



rc.conf.local update_motd=NO

2006-04-19 Thread Eduardo Alvarenga
Hi there,

--
--- rc.orig 2006-04-19 15:43:13.869242320 -0300
+++ rc  2006-04-19 15:45:43.632474848 -0300
@@ -491,6 +491,7 @@
 if [ ! -f /etc/motd ]; then
install -c -o root -g wheel -m 664 /dev/null /etc/motd
 fi
+if [ X"${update_motd}" != X"NO" ]; then
 T=`mktemp /tmp/_motd.XX`
 if [ $? -eq 0 ]; then
sysctl -n kern.version | sed 1q > $T
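Review bot: the guard `+if [ X"${update_motd}" != X"NO" ]; then` keeps the old behaviour whenever the variable is unset, which is the right default, but the diff adds no matching `update_motd=YES` line to /etc/rc.conf, so nobody reading the stock file will discover the knob; add it there with a one-line comment. The lines now enclosed by the guard (`T=\`mktemp /tmp/_motd.XX\`` down to the matching `fi`) are also left at their old indentation, so the new nesting is invisible in the file; re-indent them one level.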
@@ -499,6 +500,7 @@
cmp -s $T /etc/motd || cp $T /etc/motd
rm -f $T
 fi
+fi

 if [ -f /var/account/acct ]; then
echo 'turning on accounting';   accton /var/account/acct
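Review bot: the bare `+fi` closes the guard opened in the previous hunk, but because the enclosed block was not re-indented it looks exactly like the inner ` fi` two lines above it (the one closing `if [ $? -eq 0 ]`), so a later edit could easily pair them wrongly; either indent the guarded block or mark the closing line, e.g. `fi # update_motd`, so the pairing is obvious at a glance.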
--

Some companies ask sysadmins to put a specific message of the day for
many purposes, this patch might become handy in such situations.

It is useful, at least for me.

Regards,

--
Eduardo Alvarenga



PF and Content Vectoring Protocol

2006-03-16 Thread Eduardo Alvarenga
Hi,

Is there any project, idea, document, etc. about adding CVP
(Content Vectoring Protocol) to pf? I'm asking this because I work
at an anti-virus company that develops solutions based on CVP -- now
supporting Checkpoint and Cyberguard -- and we would be very pleased to
recommend OpenBSD's PF for use with our products.

For technical off-topic discussions, please contact me directly.


Regards,

--
Eduardo Alvarenga



Re: Off Topic! Re: OpenBSD Cap

2006-03-07 Thread Eduardo Alvarenga
> Make one.
> I once made a temporary openbsd tattoo on my forearm using a sharpie
> marker.  Being surrounded by penguin lovers I have to fight back.

I have a real one, check this out:

http://www.orkut.com/Album.aspx?xid=14361074768919339780

Now it is complete, I'll post an updated picture as requested.


Regards,

--
Eduardo Alvarenga



Re: Apache 2 License

2005-12-04 Thread Eduardo Alvarenga
> On 12/3/05, Marco Peereboom <[EMAIL PROTECTED]> wrote:
(...)
> > In case you didn't know gpl 2 sucks shit and so does apache 2.
> > OpenBSD's version of apache is quite different than what they used to
> > ship since we forked it.  Apache 2 is in ports.

Where? As far as I can see, it was 6 years ago under www/apache... not now.

Regards,

--
Eduardo Alvarenga



Re: Help with OpenBSD ADSL Driver needed

2005-11-15 Thread Eduardo Alvarenga

> I asked Guy Ellis, if Traverse would consider donating some ADSL cards
> to OpenBSD developers in exchange for them helping to develop a decent
> OpenBSD driver from the beta one. His response is below -
>
>  >> In principle I am happy to run with this. However the main problem
> is that the purists will not accept a driver that isn't 100% Open
> Source. Since the firmware and Globespan proprietary routines are in a
> library they will probably tell you to go away. If not let me know.
>
>
> Is it truly the case that you will tell them to go away? and if so do


IMHO only if they do as Intel did. You can take a look at
/etc/firmware and check that those are binary-only firmwares, but they have
free distribution rights granted to OpenBSD and others.

If a firmware is mandatory, one can have a free, well-written driver
and plug a badly licensed firmware into it, but that will not make
anything better; think again about what Intel did and tell this story
to the Traverse guys.

--
Eduardo Alvarenga



Re: OpenBSD's 10th birthday

2005-10-18 Thread Eduardo Alvarenga
> > Now it is really OpenBSD's 10th birthday ;)

Congrats from Angola and all southern Africa!!

Regards,

--
Eduardo Alvarenga



DHCP redundancy? dhsyncd

2005-06-30 Thread Eduardo Alvarenga
Hi there,

I have a suggestion. How about a dhsyncd protocol/daemon? I mean
something like sasync/pfsync that implements DHCP balancing, takeover
and lease distribution based on the geo location. With this, one
could build a fully redundant DHCP server across different sites connected
by a bridge. On a loaded DHCP server, sometimes rsync/scp/ftp/etc.
tools can't handle the job in time, so a "dhcp stateful protocol"
is the idea.

Just a suggestion.