Re: sndio and bit perfect playback

2022-10-14 Thread Geoff Steckel




On 10/14/22 05:21, Alexandre Ratchov wrote:
> On Thu, Oct 13, 2022 at 05:20:49PM -0400, Geoff Steckel wrote:
> > If those don't work it's a (fixable) bug/not-yet-implemented.
> > I've tried those settings with ambiguous results but not failure.
> > My usb dacs don't have visible indicators & I don't have a
> > USB protocol sniffer.
>
> Running audioctl during playback reveals the device sample rate.

Running audioctl shows what the system thinks the device rate is.

> > In my experience resampling quality in any particular implementation
> > is not guaranteed and can introduce significant artifacts.
> > Declaring a particular implementation "good enough" without
> > knowing more seems premature.
>
> Here are the measures of the aliasing noise using sine sweeps. Check
> the figure for the 44.1kHz to 48kHz conversion, the sndiod column:
>
> https://arverb.com/pub/src/
>
> I did simple A/B tests with music from CDs and my ears couldn't hear
> the aliasing noise. Try it.

Good a/b >x< tests for audio require extreme care to get accurate results.
Simple sine sweeps don't show IM distortion well.
In most cases numerically equal amounts of IM distortion are far more easily
noticed than harmonic distortions or simple noise (white, pink, etc.)

> Sometimes you just don't want to think about it (ex., when you debug
> audio stuff), so resampling off-line (or switching the device rate)
> still makes sense in certain cases.

This is the classic "why would you ever want to do that?"
"Just as good" is an opinion.
Other OSs can and do provide controls which allow setting the device
sample rate to whatever the device can do.
This user wants that to work.

This means compiling a kernel with AUDIO_DEBUG Real Soon Now
and inserting a few more DPRINTFs.



Re: sndio and bit perfect playback

2022-10-14 Thread Jan Stary
> > In my experience resampling quality in any particular implementation
> > is not guaranteed and can introduce significant artifacts.
> > Declaring a particular implementation "good enough" without
> > knowing more seems premature.
> 
> Here are the measures of the aliasing noise using sine sweeps. Check
> the figure for the 44.1kHz to 48kHz conversion, the sndiod column:
> 
> https://arverb.com/pub/src/
> 
> I did simple A/B tests with music from CDs and my ears couldn't hear
> the aliasing noise. Try it.

Does this bit of sndiod(8) still apply?

BUGS
 Resampling is low quality; down-sampling especially
 should be avoided when recording.


Jan



Does OpenBSD support Receive Side Scaling (also called: multi-queue receiving)

2022-10-14 Thread Gabor LENCSE

Dear All,

I am a researcher and I would like to benchmark the stateful NAT64 
performance of OpenBSD PF.


I use a 32-core server as DUT (Device Under Test). When I use Linux for 
benchmarking other stateful NAT64 implementations, I use the "ethtool -N 
enp5s0f1 rx-flow-hash udp4 sdfn" command to include also the source and 
destination port numbers (not only the source and destination IP 
addresses) into the hash function to distribute the interrupts caused by 
packet arrivals evenly among all the CPU cores.


I tried to find a similar solution under OpenBSD, but I could not. (I 
used search expressions like: OpenBSD RSS receive side scaling multi 
queue receiving) Perhaps it is called differently under OpenBSD, or 
maybe there is no such solution at all?


Could you advise me please?

Thank you very much for your help in advance!

Best regards,

Gabor Lencse



Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Željko Puškarić
Hi everyone,

@Martijn
Thanks a lot. ypbind was not mentioned on the page I used; when I
enabled and started ypbind I was able to authenticate against LDAP.

# rcctl enable ypbind
# rcctl start ypbind

@Janne
I made a symbolic link at /bin/bash that points to /usr/local/bin/bash so
the user shell points to the right place.


-Original Message-
From: Martijn van Duren 
To: Željko Puškarić , misc@openbsd.org
Subject: Re: Problems with LDAP authorization against OpenLDAP server
Date: Fri, 14 Oct 2022 14:36:18 +0200

On Fri, 2022-10-14 at 14:14 +0200, Željko Puškarić wrote:
> Hi Stuart,
> 
> adding all of my users to /etc/master.passwd would be administrative
> burden, I would have to do that on every OpenBSD box and removing
> users would mean I'll have to remove users from all OpenBSD boxes so
> I am trying to avoid that.

The suggestion was to test it out to see if the problem is just in
ypldap(8), or also in login_ldap.

One of the things I see is that you haven't set up ypbind(8), which
might be a big part why things fail for you.

> Since shell is retrieved from LDAP and is used to log in to Linux boxes
> too I just set it as is set on Linux (installed bash on OpenBSD prior
> to setting LDAP authentication).
> Why is bash a bad idea on OpenBSD?
>
>
> -Original Message-
> From: Stuart Henderson <stu.li...@spacehopper.org>
> To: misc@openbsd.org
> Subject: Re: Problems with LDAP authorization against OpenLDAP server
> Date: Fri, 14 Oct 2022 11:29:34 - (UTC)
>
> On 2022-10-14, Željko Puškarić <zpuska...@hzhm.hr> wrote:
> > I am a seasoned Linux admin and my first foray into the world of
> > OpenBSD confronted me with a problem.
> > What I am trying to achieve is enabling authorization to OpenBSD
> > machine against existing OpenLDAP server (hosted on Linux).
> > In order to achieve that I followed these instructions:
> > https://blog.obtusenet.com/openbsd-and-ldap/
>
> I would start by adding a master.passwd entry for your user (you
> can just put * as the hashed password) and try to login while using
> login_ldap to handle the password.
>
> That way you can at least confirm that login_ldap is working while
> investigating ypldap.
>
> I can't help much with ypldap (I had it working once but decided to
> just build static master.passwd files based on the contents of ldap and
> push them out as it was much simpler and login_ldap did most of what
> I wanted), but a couple of quick comments, other than that
> /var/log/authlog might give some clues...
>
> > attribute passwd maps to "userPassword"
> > #   fixed attribute passwd "*"
> > ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZr
> > SgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
>
> Since you're using login_ldap you don't need the userPassword->passwd
> map, I think it's simpler to use "fixed attribute *" so it's clear that
> the password auth is not being done via yp. (login_ldap does a live check
> at login time, whereas if you were authing via the yp map then 1) you
> would need to avoid the {BCRYPT} prefix and 2) caching will get in the
> way of password changes etc).
>
> Probably /bin/bash is not what you want as a shell for OpenBSD boxes.
>
> > fixed attribute class ""
>
> I used a separate class for ldap users set ('fixed attribute class
> "ldap"'), and created that class in login.conf with "auth=ldap" (so
> that only the users I expected to come from ldap tried to use ldap for
> authentication).
> 
> 
> 
> 
> 





Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Jonathan Matthew
On Fri, Oct 14, 2022 at 12:48:05PM +0200, Željko Puškarić wrote:
> Hi everyone,
> 
> I am a seasoned Linux admin and my first foray into the world of
> OpenBSD confronted me with a problem.
> What I am trying to achieve is enabling authorization to OpenBSD
> machine against existing OpenLDAP server (hosted on Linux).
> In order to achieve that I followed these instructions:
> https://blog.obtusenet.com/openbsd-and-ldap/
> According to the instructions I changed the line in /etc/login.conf to
> look like: 
> 
> auth-defaults:auth=ldap,passwd,skey:
> 
> then created /etc/login_ldap.conf:
> 
> host=ldap+tls://ldap.example.com
> cacert=/etc/ssl/example.com.crt
> scope=sub
> timeout=15
> basedn=ou=accounts,dc=example,dc=com
> binddn=cn=reader,dc=example,dc=com
> bindpw=secret
> filter=(&(objectClass=posixAccount)(description=active)(uid=%u))
> gbasedn=ou=groups,dc=example,dc=com
> gfilter=(&(objectClass=posixGroup)(memberUid=%u))
> 
> put example.com into /etc/defaultdomain

The domain name written to the file is only applied at boot time.
You can set it without rebooting by running 'domainname example.com'.

> 
> enabled and started portmap service:
> 
> # rcctl enable portmap
> # rcctl start portmap
> 
> After that I configured /var/yp/example.com/ypservers.db file by
> executing.
> 
> # ypinit -m
> 
> defining servers as:
> 
> localhost
> 
> It all got done without any errors.

You don't need to run ypinit to use ypldap.

> 
> After that created /etc/ypldap.conf:
> 
> # $OpenBSD: ypldap.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
> 
> domain    "example.com"
> interval  60
> provide map   "passwd.byname"
> provide map   "passwd.byuid"
> provide map   "group.byname"
> provide map   "group.bygid"
> provide map   "netid.byname"
> 
> directory "ldap.example.com" {
>   # directory options
>   binddn "cn=reader,dc=example,dc=com"
>   bindcred "secret"
>   basedn "ou=accounts,dc=example,dc=com"
>   # starting point for groups directory search, default to basedn
>   groupdn "ou=groups,dc=example,dc=com"
> 
>   # passwd maps configuration (RFC 2307 posixAccount object class)
>   passwd filter "(&(objectClass=posixAccount)(description=active))"
> 
>   attribute name maps to "uid"
>   attribute passwd maps to "userPassword"
> # fixed attribute passwd "*"
>   attribute uid maps to "uidNumber"
>   attribute gid maps to "gidNumber"
>   attribute gecos maps to "cn"
>   attribute home maps to "homeDirectory"
>   attribute shell maps to "loginShell"
>   fixed attribute change "0"
>   fixed attribute expire "0"
>   fixed attribute class ""
> 
>   # group maps configuration (RFC 2307 posixGroup object class)
>   group filter "(&(objectClass=posixGroup)(memberUid=%u))"
> 
>   attribute groupname maps to "cn"
>   fixed attribute grouppasswd "*"
>   attribute groupgid maps to "gidNumber"
>   # memberUid returns multiple group members
>   list groupmembers maps to "memberUid"
> }
> 
> and enabled and started ypldap service:
> 
> # rcctl enable ypldap
> # rcctl start ypldap
> 
> I also added "+:*" to /etc/master.passwd and updated database:
> 
> # echo '+:*' >> /etc/master.passwd
> # pwd_mkdb -p /etc/master.passwd
> 
> After that I checked if LDAP users would be visible by using:
> 
> # getent passwd
> 
> but LDAP users are not visible.

Is ypbind running?

> 
> In order to check ypldap I stopped the service and ran it as:
> 
> # rcctl stop ypldap
> # ypldap -dv
> 
> and got:
> 
> startup [debug mode]
> configuration starting
> applying configuration
> connecting to directories
> starting directory update
> searching password entries
> searching group entries
> updates are over, cleaning up trees now
> flattening trees
> 
> pushing line:
> ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZr
> SgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
> done pushing users
> done pushing groups
> 
> so I deduced that connection to LDAP server is working but when I try
> to log in as user ttestic it does not work
> 
> Could the problem be that by default OpenBSD now uses 11 as default
> number of password hashing cost unlike in LDAP where cost is 8?
> 
> If that is not the problem what could I do to troubleshoot my problem?

If the user shows up in the ypldap debug output, but isn't visible with
getent, libc isn't talking to ypldap.  If the domain name isn't set or
ypbind isn't running, libc won't talk to ypldap.
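
The checks from the reply above, walked in order as a script. This is an added example, not part of the thread; the function name `yp_client_diagnose` and the `MASTER_PASSWD` override are assumptions made for illustration, and it is meant to be run as root on the OpenBSD client.

```shell
#!/bin/sh
# Added example: follow the path libc takes to reach ypldap and stop at the
# first broken link. MASTER_PASSWD is overridable only so the function can be
# exercised against a sample file (assumption, not an OpenBSD convention).
MASTER_PASSWD="${MASTER_PASSWD:-/etc/master.passwd}"

# yp_client_diagnose USER
# Returns 0 when USER resolves through libc, otherwise the number of the
# first failing step: 1 = domain, 2 = ypbind, 3 = "+" entry, 4 = lookup.
yp_client_diagnose() {
    user="$1"

    # 1. /etc/defaultdomain is only applied at boot; the running value is
    #    what counts. It can be set live with: domainname example.com
    dom="$(domainname 2>/dev/null)" || dom=""
    if [ -z "$dom" ]; then
        echo "FAIL 1: YP domain name is not set (run: domainname <domain>)"
        return 1
    fi
    echo "ok   1: YP domain is '$dom'"

    # 2. libc talks to ypldap through ypbind, so it has to be running.
    if ! rcctl check ypbind >/dev/null 2>&1; then
        echo "FAIL 2: ypbind is not running (rcctl enable ypbind; rcctl start ypbind)"
        return 2
    fi
    echo "ok   2: ypbind is running"

    # 3. The "+:*" line from the original post must be in master.passwd
    #    (followed by pwd_mkdb -p) for YP entries to be merged in.
    if ! grep -q '^[+]' "$MASTER_PASSWD" 2>/dev/null; then
        echo "FAIL 3: no '+' entry in $MASTER_PASSWD"
        return 3
    fi
    echo "ok   3: '+' entry present in $MASTER_PASSWD"

    # 4. Only now is a failed lookup evidence of a ypldap-side problem;
    #    compare with the 'pushing line' output of: ypldap -dv
    if ! getent passwd "$user" >/dev/null 2>&1; then
        echo "FAIL 4: '$user' not visible via getent; check ypldap -dv output"
        return 4
    fi
    echo "ok   4: libc resolves '$user'"
    return 0
}

# Run the chain when a user name is given on the command line.
if [ $# -gt 0 ]; then
    yp_client_diagnose "$1"
fi
```
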



Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Martijn van Duren
On Fri, 2022-10-14 at 14:14 +0200, Željko Puškarić wrote:
> Hi Stuart,
> 
> adding all of my users to /etc/master.passwd would be administrative
> burden, I would have to do that on every OpenBSD box and removing users would 
> mean I'll have to remove users from all OpenBSD boxes so I am trying to avoid 
> that.

The suggestion was to test it out to see if the problem is just in
ypldap(8), or also in login_ldap.

One of the things I see is that you haven't set up ypbind(8), which
might be a big part why things fail for you.

> Since shell is retrieved from LDAP and is used to log in to Linux boxes
> too I just set it as is set on Linux (installed bash on OpenBSD prior
> to setting LDAP authentication).
> Why is bash a bad idea on OpenBSD?
> 
> 
> -Original Message-
> From: Stuart Henderson 
> To: misc@openbsd.org
> Subject: Re: Problems with LDAP authorization against OpenLDAP server
> Date: Fri, 14 Oct 2022 11:29:34 - (UTC)
> 
> On 2022-10-14, Željko Puškarić <zpuska...@hzhm.hr> wrote:
> > I am a seasoned Linux admin and my first foray into the world of
> > OpenBSD confronted me with a problem.
> > What I am trying to achieve is enabling authorization to OpenBSD
> > machine against existing OpenLDAP server (hosted on Linux).
> > In order to achieve that I followed these instructions:
> > https://blog.obtusenet.com/openbsd-and-ldap/
>
> I would start by adding a master.passwd entry for your user (you
> can just put * as the hashed password) and try to login while using
> login_ldap to handle the password.
>
> That way you can at least confirm that login_ldap is working while
> investigating ypldap.
>
> I can't help much with ypldap (I had it working once but decided to
> just build static master.passwd files based on the contents of ldap and
> push them out as it was much simpler and login_ldap did most of what
> I wanted), but a couple of quick comments, other than that
> /var/log/authlog might give some clues...
>
> > attribute passwd maps to "userPassword"
> > #   fixed attribute passwd "*"
> > ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZr
> > SgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
>
> Since you're using login_ldap you don't need the userPassword->passwd
> map, I think it's simpler to use "fixed attribute *" so it's clear that
> the password auth is not being done via yp. (login_ldap does a live check
> at login time, whereas if you were authing via the yp map then 1) you
> would need to avoid the {BCRYPT} prefix and 2) caching will get in the
> way of password changes etc).
> 
> Probably /bin/bash is not what you want as a shell for OpenBSD boxes.
> 
> > fixed attribute class ""
> 
> I used a separate class for ldap users set ('fixed attribute class
> "ldap"'), and created that class in login.conf with "auth=ldap" (so
> that only the users I expected to come from ldap tried to use ldap for
> authentication).
> 
> 
> 
> 
> 



Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Janne Johansson
> Why is bash a bad idea on OpenBSD?

Not bash in itself, but having it in /bin. If you installed it from
packages/ports it would end up under /usr/local/bin instead, so the
user's shell would point to the wrong place.

-- 
May the most significant bit of your life be positive.



Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Željko Puškarić
Hi Stuart,

adding all of my users to /etc/master.passwd would be administrative
burden, I would have to do that on every OpenBSD box and removing users would 
mean I'll have to remove users from all OpenBSD boxes so I am trying to avoid 
that.
Since shell is retrieved from LDAP and is used to log in to Linux boxes
too I just set it as is set on Linux (installed bash on OpenBSD prior
to setting LDAP authentication).
Why is bash a bad idea on OpenBSD?


-Original Message-
From: Stuart Henderson 
To: misc@openbsd.org
Subject: Re: Problems with LDAP authorization against OpenLDAP server
Date: Fri, 14 Oct 2022 11:29:34 - (UTC)

On 2022-10-14, Željko Puškarić <zpuska...@hzhm.hr> wrote:
> I am a seasoned Linux admin and my first foray into the world of
> OpenBSD confronted me with a problem.
> What I am trying to achieve is enabling authorization to OpenBSD
> machine against existing OpenLDAP server (hosted on Linux).
> In order to achieve that I followed these instructions:
> https://blog.obtusenet.com/openbsd-and-ldap/

I would start by adding a master.passwd entry for your user (you
can just put * as the hashed password) and try to login while using
login_ldap to handle the password.

That way you can at least confirm that login_ldap is working while
investigating ypldap.

I can't help much with ypldap (I had it working once but decided to
just build static master.passwd files based on the contents of ldap and
push them out as it was much simpler and login_ldap did most of what
I wanted), but a couple of quick comments, other than that
/var/log/authlog might give some clues...

>   attribute passwd maps to "userPassword"
> # fixed attribute passwd "*"
> ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZr
> SgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash

Since you're using login_ldap you don't need the userPassword->passwd
map, I think it's simpler to use "fixed attribute *" so it's clear that
the password auth is not being done via yp. (login_ldap does a live check
at login time, whereas if you were authing via the yp map then 1) you
would need to avoid the {BCRYPT} prefix and 2) caching will get in the
way of password changes etc).

Probably /bin/bash is not what you want as a shell for OpenBSD boxes.

>   fixed attribute class ""

I used a separate class for ldap users set ('fixed attribute class
"ldap"'), and created that class in login.conf with "auth=ldap" (so
that only the users I expected to come from ldap tried to use ldap for
authentication).







Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Stuart Henderson
On 2022-10-14, Željko Puškarić  wrote:
> I am a seasoned Linux admin and my first foray into the world of
> OpenBSD confronted me with a problem.
> What I am trying to achieve is enabling authorization to OpenBSD
> machine against existing OpenLDAP server (hosted on Linux).
> In order to achieve that I followed these instructions:
> https://blog.obtusenet.com/openbsd-and-ldap/

I would start by adding a master.passwd entry for your user (you
can just put * as the hashed password) and try to login while using
login_ldap to handle the password.

That way you can at least confirm that login_ldap is working while
investigating ypldap.

I can't help much with ypldap (I had it working once but decided to
just build static master.passwd files based on the contents of ldap and
push them out as it was much simpler and login_ldap did most of what
I wanted), but a couple of quick comments, other than that
/var/log/authlog might give some clues...

>   attribute passwd maps to "userPassword"
> # fixed attribute passwd "*"

> ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZr
> SgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash

Since you're using login_ldap you don't need the userPassword->passwd
map, I think it's simpler to use "fixed attribute *" so it's clear that
the password auth is not being done via yp. (login_ldap does a live check
at login time, whereas if you were authing via the yp map then 1) you
would need to avoid the {BCRYPT} prefix and 2) caching will get in the
way of password changes etc).

Probably /bin/bash is not what you want as a shell for OpenBSD boxes.

>   fixed attribute class ""

I used a separate class for ldap users set ('fixed attribute class
"ldap"'), and created that class in login.conf with "auth=ldap" (so
that only the users I expected to come from ldap tried to use ldap for
authentication).


-- 
Please keep replies on the mailing list.
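
A small lint for the two ypldap.conf points raised in the reply above, plus the shell path issue that comes up elsewhere in the thread. This is an added example, not code from the thread; `audit_ypldap_conf`, `count_warnings` and the two sample functions are hypothetical names, and both samples are constructed from the configuration posted in the thread.

```shell
#!/bin/sh
# Added example: flag ypldap.conf settings that the reply advises against
# when login_ldap is doing the password check.

# Constructed sample: the passwd-related lines of the posted ypldap.conf.
sample_posted() {
cat <<'EOF'
directory "ldap.example.com" {
    attribute name maps to "uid"
    attribute passwd maps to "userPassword"
#   fixed attribute passwd "*"
    attribute shell maps to "loginShell"
    fixed attribute class ""
}
EOF
}

# Constructed sample: the same lines with the reply's suggestions applied.
# The matching class in /etc/login.conf would look like this (constructed):
#   ldap:\
#       :auth=ldap:\
#       :tc=default:
sample_revised() {
cat <<'EOF'
directory "ldap.example.com" {
    attribute name maps to "uid"
    fixed attribute passwd "*"
    attribute shell maps to "loginShell"
    fixed attribute class "ldap"
}
EOF
}

# audit_ypldap_conf: read a ypldap.conf on stdin and print one line per
# finding in the form "LEVEL line N: message".
audit_ypldap_conf() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }   # skip comments and blank lines
        $1 == "attribute" && $2 == "passwd" && $3 == "maps" {
            # The hash then appears in the map, as in the "pushing line" output.
            printf "WARN line %d: LDAP hash (%s) is copied into the YP passwd map\n", NR, $5
        }
        $1 == "fixed" && $2 == "attribute" && $3 == "class" && $4 == "\"\"" {
            printf "WARN line %d: empty login class, LDAP users share the default class\n", NR
        }
        $1 == "attribute" && $2 == "shell" && $3 == "maps" {
            printf "NOTE line %d: shell path comes from LDAP and must exist on this host\n", NR
        }
    '
}

# count_warnings: number of WARN findings for a ypldap.conf on stdin.
count_warnings() {
    audit_ypldap_conf | grep -c '^WARN' || true
}

echo "posted config:";  sample_posted  | audit_ypldap_conf
echo "revised config:"; sample_revised | audit_ypldap_conf
```

Against a live system the function is used as `audit_ypldap_conf < /etc/ypldap.conf`.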



Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Željko Puškarić
Hi everyone,

I am a seasoned Linux admin and my first foray into the world of
OpenBSD confronted me with a problem.
What I am trying to achieve is enabling authorization to OpenBSD
machine against existing OpenLDAP server (hosted on Linux).
In order to achieve that I followed these instructions:
https://blog.obtusenet.com/openbsd-and-ldap/
According to the instructions I changed the line in /etc/login.conf to
look like:

auth-defaults:auth=ldap,passwd,skey:

then created /etc/login_ldap.conf:

host=ldap+tls://ldap.example.com
cacert=/etc/ssl/example.com.crt
scope=sub
timeout=15
basedn=ou=accounts,dc=example,dc=com
binddn=cn=reader,dc=example,dc=com
bindpw=secret
filter=(&(objectClass=posixAccount)(description=active)(uid=%u))
gbasedn=ou=groups,dc=example,dc=com
gfilter=(&(objectClass=posixGroup)(memberUid=%u))

put example.com into /etc/defaultdomain

enabled and started portmap service:

# rcctl enable portmap
# rcctl start portmap

After that I configured /var/yp/example.com/ypservers.db file by
executing.

# ypinit -m

defining servers as:

localhost

It all got done without any errors.

After that created /etc/ypldap.conf:

# $OpenBSD: ypldap.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $

domain          "example.com"
interval        60
provide map     "passwd.byname"
provide map     "passwd.byuid"
provide map     "group.byname"
provide map     "group.bygid"
provide map     "netid.byname"

directory "ldap.example.com" {
        # directory options
        binddn "cn=reader,dc=example,dc=com"
        bindcred "secret"
        basedn "ou=accounts,dc=example,dc=com"
        # starting point for groups directory search, default to basedn
        groupdn "ou=groups,dc=example,dc=com"

        # passwd maps configuration (RFC 2307 posixAccount object class)
        passwd filter "(&(objectClass=posixAccount)(description=active))"

        attribute name maps to "uid"
        attribute passwd maps to "userPassword"
#       fixed attribute passwd "*"
        attribute uid maps to "uidNumber"
        attribute gid maps to "gidNumber"
        attribute gecos maps to "cn"
        attribute home maps to "homeDirectory"
        attribute shell maps to "loginShell"
        fixed attribute change "0"
        fixed attribute expire "0"
        fixed attribute class ""

        # group maps configuration (RFC 2307 posixGroup object class)
        group filter "(&(objectClass=posixGroup)(memberUid=%u))"

        attribute groupname maps to "cn"
        fixed attribute grouppasswd "*"
        attribute groupgid maps to "gidNumber"
        # memberUid returns multiple group members
        list groupmembers maps to "memberUid"
}

and enabled and started ypldap service:

# rcctl enable ypldap
# rcctl start ypldap

I also added "+:*" to /etc/master.passwd and updated database:

# echo '+:*' >> /etc/master.passwd
# pwd_mkdb -p /etc/master.passwd

After that I checked if LDAP users would be visible by using:

# getent passwd

but LDAP users are not visible.

In order to check ypldap I stopped the service and ran it as:

# rcctl stop ypldap
# ypldap -dv

and got:

startup [debug mode]
configuration starting
applying configuration
connecting to directories
starting directory update
searching password entries
searching group entries
updates are over, cleaning up trees now
flattening trees

pushing line:
ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZr
SgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
done pushing users
done pushing groups

so I deduced that connection to LDAP server is working but when I try
to log in as user ttestic it does not work

Could the problem be that by default OpenBSD now uses 11 as default
number of password hashing cost unlike in LDAP where cost is 8?

If that is not the problem what could I do to troubleshoot my problem?





Re: sndio and bit perfect playback

2022-10-14 Thread Alexandre Ratchov
On Thu, Oct 13, 2022 at 05:20:49PM -0400, Geoff Steckel wrote:
> 
> If those don't work it's a (fixable) bug/not-yet-implemented.
> I've tried those settings with ambiguous results but not failure.
> My usb dacs don't have visible indicators & I don't have a
> USB protocol sniffer.

Running audioctl during playback reveals the device sample rate.

> In my experience resampling quality in any particular implementation
> is not guaranteed and can introduce significant artifacts.
> Declaring a particular implementation "good enough" without
> knowing more seems premature.

Here are the measures of the aliasing noise using sine sweeps. Check
the figure for the 44.1kHz to 48kHz conversion, the sndiod column:

https://arverb.com/pub/src/

I did simple A/B tests with music from CDs and my ears couldn't hear
the aliasing noise. Try it.

Sometimes you just don't want to think about it (ex., when you debug
audio stuff), so resampling off-line (or switching the device rate)
still makes sense in certain cases.