I just set up another ssh gateway running the OpenBSD amd64 snapshot of the 8th of August (should be epsilon close to the 5.6 release). From installation to a fully working gateway it took less than 30 minutes, kudos to the developers. The only weird thing I noticed compared to the 5.5 release is that the system overrides the default user shell defined in the LDAP database. The LDAP server is a stock OpenBSD ldapd running on the 5.5 amd64 release. I have installed bash, zsh, tcsh from ports on the LDAP client OpenBSD machine and soft-linked them to the place typical for Linux, which is the default path to those shells in the LDAP db.
The configuration looks identical to that on the 5.5 release:

# ls -l /bin/tcsh
lrwxr-xr-x  1 root  wheel  19 Aug 27 19:40 /bin/tcsh -> \
	/usr/local/bin/tcsh
# ls -l /bin/bash
lrwxr-xr-x  1 root  wheel  19 Aug 27 19:23 /bin/bash -> \
	/usr/local/bin/bash
# ls -l /bin/zsh
lrwxr-xr-x  1 root  wheel  18 Aug 27 19:36 /bin/zsh -> \
	/usr/local/bin/zsh

# tail -n 1 /etc/master.passwd
+:::::::::/bin/ksh

# tail -1 /etc/group
+:::

# tail -n 6 /etc/login.conf
ldap:\
	:auth=-ldap:\
	:x-ldap-server=atlas.int.autonlab.org,,starttls:\
	:x-ldap-basedn=dc=autonlab,dc=org:\
	:x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
	:tc=default:

# more /etc/defaultdomain
autonlab.org

# more /etc/yp/ldap.autonlab.org
autonlab.org

# view /etc/ypldap.conf
# $OpenBSD: ypldap.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $

domain		"autonlab.org"
interval	60
provide map	"passwd.byname"
provide map	"passwd.byuid"
provide map	"group.byname"
provide map	"group.bygid"
provide map	"netid.byname"

directory "atlas.int.autonlab.org" {
	# directory options
	binddn "cn=admin,dc=autonlab,dc=org"
	# bindcred "secret"
	basedn "dc=autonlab,dc=org"
	# starting point for groups directory search, default to basedn
	#groupdn "ou=Groups,dc=example,dc=com"

	# passwd maps configuration (RFC 2307 posixAccount object class)
	passwd filter "(objectClass=posixAccount)"

	attribute name maps to "uid"
	fixed attribute passwd "*"
	attribute uid maps to "uidNumber"
	attribute gid maps to "gidNumber"
	attribute gecos maps to "cn"
	attribute home maps to "homeDirectory"
	attribute shell maps to "loginShell"
	fixed attribute change "0"
	fixed attribute expire "0"
	fixed attribute class "ldap"

	# group maps configuration (RFC 2307 posixGroup object class)
	group filter "(objectClass=posixGroup)"

	attribute groupname maps to "cn"
	fixed attribute grouppasswd "*"
	attribute groupgid maps to "gidNumber"
	# memberUid returns multiple group members
	list groupmembers maps to "memberUid"
}

# more /etc/rc.conf.local
ntpd_flags=
pkg_scripts="sshguard monit"
portmap_flags=""
ypldap_flags=""
ypbind_flags=""

Of course I could ask all users to adjust their profiles, but maybe somebody could point me to a fix which doesn't involve users.

Cheers,
Predrag