On 2022-10-14, Željko Puškarić <zpuska...@hzhm.hr> wrote:
> I am a seasoned Linux admin and my first foray into the world of
> OpenBSD confronted me with a problem.
> What I am trying to achieve is enabling authorization to OpenBSD
> machine against existing OpenLDAP server (hosted on Linux).
> In order to achieve that I followed these instructions:
> https://blog.obtusenet.com/openbsd-and-ldap/
I would start by adding a master.passwd entry for your user (you can just
put * as the hashed password) and try to login while using login_ldap to
handle the password. That way you can at least confirm that login_ldap is
working while investigating ypldap.

I can't help much with ypldap (I had it working once but decided to just
build static master.passwd files based on the contents of ldap and push
them out as it was much simpler and login_ldap did most of what I wanted),
but a couple of quick comments, other than that /var/log/authlog might
give some clues...

> attribute passwd maps to "userPassword"
> # fixed attribute passwd "*"

> ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZr
> SgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash

Since you're using login_ldap you don't need the userPassword->passwd map,
I think it's simpler to use "fixed attribute *" so it's clear that the
password auth is not being done via yp. (login_ldap does a live check at
login time, whereas if you were authing via the yp map then 1) you would
need to avoid the {BCRYPT} prefix and 2) caching will get in the way of
password changes etc).

Probably /bin/bash is not what you want as a shell for OpenBSD boxes.

> fixed attribute class ""

I used a separate class for ldap users set ('fixed attribute class
"ldap"'), and created that class in login.conf with "auth=ldap" (so that
only the users I expected to come from ldap tried to use ldap for
authentication).

-- 
Please keep replies on the mailing list.
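The split the reply above recommends (ypldap only supplies account data, login_ldap does the live password check, and a dedicated login class limits which users go through ldap) written out as configuration. This is an added example, not part of the original thread and not taken from the blog post or from OpenBSD's own manual pages; the directory address, bind DN, base DN, YP domain and shell are assumed placeholders.

```conf
# /etc/ypldap.conf (added example; values below are placeholders)
domain "example.com"
interval 60
provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"
provide map "netid.byname"

directory "ldap.example.com" {
	binddn "cn=ypldap,dc=example,dc=com"
	bindcred "PLACEHOLDER-BIND-PASSWORD"
	basedn "dc=example,dc=com"

	passwd filter "(objectClass=posixAccount)"
	attribute name maps to "uid"

	# Weak setting: copies userPassword into the YP passwd map. As the
	# reply notes, a {BCRYPT}-prefixed value is unusable there and the
	# map is cached, so password changes lag; it also puts hashes into a
	# map every YP client can read. Leave it commented out.
	# attribute passwd maps to "userPassword"

	# Corrected setting: no password in the map at all, so it is obvious
	# that authentication happens elsewhere (login_ldap).
	fixed attribute passwd "*"

	attribute uid maps to "uidNumber"
	attribute gid maps to "gidNumber"
	attribute gecos maps to "cn"
	attribute home maps to "homeDirectory"
	attribute shell maps to "loginShell"   # loginShell should be an OpenBSD shell, e.g. /bin/ksh
	fixed attribute change "0"
	fixed attribute expire "0"

	# Put every ldap-sourced account into its own login class so only
	# these accounts use the ldap auth style (see login.conf below).
	fixed attribute class "ldap"

	group filter "(objectClass=posixGroup)"
	attribute groupname maps to "cn"
	fixed attribute grouppasswd "*"
	attribute groupgid maps to "gidNumber"
	list groupmembers maps to "memberUid"
}

# /etc/login.conf (addition): class referenced by "fixed attribute class"
# above. auth=ldap selects login_ldap (installed from packages, with its
# own /etc/login_ldap.conf); local accounts in "default" are unaffected.
ldap:\
	:auth=ldap:\
	:tc=default:
```

After editing login.conf run cap_mkdb /etc/login.conf, and add the YP marker lines ypldap(8) asks for (`+:*::::::::` in /etc/master.passwd via vipw, `+:*::` in /etc/group) so lookups fall through to the map. A quick check that the two halves are doing their jobs: `getent passwd ttestic` should return the account with `*` in the password field and `ldap` as its class, and a login attempt should leave a login_ldap line in /var/log/authlog rather than a local password failure.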