Hi everyone,

@Martijn Thanks a lot, ypbind was not mentioned on the page I used; when I enabled and started ypbind I was able to authenticate against LDAP.

# rcctl enable ypbind
# rcctl start ypbind

@Janne I made a symbolic link, /bin/bash, that points to /usr/local/bin/bash so the user shell points to the right place.

-----Original Message-----
From: Martijn van Duren <openbsd+m...@list.imperialat.at>
To: Željko Puškarić <zpuska...@hzhm.hr>, misc@openbsd.org
Subject: Re: Problems with LDAP authorization against OpenLDAP server
Date: Fri, 14 Oct 2022 14:36:18 +0200

On Fri, 2022-10-14 at 14:14 +0200, Željko Puškarić wrote:
> Hi Stuart,
>
> adding all of my users to /etc/master.passwd would be an administrative
> burden, I would have to do that on every OpenBSD box and removing
> users would mean I'll have to remove users from all OpenBSD boxes so
> I am trying to avoid that.

The suggestion was to test it out to see if the problem is just in
ypldap(8), or also in login_ldap.

One of the things I see is that you haven't set up ypbind(8), which
might be a big part why things fail for you.

> Since shell is retrieved from LDAP and is used to log in to Linux boxes
> too I just set it as is set on Linux (installed bash on OpenBSD prior
> to setting LDAP authentication).
> Why is bash a bad idea on OpenBSD?
>
> -----Original Message-----
> From: Stuart Henderson <stu.li...@spacehopper.org>
> To: misc@openbsd.org
> Subject: Re: Problems with LDAP authorization against OpenLDAP server
> Date: Fri, 14 Oct 2022 11:29:34 -0000 (UTC)
>
> On 2022-10-14, Željko Puškarić <zpuska...@hzhm.hr> wrote:
> > I am a seasoned Linux admin and my first foray into the world of
> > OpenBSD confronted me with a problem.
> > What I am trying to achieve is enabling authorization to OpenBSD
> > machine against existing OpenLDAP server (hosted on Linux).
> > In order to achieve that I followed these instructions:
> > https://blog.obtusenet.com/openbsd-and-ldap/
>
> I would start by adding a master.passwd entry for your user (you
> can just put * as the hashed password) and try to login while using
> login_ldap to handle the password.
>
> That way you can at least confirm that login_ldap is working while
> investigating ypldap.
>
> I can't help much with ypldap (I had it working once but decided to
> just build static master.passwd files based on the contents of ldap and
> push them out as it was much simpler and login_ldap did most of what
> I wanted), but a couple of quick comments, other than that
> /var/log/authlog might give some clues...
>
> > attribute passwd maps to "userPassword"
> > # fixed attribute passwd "*"
> > ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
>
> Since you're using login_ldap you don't need the userPassword->passwd
> map, I think it's simpler to use "fixed attribute *" so it's clear that
> the password auth is not being done via yp. (login_ldap does a live check
> at login time, whereas if you were authing via the yp map then 1) you
> would need to avoid the {BCRYPT} prefix and 2) caching will get in the
> way of password changes etc).
>
> Probably /bin/bash is not what you want as a shell for OpenBSD boxes.
>
> > fixed attribute class ""
>
> I used a separate class for ldap users set ('fixed attribute class
> "ldap"'), and created that class in login.conf with "auth=ldap" (so
> that only the users I expected to come from ldap tried to use ldap for
> authentication).
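A check in the spirit of Stuart's and Martijn's advice, added here and not part of the thread: a shell function that audits master.passwd-format lines (the format of the ttestic line above, as ypcat prints the map) for a password hash served through YP instead of "*", a class other than "ldap", and a login shell missing from the shells file. The shells list, the fake hash and both sample entries are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Reads master.passwd-format lines on stdin:
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell
# and reports, per user:
#  - passwd field is not "*": a hash (maybe {BCRYPT}-prefixed) is served via YP
#    instead of being checked live by login_ldap (use fixed attribute passwd "*")
#  - class is not "ldap": the login.conf class carrying auth=ldap will not apply
#  - shell is not listed in the shells file (e.g. /bin/bash on OpenBSD, where
#    packaged bash lives in /usr/local/bin/bash)
# Returns 0 when clean, 1 when there is at least one finding.
audit_yp_passwd() {
    shells=${1:-/etc/shells}
    awk -F: -v shells="$shells" '
    BEGIN {
        while ((getline line < shells) > 0)
            if (line != "" && substr(line, 1, 1) != "#") ok[line] = 1
        close(shells)
    }
    NF != 10 { printf "%s: malformed entry (%d fields)\n", $1, NF; bad++; next }
    $2 != "*" {
        how = (index($2, "{BCRYPT}") == 1) ? "{BCRYPT}-prefixed hash" : "password hash"
        printf "%s: %s exported via YP; use fixed attribute passwd \"*\"\n", $1, how
        bad++
    }
    $5 != "ldap" { printf "%s: class \"%s\", expected \"ldap\"\n", $1, $5; bad++ }
    !($10 in ok) { printf "%s: shell %s not in %s\n", $1, $10, shells; bad++ }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample entries: the first mirrors the ttestic line quoted above
# (with a fake hash), the second is what the corrected mapping should produce.
SAMPLE_WRONG='ttestic:{BCRYPT}$2b$08$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKE:10042:10006::0:0:test testic:/home/ttestic:/bin/bash'
SAMPLE_FIXED='ttestic:*:10042:10006:ldap:0:0:test testic:/home/ttestic:/usr/local/bin/bash'

# Demo against a constructed shells list rather than the host's /etc/shells:
# three findings for SAMPLE_WRONG, none for SAMPLE_FIXED.
demo() {
    tmpshells=$(mktemp) || return 1
    printf '/bin/sh\n/bin/ksh\n/usr/local/bin/bash\n' > "$tmpshells"
    printf '%s\n' "$SAMPLE_WRONG" | audit_yp_passwd "$tmpshells"
    printf '%s\n' "$SAMPLE_FIXED" | audit_yp_passwd "$tmpshells" && echo "fixed entry: no findings"
    rm -f "$tmpshells"
}
```

Source the file and call `demo`, or run the real map with `ypcat master.passwd | audit_yp_passwd` on the client.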