Ok guys... because I still have beer I decided to write my experience down now:

1. Use -current. Grab the sources, go to /usr/src/usr.sbin/ypldap and run:

        cvs update; make depend; make; make install

2. Install the port sysutils/login_ldap.

3. Configure /etc/ypldap.conf:

EOF
domain $OPENBSD
interval 60
provide map passwd.byname
provide map passwd.byuid
provide map group.byname
provide map group.bygid

directory $USE_IP_HERE {                                # A
        attribute name maps to "uid"
        fixed attribute passwd "*"                      # B
        attribute uid maps to "uidNumber"
        attribute gid maps to "gidNumber"
        fixed attribute class "ldap"                    # Login class!
        fixed attribute expire "0"                      # USE_IP_HERE
        attribute change maps to "shadowLastChange"     # D
        attribute gecos maps to "gecos"
        attribute home maps to "homeDirectory"
        fixed attribute shell "/bin/ksh"                # E
        attribute groupname maps to "cn"
        fixed attribute grouppasswd "*"
        attribute groupgid maps to "gidNumber"
        attribute groupmembers maps to "memberUid"
        binddn "cn=$ldapuser,dc=example,dc=com"         # F
        bindcred "YourSecret"
        basedn "dc=example,dc=com"
        group filter "(objectclass=posixGroup)"
        passwd filter "(objectclass=posixAccount)"
}
EOF

   A  Name resolution not working yet - use IP instead
   B  Passwords in "NIS" not needed - we use login_ldap # XXX
   C  Problems with time format - "account e usfor Linux users - but there's no bash ;-)
   F  Not needed if anonymous searches are allowed - not yet in man XXX

   You could use other auth too - like krb5 against AD - should be tested!

4. Configure login_ldap in /etc/login.conf:

ldap:\
        :auth=-ldap:\
        :x-ldap-server=$USE_IP_HERE:\
        :shell=/bin/ksh:\
        :x-ldap-basedn=dc=example,dc=com:\
        :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
        :x-ldap-groupdn=cn=group_users_should_reside_to,dc=example,dc=com:\
        :x-ldap-groupfilter=(&(objectClass=posixGroup)(memberUid=%u)):\
        :tc=default:

   (the shell= line is not mandatory)

5. Test ypldap:

~ # ypldap -dv
startup [debug mode]
configuration starting
applying configuration
connecting to directories
trying directory: $IP
starting directory update
starting directory update
updates are over, cleaning up trees now
flattening trees
pushing line: anonymous:*:4:3:ldap:0:/home/anonymous:/bin/ksh
pushing line: uwerler:*:1000:1000:ldap:12011:0:Uwe Werler:/home/uwerler:/bin/ksh
pushing line: user001:*:1001:1001:ldap:12011:0:Who' this?:/home/user001:/bin/ksh
pushing line: admins:*:1000:uwerler
pushing line: users01:*:1001:user001

   That means you should see something like this ;-)

6. Start ypbind:

        ypbind

7. Test the user:

~ # id uwerler
uid=1000(uwerler) gid=1000(admins) groups=1000(admins)*

   * as I already wrote - only the first group from ldap is used now

OK, this is working so far. Now try to log in. The problem is that if you
want to authenticate with passwords you have to type your password twice.
Why - I have to ask the list myself. I've seen messages like these in my
authlog:

Oct 7 16:07:50 openbsd02 sshd[11261]: Failed password for uwerler from 10.0.0.127 port 36885 ssh2
Oct 7 16:07:52 openbsd02 sshd[11261]: Accepted password for uwerler from 10.0.0.127 port 36885 ssh2

!!! You're done !!!

Regards
Uwe

################################

To make your changes permanent:

1. Find these lines in /etc/rc and comment them out to avoid starting ypserv:

snip
if [ X`domainname` != X ]; then
        #if [ -d /var/yp/`domainname` ]; then
        #       # YP server capabilities needed...
        #       echo -n ' ypserv';              ypserv ${ypserv_flags}
        #       #echo -n ' ypxfrd';             ypxfrd
        #fi
snip

2. Add a line to /etc/rc.conf:

        ypldap_flags=""

3. Add lines to /etc/rc.local:

if [ X"${ypldap_flags}" != X"NO" ]; then
        echo -n ' ypldap'
        /usr/sbin/ypldap ${ypldap_flags} 1> /dev/null &
fi
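A small sanity check for the "pushing line:" entries that ypldap -dv prints in step 5, added here as an example and not part of Uwe's post: it flags entries whose field count does not match a flattened master.passwd (10 fields) or group (4 fields) record, duplicate uids, and users whose primary gid has no group entry. The sample log is constructed from the debug output above (the anonymous entry there is missing two fields, which this check reports).

```shell
#!/bin/sh
# sample_log: emit constructed ypldap -dv output (from the post above).
sample_log() {
	cat <<'EOF'
startup [debug mode]
flattening trees
pushing line: anonymous:*:4:3:ldap:0:/home/anonymous:/bin/ksh
pushing line: uwerler:*:1000:1000:ldap:12011:0:Uwe Werler:/home/uwerler:/bin/ksh
pushing line: user001:*:1001:1001:ldap:12011:0:Who' this?:/home/user001:/bin/ksh
pushing line: admins:*:1000:uwerler
pushing line: users01:*:1001:user001
EOF
}

# check_maps: read ypldap -dv output on stdin, print one diagnostic per
# problem, exit 1 if any was found.  A passwd entry carries the 10
# master.passwd fields (name:pw:uid:gid:class:change:expire:gecos:home:shell),
# a group entry 4 (name:pw:gid:members); anything else means an attribute
# mapping in ypldap.conf did not fill in as expected.
check_maps() {
	awk '
	/^pushing line: / {
		sub(/^pushing line: /, "")
		n = split($0, f, ":")
		if (n == 10) {
			if (f[3] in uid_owner) {
				printf "duplicate uid %s: %s and %s\n", f[3], uid_owner[f[3]], f[1]; bad++
			}
			uid_owner[f[3]] = f[1]
			primary_gid[f[1]] = f[4]
		} else if (n == 4) {
			group_name[f[3]] = f[1]
		} else {
			printf "bad field count (%d): %s\n", n, $0; bad++
		}
	}
	END {
		for (u in primary_gid)
			if (!(primary_gid[u] in group_name)) {
				printf "user %s: primary gid %s has no group map entry\n", u, primary_gid[u]; bad++
			}
		exit (bad ? 1 : 0)
	}'
}

# Stand-alone run against the constructed sample.
if sample_log | check_maps; then
	echo "maps look consistent"
else
	echo "problems found in the sample output" >&2
fi
```

To check a live run, pipe the daemon's output through it instead: ypldap -dv 2>&1 | check_maps.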