OpenBSD as an LDAP Client

2009-08-27 22:33:50 by jdixon

OpenBSD's ypldap daemon provides YP maps using an LDAP backend. It was introduced with OpenBSD 4.4 but doesn't seem to have received much exposure within the community. I've been meaning to convert one of our bastion systems from using local accounts to LDAP, mainly for convenience.

The migration went smoothly except for the lack of a netid.byname mapping. Pierre-Yves Ritschard (pyr@) told me this is high on his to-do list. Without this mapping, sudo is unable to getpwuid(). Therefore, any accounts requiring sudo rights (read: administrators) will need to remain as local accounts until this is resolved.

The vast majority of this write-up was taken almost verbatim from a similar posting at the Helion-Prime Solutions blog. I've filled in some missing bits with regards to the sudo issue as well as ypbind issues over non-broadcast segments.

Install the login_ldap package.

$ sudo pkg_add -i login_ldap
openldap-client-2.3.43: complete
login_ldap-3.51: complete
--- login_ldap-3.51 -------------------
Note: Some configuration options for login_ldap in login.conf have changed.
If you're upgrading from previous versions, make sure to consult the
man page, login_ldap(8), and look at the examples in
/usr/local/share/examples/login_ldap/.

Add a new authentication class to /etc/login.conf.

+ldap:\
+        :auth=-ldap:\
+        :x-ldap-server=ldap.obfuscurity.com,,:\
+        :x-ldap-basedn=dc=obfuscurity,dc=com:\
+        :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
+        :tc=default:
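Review bot: the class as written names only a server in x-ldap-server and sets no TLS option, so the simple bind that carries each user's password to ldap.obfuscurity.com crosses the network in the clear; add the TLS setting login_ldap(8) documents (x-ldap-usetls) before putting this on a bastion host, and keep in mind that the filter (&(objectclass=posixAccount)(uid=%u)) is evaluated under dc=obfuscurity,dc=com, a wider subtree than the ou=employee base ypldap.conf below uses.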

Create a new /etc/ypldap.conf.

interval 100
domain "obfuscurity.com"

provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"

directory "ldap.obfuscurity.com" {
   binddn "cn=Manager,dc=obfuscurity,dc=com"
   basedn "ou=employee,dc=obfuscurity,dc=com"

   passwd filter "(objectClass=posixAccount)"

   attribute name maps to "uid"
   fixed attribute passwd "*"
   attribute uid maps to "uidNumber"
   attribute gid maps to "gidNumber"
   attribute gecos maps to "cn"
   attribute home maps to "homeDirectory"
   fixed attribute shell "/bin/ksh"
   fixed attribute change "0"
   fixed attribute expire "0"
   fixed attribute class "ldap"

   group filter "(objectClass=posixGroup)"

   attribute groupname maps to "cn"
   fixed attribute grouppasswd "*"
   attribute groupgid maps to "gidNumber"
   list groupmembers maps to "memberUid"
}

Set our domain for ypbind.

# echo 'obfuscurity.com' > /etc/defaultdomain
# echo 'obfuscurity.com' > /etc/yp/ldap.obfuscurity.com

Add the necessary entries in /etc/master.passwd and /etc/group.

$ sudo vipw
$ sudo tail -1 /etc/master.passwd
+:::::::::/bin/ksh

$ sudo vi /etc/group
$ tail -1 /etc/group
+:::

Modify /etc/rc to disable ypbind at boot.

-       if [ -d /var/yp/binding ]; then
-               # YP client capabilities needed...
-               echo -n ' ypbind';              ypbind
-       fi
+       #if [ -d /var/yp/binding ]; then
+       #       # YP client capabilities needed...
+       #       echo -n ' ypbind';              ypbind
+       #fi
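Review bot: commenting ypbind out of /etc/rc is the fragile half of this change: /etc/rc is replaced at every OpenBSD upgrade, so the early ypbind start silently comes back while the rc.local addition stays, giving two ypbind invocations at boot. At minimum leave a comment here pointing at /etc/rc.local so the next sysmerge run does not discard the intent.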

Modify /etc/rc.local to start ypbind explicitly after ypldap.

+if [ X"${ypldap_flags}" != X"NO" ]; then
+       echo -n ' ypldap'; /usr/sbin/ypldap ${ypldap_flags} 1> /dev/null
+       echo -n ' ypbind'; ypbind
+fi
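Review bot: the ypbind on the third line runs whether or not /usr/sbin/ypldap on the line above started, and ypldap's stdout is sent to /dev/null, so a broken ypldap.conf leaves ypbind waiting for a server with nothing on the console to explain why. Chain the two (`/usr/sbin/ypldap ${ypldap_flags} && ypbind`) or test the exit status, and let ypldap's output reach the console at boot.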

Enable portmap and ypldap in /etc/rc.conf.local.

$ tail -2 /etc/rc.conf.local
portmap=YES
ypldap_flags=""

Reboot.

Backup your /etc/master.passwd file.

$ sudo cp /etc/master.passwd /etc/master.passwd.bak

Delete a single user (non-administrator) entry (using vipw). Test the user login to make sure it works. If successful, remove the remaining user accounts from the password file.
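Before removing the remaining local accounts it is worth auditing what the YP passwd map actually hands to any client that can reach it. The script below is an added example, not from the original post; check_ypmap is a hypothetical helper, the sample map and local entries are constructed, and it assumes the map dump is in the 10-field master.passwd layout the attribute list in ypldap.conf defines (7-field passwd lines are accepted as well).

```shell
#!/bin/sh
# Added example: audit what the YP passwd map hands out before trusting it.
# Constructed sample of a map dump in master.passwd layout, i.e. the field
# order the attribute list in ypldap.conf produces:
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MAP='jdixon:*:1001:1001:ldap:0:0:Jason Dixon:/home/jdixon:/bin/ksh
alice:$2a$08$constructedhashvalue:1002:1002:ldap:0:0:Alice:/home/alice:/bin/ksh
bob:*:0:0:ldap:0:0:Bob:/home/bob:/bin/ksh
carol:*:1003:1003:default:0:0:Carol:/home/carol:/bin/ksh'

# Constructed stand-in for the local accounts kept in /etc/master.passwd
# (the administrators that still need sudo); these must not be shadowed.
LOCAL_USERS='root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
jdixon:*:1001:1001:default:0:0:Jason Dixon:/home/jdixon:/bin/ksh'

# check_ypmap MAP_TEXT LOCAL_TEXT
# Prints one line per finding; the return value is the number of findings,
# so 0 means the map matches the policy this configuration encodes:
#   - password field is "*" (ypldap's fixed attribute; a real hash here is
#     readable by every host that can reach the YP service)
#   - class is "ldap" so authentication goes through login_ldap
#   - no uid 0 and no name/uid collision with a local account
# Accepts 10-field master.passwd lines and 7-field passwd lines.
check_ypmap() {
    printf '%s\n' "$1" | awk -F: -v known="$2" '
    BEGIN {
        n = split(known, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, ":")
            lname[f[1]] = 1; luid[f[3]] = 1
        }
        bad = 0
    }
    NF != 10 && NF != 7 { print "malformed entry (" NF " fields): " $0; bad++; next }
    $2 != "*"                { print $1 ": password field is not \"*\""; bad++ }
    NF == 10 && $5 != "ldap" { print $1 ": class " $5 " bypasses login_ldap"; bad++ }
    $3 == 0                  { print $1 ": uid 0 served from LDAP"; bad++ }
    ($1 in lname)            { print $1 ": collides with a local account name"; bad++ }
    ($3 in luid) && $3 != 0  { print $1 ": uid " $3 " collides with a local account"; bad++ }
    END { exit bad }'
}

# On a real client replace SAMPLE_MAP with the output of: ypcat passwd.byname
check_ypmap "$SAMPLE_MAP" "$LOCAL_USERS" && echo "map is clean" \
    || echo "fix the entries above before deleting the remaining local accounts"
```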

Voila!

Comments

at 2009-10-07 15:52:09, anonymous wrote in to say...

why did you have to modify rc to start ypbind after ypldap?

at 2009-10-07 16:07:48, Jason Dixon wrote in to say...

My understanding, take with a big grain of salt...

Because ypbind is binding to a YP service. In this case, ypldap is providing the mapping functionality, so we need to have it running before we try to bind.

at 2011-01-12 09:06:33, Stephan wrote in to say...

In case you get a "fatal: getpwnam: Bad file descriptor" upon start of 'ypldap -dv' you might turn out as stupid as me and not have a _ypldap user in your master.passwd - due to sloppy OS upgrading ;)

at 2012-08-14 09:29:17, anonymous wrote in to say...

How to do this with FreeBSD? Why is there no BSD licensed NSS module for hosts to access LDAP servers for AAA and name services? nss_ldap and friends are all GPL and thus not in the base system.

Moving forward we won't likely need support in BASE for client libraries for hesiod (?) and yp but LDAP is essential. There's *a lot* of machines running Active Directory and networks that require AD to be used for all user management.

at 2014-02-28 17:35:59, Israel Brewster wrote in to say...

I am trying to get this working, but there seems to be a disconnect somewhere between the login.conf and the yp stuff. When I run ypldap -dv it spits out a bunch of entries like "pushing line:" followed by what looks like a passwd file entry for all the users and groups in my ldap database, so I guess that much is working (at least it can see all the entries). Also if I run /usr/libexec/auth/login_-ldap -d -s login USERNAME ldap for an LDAP user, it says authorized. However, getent passwd only shows local users, and I can't login as any LDAP user. When I try, the authlog shows "invalid user". What can I be missing?
