
OpenBSD rocks. Until it doesn't.

9 August 2010 21:50

Recently I've been jumping upon the LDAP bandwagon, with one of my aims to consolidate a lot of different login systems.

Configuring Linux, Apache, OpenVPN and similar things to authenticate against an LDAP server was almost painless.

Unfortunately OpenBSD is being a bit more painful, primarily because it doesn't use PAM. Instead you have two choices:

  • Configure login to authenticate against a RADIUS server, telling that server to authenticate against a (remote) LDAP server.
  • Use login_ldap to do authentication, but fetch all things via YP.

Neither solution is particularly pleasant, but the former is marginally less effort. The downside? I still have to run "adduser" to add the user to the system - which makes me think "why did I bother in the first place?"
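For the RADIUS route chosen above, an added illustration of what the OpenBSD side looks like (this is not configuration from the post; the class name, hostname and secret are placeholders, and the capability names are the ones login_radius(8) documents, so check them against the man page of the release you run):

```conf
# /etc/login.conf (added example, not from the post): a login class whose
# password check is handed to login_radius(8). The RADIUS server itself is
# the one configured to authenticate against the (remote) LDAP directory.
# Run cap_mkdb /etc/login.conf afterwards if /etc/login.conf.db exists.
radiususers:\
        :auth=radius:\
        :radius-server=radius.example.com:\
        :radius-port=1812:\
        :radius-timeout=2:\
        :radius-retries=3:\
        :tc=default:

# /etc/raddb/servers (added example): one "host shared-secret" line per
# server. Keep it root-only (mode 0600): the secret is all that protects the
# password exchange on the wire, so the RADIUS traffic should also stay on a
# trusted network segment.
radius.example.com    CHANGE-ME-shared-secret
```

As the post notes, the account must still exist locally: a user is created with adduser and then placed in the class with `usermod -L radiususers username`, and only the password check moves to RADIUS.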

Otherwise I spent the tail end of last week in York, taking pictures of ducks, geese, the city walls and similar things of fun.

ObQuote: "Well, well I see we have visitors... " - Hot Fuzz



Comments on this entry

pyr at 21:58 on 9 August 2010

There are a couple of wrong statements in your post:
* The problem with OpenBSD isn't the lack of pam, since there is bsd_auth which is equivalent. The problem is the lack of an nsswitch-like feature.
* You are missing an alternative: ypldap, which provides an alternative ypserv serving yp maps from ldap. ypldap is recent but solves your current issue; you should give it a try.

Vincent Bernat at 22:03 on 9 August 2010

Take a look at ypldap. I suppose this is in the base system now.

Steve Kemp at 22:05 on 9 August 2010

You both mention the use of yp_ldap, which is what I meant by "via YP".

Pyr: I guess you're right that I meant the nsswitch-like feature - which means you have to use yp to look up UID/GID/etc.

For the moment I'm going to stick to radiusd to see how that works out. It's a simpler configuration, a slightly more trusted daemon, and something I've used elsewhere.

James at 06:59 on 10 August 2010

What doco/guides did you use to migrate to OpenLDAP? I've found most of them to be pretty dire, either cargo-cult configuration that doesn't explain anything, or references that assume you already understand how LDAP works.

Steve Kemp at 07:29 on 10 August 2010

I've read a couple of LDAP books, and they got me most of the understanding I needed to make the migration work.

I have to say that there were a few good guides out there - even on my site ;)