OepnBSD rocks. Until it doesn't.

Monday, 9 August 2010

Recently I've been jumping upon the LDAP bandwagon, with one of my aims to consolidate a lot of different login systems.

Configuring Linux, Apache, OpenVPN and similar things to authenticate against an LDAP server was almost painless.

Unfortunately OpenBSD is being a bit more painful, primarily because it doesn't use PAM. Instead you have two choices:

  • Configure login to authenticate against a RADIUS server, telling that server to authenticate against a (remote) LDAP server.
  • Use login_ldap to do authentication, but fetch all things via YP.

Neither solution is particularly pleasant, but the former is marginally less effort. The downside? I still have to run "adduser" to add the user to the system - which makes me think "why did I bother in the first place?"

Otherwise I spent the tail end of last week in York, taking pictures of ducks, geese, the city walls and similar things of fun.

ObQuote: "Well, well I see we have visitors... " - Hot Fuzz

| 5 comments.

 

Comments On This Entry

[gravitar] pyr

Submitted at 21:58:22 on 9 august 2010

There are a couple wrong statements in your post:
* The problem with OpenBSD isn't the lack of pam, since there is bsd_auth which is equivalent. The problem is the lack of a nsswitch like feature.
* You are missing an alternative: ypldap which provides an alternative ypserv serving yp maps from ldap, ypldap is recent but solves your current issue, you should give it a try.

[gravitar] Vincent Bernat

Submitted at 22:03:58 on 9 august 2010

Take a look at ypldap. I suppose this is in the base system now.

[author] Steve Kemp

Submitted at 22:05:42 on 9 august 2010

You both mention the use of yp_ldap, which is what I meant by "via YP".

Pyr: I guess you're right that I meant the nsswitch like feature - which means you have to use yp to lookup UID/GID/etc.

For the moment I'm going to stick to radiusd to see how that works out. It's a simpler configuration, a slightly more trusted deamon, and something I've used elsewhere.

[gravitar] James

Submitted at 06:59:58 on 10 august 2010

What doco/guides did you use to migrate to OpenLDAP? I've found most of them to be pretty dire, either cargo-cult configuration that doesn't explain anything, or references that assume you already understand how LDAP works.

[author] Steve Kemp

Submitted at 07:29:20 on 10 august 2010

I've read a couple of LDAP books, and they got me most of the understanding I needed to make the migration work.

I have to say that there were a few good guides out there - even on my site ;)

 

Comments are closed on posts which are more than ten days old.

Recent Posts

Recent Tags