Making OpenBSD an LDAP Client
Install the login_ldap package:
# pkg_add login_ldap
After successfully installing the "login_ldap" package, open /etc/login.conf:
# nano /etc/login.conf
and append the following lines at the end to make it authenticate via LDAP:
ldap:\
	:auth=-ldap:\
	:x-ldap-server=ip of ldap server,,:\
	:x-ldap-basedn=dc=your,dc=domain,dc=name:\
	:x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
	:tc=default:
For details, see: man login_ldap
Test it with:
# /usr/libexec/auth/login_-ldap -d -s login LDAP_USER ldap
Provide an existing LDAP username in place of LDAP_USER; it will then ask for the password. Provide it and it will display some information, and at the very end it will show "user bind success", which means everything is going well so far.
Now configure YPLDAP. OpenBSD has great support for YP, and using ypldap provides soft integration with the LDAP server.
Use the example in the man page: man ypldap.conf
Configure it in:
# nano /etc/ypldap.conf
You should have something like this:
# $OpenBSD: ypldap.conf,v 1.2 2011/08/28 11:53:16 aschrijver Exp $
domain "your domain name"
interval 60
provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"
directory "ip of ldap server" {
	# directory options
	binddn "cn=root,dc=your,dc=domain,dc=name"
	bindcred "secret"
	basedn "dc=your,dc=domain,dc=name"
	# passwd maps configuration (RFC 2307 posixAccount object class)
	passwd filter "(objectClass=posixAccount)"
	attribute name maps to "uid"
	fixed attribute passwd "*"
	attribute uid maps to "uidNumber"
	attribute gid maps to "gidNumber"
	attribute gecos maps to "cn"
	attribute home maps to "homeDirectory"
	attribute shell maps to "loginShell"
	fixed attribute change "0"
	fixed attribute expire "0"
	fixed attribute class "ldap"
	# group maps configuration (RFC 2307 posixGroup object class)
	group filter "(objectClass=posixGroup)"
	attribute groupname maps to "cn"
	fixed attribute grouppasswd "*"
	attribute groupgid maps to "gidNumber"
	# memberUid returns multiple group members
	list groupmembers maps to "memberUid"
}
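As an added illustration (not part of the original post, and not code from ypldap itself), the following Python applies the attribute mapping above to a constructed posixAccount and posixGroup entry and builds the master.passwd(5) and group(5) records the YP maps would carry. It shows why "fixed attribute passwd "*"" matters: YP maps can be read by any client in the domain, so the real userPassword hash never leaves the directory and authentication goes through login_ldap instead. The regex and the sample entries are this example's own assumptions.

```python
import re
# Constructed excerpt of the mapping section shown on the page (not the whole ypldap.conf).
YPLDAP_CONF = """
passwd filter "(objectClass=posixAccount)"
attribute name maps to "uid"
fixed attribute passwd "*"
attribute uid maps to "uidNumber"
attribute gid maps to "gidNumber"
attribute gecos maps to "cn"
attribute home maps to "homeDirectory"
attribute shell maps to "loginShell"
fixed attribute change "0"
fixed attribute expire "0"
fixed attribute class "ldap"
group filter "(objectClass=posixGroup)"
attribute groupname maps to "cn"
fixed attribute grouppasswd "*"
attribute groupgid maps to "gidNumber"
list groupmembers maps to "memberUid"
"""
# Constructed directory entries, as the two filters above would return them.
USER_ENTRY = {"uid": ["alice"], "uidNumber": ["10001"], "gidNumber": ["10001"],
              "cn": ["Alice Example"], "homeDirectory": ["/home/alice"],
              "loginShell": ["/bin/ksh"], "userPassword": ["{SSHA}constructed-hash"]}
GROUP_ENTRY = {"cn": ["staff"], "gidNumber": ["10001"], "memberUid": ["alice", "bob"]}
# Matches the three mapping forms; "passwd filter"/"group filter" lines are skipped.
MAP_RE = re.compile(r'^(attribute|fixed attribute|list)\s+(\w+)\s+(?:maps to\s+)?"([^"]*)"$')

def parse_mapping(conf):
    """Return {map field: (kind, value)} from the attribute lines of a ypldap.conf."""
    mapping = {}
    for line in conf.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            kind, field, value = m.groups()
            mapping[field] = (kind, value)
    return mapping

def resolve(mapping, field, entry):
    kind, value = mapping[field]
    if kind == "fixed attribute":
        return value                           # literal; never read from the directory
    if kind == "list":
        return ",".join(entry.get(value, []))  # multi-valued attribute (memberUid)
    return entry[value][0]                     # single-valued LDAP attribute

def passwd_line(mapping, entry):
    """master.passwd(5) record: name:passwd:uid:gid:class:change:expire:gecos:home:shell"""
    fields = ["name", "passwd", "uid", "gid", "class", "change", "expire", "gecos", "home", "shell"]
    return ":".join(resolve(mapping, f, entry) for f in fields)

def group_line(mapping, entry):
    """group(5) record: name:passwd:gid:members"""
    return ":".join(resolve(mapping, f, entry) for f in ("groupname", "grouppasswd", "groupgid", "groupmembers"))
```

The class field comes out as "ldap", which is exactly the login.conf class added earlier; that is the link between the YP account record and the login_ldap authentication style.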
Test it with:
# ypldap -dv
It should display the LDAP users and their information. If it doesn't, or you get an error, don't panic; just continue with the further steps.
We should also keep in mind that this setup is not over SSL, so the LDAP traffic (including the bind credentials) travels in cleartext.
Next, set up 'ypbind' (create and maintain a binding to a YP server). Add your domain name to /etc/defaultdomain:
# echo 'yourdomainname' > /etc/defaultdomain
The standard way to enable YP passwd support in /etc/master.passwd is to add the string +:::::::::/bin/ksh:
# nano /etc/master.passwd
At the very end add:
+:::::::::/bin/ksh
Now:
# nano /etc/group
At the very end add:
+:::
Now update the master.passwd database:
# pwd_mkdb -p /etc/master.passwd
For automatic execution at boot:
# nano /etc/rc
Search for ypldap; you should find it somewhere around line 414. Near ypldap you will see something like the following. If we do not change this, 'ypbind' will run before 'ypldap', which will make the system hang at boot:
if [ X"`domainname`" != X"" ]; then
	start_daemon ypserv ypbind yppasswdd
fi
start_daemon ypldap mountd nfsd lockd statd amd
Make it look like this:
start_daemon portmap
start_daemon ypldap mountd nfsd lockd statd amd
if [ X"`domainname`" != X"" ]; then
	start_daemon ypserv ypbind yppasswdd
fi
In simple words, we are moving the line "start_daemon ypldap mountd nfsd lockd statd amd" before the block "if [ X"`domainname`" != X"" ]; then start_daemon ypserv ypbind yppasswdd; fi", so that ypbind only starts after ypldap. We also have to specify this in /etc/rc.local:
# nano /etc/rc.local
if [ X"${ypldap_flags}" != X"NO" ]; then
	echo -n ' ypldap'; /usr/sbin/ypldap ${ypldap_flags} 1> /dev/null
	echo -n ' ypbind'; ypbind
fi
And add to /etc/rc.conf.local:
# nano /etc/rc.conf.local
portmap=YES
ypldap_flags=""
Now the last and most important thing: reboot.
Good luck, guys.