OpenBSD Journal

LDAP and OpenBSD?

Contributed by Dengue on from the slapd-and-slurpd dept.

Seer Snively writes: "Okay, so I'm redesigning the network at work with security and simplicity in mind. We have a few web apps, a couple OpenBSD boxen, some linux, and every tech/agent is on NT. Each box has a different username and password combo, and I've been reading a lot about implementing LDAP to solve the multi-login problem. Samba now uses a LDAP backend (for NT domain auth), Linux has got PAM, our web apps now include mod_ldap_auth, but what about the OpenBSD boxen? Is there a way (short of rewriting login from scratch) to make OpenBSD auth users from an external LDAP server?"

Comments
  1. By james phillips () dengue@ on file:/dev/null

    Have you thought of writing an application that checks the modification timestamps of ldap attributes and in the case of change, uses that to sync the password databases on your OpenBSD hosts with ldap? I have heard some rumours of work on a more extensible authentication mechanism for OBSD, but don't know what the state of that is.

    O'Reilly's Perl for System Administrators has an example of a user database using XML as its datastore, and numerous examples of using Perl to manage LDAP directories. Perhaps the two examples could be combined in such a way as to allow a "server push" when an ldap attribute timestamp has changed, and propagate that change out to /etc/passwd.

    iPlanet's Meta Directory and Unified User Management suite operate on that principle I believe using the PerLDAP module (Mozilla::LDAP).
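The timestamp-driven sync described in this comment, as an added example that is not code from the poster or any project: it parses an RFC 2307 posixAccount export (the LDIF below is constructed sample data), keeps only entries whose modifyTimestamp is newer than the last run, and emits master.passwd(5)-style lines. Only {CRYPT} password hashes can be checked by login(1), so any other scheme is written as a locked account rather than copied across.

```python
# Added example (not from the post): sync RFC 2307 posixAccount entries changed
# since the last run into master.passwd(5)-style lines. LDIF is constructed data.
from datetime import datetime, timezone
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
loginShell: /bin/ksh
userPassword: {CRYPT}$2b$08$constructedhashvalue
modifyTimestamp: 20021015120000Z

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/bob
loginShell: /bin/sh
userPassword: {SSHA}constructedbase64value
modifyTimestamp: 20021001080000Z
"""

def parse_ldif(text):
    """Parse simple LDIF (no continuation lines or base64 values) into dicts."""
    return [dict(line.partition(": ")[::2] for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def ldap_time(value):
    """Generalized time 'YYYYmmddHHMMSSZ' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def changed_since(entries, last_sync):
    """Entries whose modifyTimestamp is newer than the last successful sync."""
    return [e for e in entries if ldap_time(e["modifyTimestamp"]) > ldap_time(last_sync)]

def passwd_line(entry):
    """Only {CRYPT} hashes are verifiable by login(1); other schemes (SSHA, MD5,
    cleartext) are written as '*' so the account is locked, never guessed."""
    pw = entry.get("userPassword", "")
    crypt_hash = pw[len("{CRYPT}"):] if pw.startswith("{CRYPT}") else "*"
    return ":".join([entry["uid"], crypt_hash, entry["uidNumber"], entry["gidNumber"],
                     "", "0", "0", entry.get("gecos", ""), entry["homeDirectory"],
                     entry["loginShell"]])

def sync(ldif_text, last_sync):
    """master.passwd lines to merge for accounts changed since last_sync (generalized time)."""
    return [passwd_line(e) for e in changed_since(parse_ldif(ldif_text), last_sync)]
```

The returned lines are meant to be merged into master.passwd and rebuilt with pwd_mkdb(8); the script records the run time as the next last_sync value.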

  2. By gronk u lator () gronkulator@yahoo.com on mailto:gronkulator@yahoo.com

    There are several utilities to convert an LDAP naming service directory (one that implements RFC 2307) into either NIS maps, or the actual NIS service. My suggestion is that you go with one of these until OpenBSD gets PAM or an nsswitch mechanism like Solaris or Linux.

  3. By anon-for-today () anon@nopam.net on NA

    cd /usr/ports/databases/openldap
    make && make install

  4. By XTernal () xternal1@yahoo.com on mailto:xternal1@yahoo.com

    Given the use of OpenBSD, chances are you would use OpenLDAP as a server. As I see it, there is a big problem with that. Last I checked, the 2.x series was not declared stable. Problem is, 1.x doesn't include SSL support, so, you are likely stuck running a development version, or, running a 1.x through an SSL wrapper. Neither of which I find a very savory idea.

    I think that http://www.padl.com/software.html has some interesting software that would address your needs, most specifically PAM LDAP and NSS LDAP. Neither lists OpenBSD under platform support, but, it may still work.

  5. By Klaus-Hendrik Wolf () K-H.Wolf@ifmi.org on mailto:K-H.Wolf@ifmi.org

    Maybe you should have a look at this article
    http://archives.neohapsis.com/archives/openbsd/2002-10/0592.html
    There are links to two pages explaining how to authenticate through LDAP.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site.