OpenBSD Journal

Authentication of users using LDAP via RADIUS

Contributed by Dengue on from the implementation dept.

LDAP authentication of user accounts on OpenBSD has been brought up on misc@ a number of times in the past. This happens to really interest me because, I'm into directories. It's shameful and awkward, but what can I say?

In the absence of a login_ldap module for bsd_auth(3) , and upon learning that FreeRADIUS supports LDAP as a backend, I decided to explore the use of login_radius(8) as a means of authenticating user accounts on OpenBSD against a central LDAP directory.

As an added bonus, it worked. You can read "Authentication of user accounts on OpenBSD using LDAP via RADIUS" , at my other home .


(Comments are closed)

  1. By Jedi/Sector One () on

    Thanks a lot for your trick!

    I had been looking for that for months.

    And your web page is clear and explains everything, step by step. Congratulations.

  2. By David () on

    Nah... LDAP is the future. LDAP over SSL for a centralized authentication kicks a whole lot of behind. It basically offers the features of NIS, without the security holes you can drive a truck through. LDAP is way more flexible and useful as well.

  3. By panda () on

    Image your /home is mounted over {NFS,SAMBA,CODA,
    you preferred network FS here}, with files belonging
    to other users in the ldap directory (their homes are here
    too !). type ls -l, and oh surprise, you can only see
    numbers there.

    the big chunk of work would be to migrate the old
    and unmodular getpwent and getgrent to a more
    nsswitch like scheme, with support for additional
    name and group resolving methods.

    what do you all think ?


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]