OpenBSD Journal

Authentication of user accounts using LDAP

Contributed by jose on from the documentation dept.

Josh Steele writes:
"Good article/how-to for those interested: "

I'm sure a lot of people with big sites who use LDAP will be happy to see this. A much easier way to coordinate logins.


  1. By Jeroen () on

    login_ldap might be interesting:

    You still need entries in /etc/passwd because OpenBSD lacks nsswitch. That means double work, just like in the tutorial above :(

  2. By blackmage () on

    Not a recent article.

    See login_ldap if you want to do it directly.

    Or, best, Kerberos for auth and LDAP for the rest.

  3. By Anonymous Coward () on

    Duh. This is already on See

  4. By click46 () on

    ...but why would one want to use LDAP? I'll admit I know barely anything about LDAP [I keep forgetting what the A stands for...heh] but whenever I come across an article about it, I've never gone "oh snap, now that would be cool". So tell me, why should someone use LDAP?

    1. By Anonymous Coward () on

      cause that would be cool. ;-)

    2. By Anonymous Coward () on

      cause that would be cool. ;-) Doh, screwed up on the /i

    3. By atmos () on might help. It's just the niceties of centralized authentication, easier than maintaining passwd files on multiple boxes. Say you have a box running authpf acting as a wireless gateway. You also have an LDAP server handling your user map for the unix systems on your network. You could use your network-wide logins to authenticate on the authpf machine, and it's less of a pain for the administrator and the user. If you were looking to do something like that, you might say "oh snap, now that would be cool."

      1. By click46 () on

        but don't "directory" services have a lot more "fat" than just simple user authentication? I mean, technically I can do that with PAM and pgsql ;)

        /me reads

        1. By Peter () on

          That's because one can do much more with LDAP: I use it for authentication of my users for Linux, OpenBSD, FreeBSD, Apache, Squid, Sendmail, plus I have an up-to-date company phonebook.

          All my users are created once (well, actually, their accounts are created once :-D ).


          1. By click46 () on

            ahh, but that's exactly my point. If I have no need for a company phonebook, then I can use pgsql and PAM to authenticate for Leenux, BSD, apache, squid, sendmail, ad nauseam... without the phonebook "fat" :D

            1. By Strog () on

              psql isn't any lighter. Sure, you could do it either way. LDAP is a very flexible solution when combined with strong auth solutions. I think it has fairly untapped potential. I think Novell and Microsoft had the right idea with Directory Services. I might not necessarily agree with implementations but they are good. You can do so much more than user info and phone book.

            2. By Anonymous Coward () on

              In a network under a couple hundred users, yeah, LDAP is probably overkill. But in a large heterogeneous network, it makes a lot of sense. Having a hierarchical directory to manage authentication, network mounts, printer services, user and machine groups, a contacts directory, etc. etc. all in one place can significantly decrease the costs of administration and support in a large enterprise or academic environment.
              Additionally, in an enterprise environment, commercial support is important. And LDAP is where many of the big vendors are going.

              At a lot of places with a strong unix userbase, NIS has been the standard for years for this purpose. In my experience, LDAP is increasingly becoming the solution to which many of these shops migrate.

            3. By atmos () on

              pgsql support ssl, that's a feature I'm quite fond of.

              1. By atmos () on

                err. I'm retarded, but does pgsql support ssl? That's what I meant to type there, but clicked submit without reading what I had typed. OpenLDAP's TLS/SSL stuff would be a reason I'd take LDAP over a DBMS.

                1. By click46 () on

                  yes, it does support TLS/SSL

            4. By Dan () on

              But you cannot buy off-the-shelf products which have support for PGSQL authentication. LDAP is an Internet standard, SQL is not. LDAP schema is an Internet standard, SQL schema is not. Many products support LDAP authentication and management without the need for PAM or other middleware. Furthermore, LDAP is an electronic equivalent of a Rolodex, much more suitable for managing people information than a relational database. And did I mention that many applications support it out of the box?

              1. By Lars Hansson () on

                LDAP is a protocol, SQL is a language.
                You're all comparing apples and oranges.
                It would be perfectly possible to create an LDAP server that uses postgresql, mysql or what-have-you as a backend. OpenLDAP uses berkeleydb as a backend.
                LDAP and SQL (or, more correctly, relational databases) are not mutually exclusive but could be, and often are, part of a bigger solution. You could, for example, have an LDAP server with a relational backend coupled with a kerberos server with an LDAP backend.

                SQL /is/ a standard btw.

  5. By mra () on

    I've been interested in deploying an LDAP-based auth system, but every time I find documentation on how to go about doing it, it always seems to say: "Get a RedHat box running OpenLDAP and FreeRADIUS."

    Maybe it's just me, but I'd like to keep Linux, and RedHat even more so, far away from my authentication structure. There is a reason why I run OpenBSD :)

    I was looking through the ports tree and saw two different RADIUS servers; lucent and cistron. Is there any reason why one should not be using these servers?

  6. By Dichque () on

    I've been waiting a long time hoping obsd would include some kind of PAM support.

    Any idea why the obsd guys decided not to go with PAM?

    Thanks for the link ..
