/dev/random

Centralized Authentication with OpenBSD and OpenLDAP

If you have a lot of servers and a lot of users, you do not want to manage them via editing passwd files. Using LDAP is one way out of the dilemma. Searching the web resulted in a lot of outdated information, but after a while I found something helpful on a mailing list, so thanks Gary ;)

Here are my steps to success:

  1. Install login_ldap, which provides the authentication half of the setup: at login time it checks the password the user typed against LDAP.
    pkg_add -iv login_ldap
    
  2. Append the following to /etc/login.conf. If /etc/login.conf.db exists on the machine, rebuild it with cap_mkdb afterwards, otherwise the new class is not picked up. As written this talks to the server over plain LDAP, so the password crosses the network in the clear; login_ldap(8) documents the TLS-related x-ldap-* capabilities you want before real users log in this way.
    ldap:\
      :auth=-ldap:\
      :x-ldap-server=ldap.devrandom.se:\
      :x-ldap-uscope=sub:\
      :x-ldap-basedn=ou=users,dc=devrandom,dc=se:\
      :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
      :tc=default:
    
  3. ypldap(8) supplies the rest of the account data from LDAP (numeric ids, home directories, shells and group membership) as YP maps. My /etc/ypldap.conf:
    # : ypldap.conf,v 1.4 2012/04/30 12:16:43 ajacoutot Exp 
    
    domain    "devrandom.se"
    interval  60
    provide map "passwd.byname"
    provide map "passwd.byuid"
    provide map "group.byname"
    provide map "group.bygid"
    
    directory "ldap.server.devrandom.se" {
      basedn "dc=devrandom,dc=se"
    
      # passwd maps configuration (RFC 2307 posixAccount object class)
      passwd filter "(objectClass=posixAccount)"
    
      attribute name maps to "uid"
      fixed attribute passwd "*"
      attribute uid maps to "uidNumber"
      attribute gid maps to "gidNumber"
      attribute gecos maps to "cn"
      attribute home maps to "homeDirectory"
      attribute shell maps to "loginShell"
      fixed attribute change "0"
      fixed attribute expire "0"
      fixed attribute class "ldap"
    
      # group maps configuration (RFC 2307 posixGroup object class)
      group filter "(objectClass=posixGroup)"
    
      attribute groupname maps to "cn"
      fixed attribute grouppasswd "*"
      attribute groupgid maps to "gidNumber"
      # memberUid returns multiple group members
      list groupmembers maps to "memberUid"
    }
    
  4. The fixed attribute class "ldap" line is essential: it gives every user served from LDAP the ldap login class defined in /etc/login.conf above, which is what makes the system authenticate them through login_ldap. In the same spirit, fixed attribute passwd "*" keeps password hashes out of the YP maps, which any client that can bind to the domain can dump with ypcat.
  5. Now set the YP domain name, both for the running system and persistently:
    domainname devrandom.se
    echo devrandom.se > /etc/defaultdomain
    
  6. The next step is to tell the system that additional users and groups are supplied by YP. Appending a line to /etc/passwd and /etc/group does the job. Use vipw(8) for the passwd file: it edits /etc/master.passwd (which is why the line below has the ten fields of that file) and regenerates /etc/passwd and the password databases for you. Append to /etc/passwd:
    +:::::::::/bin/ksh
    
    Append to /etc/group:
    +:::
    
  7. Enable the services in /etc/rc.conf.local and reboot.
    portmap_flags=""
    ypldap_flags=""
    ypbind_flags=""
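
A small check for the login.conf fragment from step 2, added here as an example and not part of the original post. login.conf(5) records are continued with a trailing backslash and getcap(3) removes only the backslash-newline pair, so a continued line that does not end in ":\" does not start a new field: the next line's indentation ends up inside the previous capability's value. The sample fragments below are constructed for the example, one of them with exactly that mistake on the x-ldap-basedn line.

```shell
#!/bin/sh
# Lint a login.conf(5) fragment before running cap_mkdb(1).
# Hypothetical helper written for this example; not from the original post.

# join_records: reproduce getcap's continuation handling and print one
# record per line, so the fields appear exactly as cap_mkdb will see them.
join_records() {
  awk '
    /\\$/   { rec = rec substr($0, 1, length($0) - 1); next }
    NF == 0 { next }
            { print rec $0; rec = "" }
  '
}

# lint_login_conf: read a fragment on stdin, print one diagnostic per
# suspicious line, exit 1 if anything was found and 0 when clean.
lint_login_conf() {
  awk '
    /\\$/ {
      if ($0 !~ /:\\$/) {
        printf "line %d: continued line does not end in \":\\\"\n", NR
        bad = 1
      }
      next
    }
    NF == 0 { next }
    $0 !~ /:$/ {
      printf "line %d: last line of record does not end in \":\"\n", NR
      bad = 1
    }
    END { exit bad }
  '
}

# Constructed sample: the ldap class with the ":" missing on the basedn line.
SAMPLE_BAD='ldap:\
  :auth=-ldap:\
  :x-ldap-server=ldap.devrandom.se:\
  :x-ldap-uscope=sub:\
  :x-ldap-basedn=ou=users,dc=devrandom,dc=se\
  :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
  :tc=default:'

# Constructed sample: the same class with every continued line ending in ":\".
SAMPLE_GOOD='ldap:\
  :auth=-ldap:\
  :x-ldap-server=ldap.devrandom.se:\
  :x-ldap-uscope=sub:\
  :x-ldap-basedn=ou=users,dc=devrandom,dc=se:\
  :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
  :tc=default:'

# Usage: show the record as one line, then lint it.
printf '%s\n' "$SAMPLE_BAD" | join_records
printf '%s\n' "$SAMPLE_BAD" | lint_login_conf || echo "fix the fragment before running cap_mkdb"
```

Running it on the bad sample prints the joined record, where the basedn value visibly runs on into the indentation of the next line, and the diagnostic "line 5: continued line does not end in ":\"". The good sample lints clean.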