DaemonForums  

OpenBSD > OpenBSD General

#1, 19th March 2011
ComputerErik (New User; Join Date: Mar 2011; Location: NYC; Posts: 3)
Active Directory Authentication

I am just getting started with OpenBSD and have been doing a lot of reading; I have been through all of the FAQs and man pages. At this point I have a system which I did a base install on about a year ago (4.7 release), which I have updated to 4.7 stable. I am now looking at the process to upgrade this to 4.8, but that is for another day.

My immediate interest is being able to manage users on all platforms (Windows, Linux, BSD) from a central location. Now, since Windows doesn't really offer much flexibility, if I want some of the features I need I am forced into maintaining a Windows Active Directory domain. A few years back I did some extensive work in testing various methods of accomplishing the goal of authenticating Linux users to an Active Directory domain. My conclusion was that while it is possible to do this with only native packages (Kerberos, Samba, Winbind), the result was unreliable, more management overhead than needed, and I couldn't restrict logins by group. I did find some free third party solutions that allow me to do all of this easily and reliably (Centrify and Likewise if you are interested). Now fast forward and I am looking to add OpenBSD to the mix. None of the tools I normally use support OpenBSD.

So I did my research and found that OpenBSD supports all of the required protocols to do this natively as in Windows, but in a few postings on blogs etc. I found that others reported issues with this method. I know that any information outside of the FAQ or man pages is not to be trusted, but since it seemed to fit with my prior experiences it seems reasonable. Among the articles I read was one which took a slightly different approach, using Kerberos for authentication and the passwd file for user management locally. As in my previous Linux tests the problems all seemed to revolve around Samba/Winbind pulling user information from AD, this seemed like a reasonable approach to the problem. So I proceeded to follow the man pages and set up a krb5.conf file, and added the required SRV records to my zone file. I am now able to easily and reliably use a password stored in a Windows domain to log in to my OpenBSD system. While this is not an ideal solution (I need to create local accounts for all users) it is better than using only a passwd file.

Has anyone come across any third party or native method which allows an OpenBSD system to pull user account and password information from a Windows domain, and also restrict logins based on Windows group membership? The group membership restriction is especially important as I am looking to use OpenBSD only for secured systems where only a select few will have login permission.

Thanks in advance for any insight.
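The Kerberos-only approach described in this post (domain password for authentication, local passwd entries for account data) needs little more than a krb5.conf that points at the Active Directory realm. The following is an added example, not a file from the thread or from OpenBSD itself; the realm AD.EXAMPLE.COM, the domain ad.example.com and the host dc1.ad.example.com are placeholders. It assumes the domain's DNS zone publishes the SRV records that Active Directory normally creates (_kerberos._udp.AD.EXAMPLE.COM, _kerberos._tcp.AD.EXAMPLE.COM and _kpasswd._udp.AD.EXAMPLE.COM), which is what the post refers to as the required SRV records, so the KDC can be discovered through DNS.

```ini
# Added example /etc/kerberosV/krb5.conf (Heimdal syntax) for authenticating
# local OpenBSD accounts against an Active Directory realm.
# All realm, domain and host names below are placeholders.

[libdefaults]
    default_realm = AD.EXAMPLE.COM
    # Locate KDCs through the _kerberos SRV records the domain publishes.
    dns_lookup_kdc = true
    # Do NOT let DNS TXT records decide which realm a host belongs to;
    # an attacker who controls DNS answers could otherwise redirect
    # authentication to a realm of their choosing. Map domains explicitly
    # in [domain_realm] instead.
    dns_lookup_realm = false
    forwardable = true

[realms]
    AD.EXAMPLE.COM = {
        # Explicit entries are optional when the SRV records exist; they are
        # listed so the configuration also works if DNS lookup is disabled.
        kdc = dc1.ad.example.com
        admin_server = dc1.ad.example.com
        kpasswd_server = dc1.ad.example.com
    }

[domain_realm]
    # Hosts in the AD DNS domain belong to the AD realm.
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com = AD.EXAMPLE.COM
```

Before touching login.conf, verify the file with `kinit someuser@AD.EXAMPLE.COM` followed by `klist`: a ticket-granting ticket shows that name resolution, the SRV records and the realm mapping are all correct. Clock skew between the OpenBSD host and the domain controllers is the most common reason this step fails, so keep the host synchronised with ntpd.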

#2, 20th March 2011
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,125)

I never used it, so I am not sure whether http://openports.se/sysutils/login_ldap provides the required group granularity.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#3, 21st March 2011
ComputerErik (New User; Join Date: Mar 2011; Location: NYC; Posts: 3)

Thanks, I will check this out and see if it does what I need. Unfortunately, though, it looks like it might not be very active, as the last update was a few years ago.

#4, 20th May 2011
ComputerErik (New User; Join Date: Mar 2011; Location: NYC; Posts: 3)

I thought I would loop back and update here in case anyone else in the future has questions on this. I eventually did try login_ldap (which is available as a package as well), and while it does work and is well documented in the man pages, it still has some limitations.

I was hoping for something which would allow the use of the LDAP directory to look up user accounts instead of the passwd file. This is not the case; you still need to make an entry for all users (again, the man page gives an example). It does, however, appear that it allows fairly specific filtering based on LDAP groups; however, given that an entry needs to be made on the local system, it seems somewhat moot.

Further, it seems that login_ldap goes further than just verifying a user; it will actually do the authentication as well. I have not tested very extensively, but I have a hunch that it might send clear-text passwords if your LDAP server is not set up for SSL-only logins. Given this, it seems Kerberos is the better way to go for now.