This post explains, in the simplest way, how to authenticate an OpenBSD login against LDAP accounts. The procedure was tested with OpenBSD 4.2 and an LDAP directory running on RHL; that does not mean it won't work with other Unix systems or other LDAP implementations.

We need to install login_ldap on the client machine. Once that is done, we configure it by editing the /etc/login.ldap file and adding the following:

ldap:\
:auth=-ldap:\
:x-ldap-server=[server_ip_address]:\
:x-ldap-port=[ldap_port]:\
:x-ldap-basedn=ou=[People],dc=[domain],dc=[root]:\
:x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
:tc=default:

Yes, replace the content in brackets with your own values. Then we need a local user on the machine with the same login name as the LDAP user. To create it:

useradd -m -d /home/[user] -s /bin/sh -L ldap -u [1010] [user]

The login name and UID of the local user must match those of the LDAP user. The LDAP account also has to be of type posixAccount, which is what the filter above matches.
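Because login_ldap only checks the password against the directory while the identity (UID, home, shell) still comes from the local account, the two must stay in sync. The following consistency check is an added example of mine, not part of the original post or of login_ldap: it parses an LDIF dump such as ldapsearch produces for the posixAccount filter above together with the local master.passwd, and reports directory users that have no local account, a different UID, or a login class other than ldap. The sample data is constructed.

```python
# Constructed sample of an ldapsearch LDIF dump (not a real directory); "::" base64 values are not decoded.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1010

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1011
"""

# Constructed /etc/master.passwd lines; the fifth field is the login class.
SAMPLE_MASTER_PASSWD = """\
alice:*:1010:1010:ldap:0:0:alice:/home/alice:/bin/sh
bob:*:1012:1012:ldap:0:0:bob:/home/bob:/bin/sh
"""

def parse_ldif(text):
    """Map uid -> uidNumber for every posixAccount entry in an LDIF dump."""
    accounts = {}
    for entry in text.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "posixaccount" in [v.lower() for v in attrs.get("objectclass", [])]:
            accounts[attrs["uid"][0]] = int(attrs["uidnumber"][0])
    return accounts

def parse_master_passwd(text):
    """Map login name -> (uid, login class) from master.passwd lines."""
    rows = [ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {f[0]: (int(f[2]), f[4]) for f in rows}

def audit(ldif_text, passwd_text, login_class="ldap"):
    """List (user, problem) pairs: local account missing, UID differs, or wrong login class."""
    problems, local = [], parse_master_passwd(passwd_text)
    for name, ldap_uid in sorted(parse_ldif(ldif_text).items()):
        local_uid, cls = local.get(name, (None, None))
        if local_uid is None:
            problems.append((name, "no local account"))
        elif local_uid != ldap_uid:
            problems.append((name, f"uid {local_uid} != uidNumber {ldap_uid}"))
        elif cls != login_class:
            problems.append((name, f"login class {cls!r} != {login_class!r}"))
    return problems
```

On a real host, feed it the output of ldapsearch for the same base DN and filter as in the configuration, plus the contents of /etc/master.passwd.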

If we want to give the user admin privileges, we need to add it to the wheel group, so it can become root locally. If we also want this user to be able to use sudo, it must be referenced in the /etc/sudoers file.