Authenticate OpenBSD users on QNAP LDAP

I wanted to share user authentication and permissions between the QNAP TS-453mini and my OpenBSD servers. One option is to enable and manage the LDAP server on the QNAP and configure OpenBSD 6.0 to authenticate users against that remote LDAP service.

Setting up authentication

The first thing to do is to enable and populate the LDAP server on the QNAP QTS 4.2. This is quite straightforward and I won't describe it here. The important thing is how the directory is organized:

# tumfatig.net
dn: dc=tumfatig,dc=net
dc: tumfatig
objectClass: domain

# people, tumfatig.net
dn: ou=people,dc=tumfatig,dc=net
ou: people
objectClass: organizationalUnit

# group, tumfatig.net
dn: ou=group,dc=tumfatig,dc=net
ou: group
objectClass: organizationalUnit

When managed from the graphical interface, users and groups look like this:

# Domain Users, group, tumfatig.net
dn: cn=Domain Users,ou=group,dc=tumfatig,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: sambaIdmapEntry
objectClass: apple-group
cn: Domain Users
gidNumber: 1000000
sambaGroupType: 2
sambaSID: S-1-5-21-3847125316-3825622280-2691688412-3000
displayName: Domain Users
description: default user group
memberUid: user1
memberUid: user2

# user1, people, tumfatig.net
dn: uid=user1,ou=people,dc=tumfatig,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: sambaIdmapEntry
objectClass: apple-user
cn: user1
sn: user1
uid: user1
uidNumber: 1000005
gidNumber: 1000000
userPassword:: secret=
homeDirectory: /home/user1
gecos: Test User 1
shadowLastChange: 17051
shadowMin: 100000
shadowMax: 99999
shadowWarning: 7
shadowExpire: -1
shadowInactive: 0
shadowFlag: 0
displayName: user1
sambaSID: S-1-5-21-3883165316-3274086340-2626348712-1025
sambaLMPassword: 03A59SS013D3K75D591548B643632432
sambaNTPassword: 44K6X43DE66SCA5C41J52D1DD3B2F779
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1473240496
sambaAcctFlags: [U ]
sambaKickoffTime: 0
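Before pointing OpenBSD at the directory, it is worth checking an LDIF export of it for the things the rest of this setup depends on. The following sh(1) script is an added example, not part of the original post or of QNAP's tooling: it unfolds LDIF continuation lines (long values such as sambaPasswordHistory above are wrapped onto a line starting with a space), then warns about posixAccount entries missing an attribute the OpenBSD side needs, about LM hashes, about memberUid values that name no account, and about primary gidNumbers no posixGroup owns. The attribute names are the ones shown above; the sample LDIF is constructed from that listing and deliberately contains one defect of each kind.

```sh
#!/bin/sh
# Added example, not from the original post: audit an LDIF export of the
# QNAP directory. Usage: audit_ldif < export.ldif ("sample" runs it on the
# constructed data below). Exit status is non-zero if anything was flagged.

audit_ldif() {
    awk '
    BEGIN { na = 0; ng = 0; warned = 0 }
    /^ /  { buf = buf substr($0, 2); next }            # continuation line: unfold
          { if (seen) handle(buf); buf = $0; seen = 1 }
    END   { if (seen) handle(buf); flush(); report(); exit (warned > 0) }

    function warn(msg) { print "WARN " msg; warned++ }

    # One logical LDIF line: record dn, objectClass, memberUid, other attributes.
    function handle(line,   i, k, v) {
        if (line == "") { flush(); return }            # blank line ends the entry
        if (line ~ /^#/) return                        # LDIF comment
        i = index(line, ":"); if (i == 0) return
        k = substr(line, 1, i - 1); v = substr(line, i + 1)
        sub(/^:? */, "", v)                            # "::" marks base64; strip it too
        if (k == "dn") dn = v
        else if (k == "objectClass") oc[v] = 1
        else if (k == "memberUid") members = members " " v
        else attr[k] = v
    }

    # End of an entry: check accounts, remember groups, reset state.
    function flush(   j, n, req) {
        if (dn == "") return
        if ("posixAccount" in oc) {
            na++
            # attributes login_ldap/ypldap need to build a passwd line
            n = split("uid uidNumber gidNumber homeDirectory", req, " ")
            for (j = 1; j <= n; j++)
                if (!(req[j] in attr)) warn("missing-" req[j] " " dn)
            if ("sambaLMPassword" in attr) warn("lm-hash " dn)
            if ("uid" in attr) accounts[attr["uid"]] = dn
            if ("gidNumber" in attr) acctgid[dn] = attr["gidNumber"]
        }
        if ("posixGroup" in oc) {
            ng++
            groups[dn] = members
            if ("gidNumber" in attr) gids[attr["gidNumber"]] = 1
        }
        dn = ""; members = ""
        split("", oc); split("", attr)
    }

    # Cross-entry checks once the whole export has been read.
    function report(   g, a, m, n, j) {
        for (g in groups) {
            n = split(groups[g], m, " ")
            for (j = 1; j <= n; j++)
                if (!(m[j] in accounts)) warn("unknown-member " m[j] " " g)
        }
        for (a in acctgid)
            if (!(acctgid[a] in gids)) warn("unknown-primary-gid " acctgid[a] " " a)
        print "checked " na " accounts, " ng " groups"
    }
    '
}

# Constructed sample, condensed from the listing above: user3 has no entry,
# user2 lacks homeDirectory and points at a gidNumber no group has.
SAMPLE_LDIF='dn: ou=people,dc=tumfatig,dc=net
ou: people
objectClass: organizationalUnit

dn: cn=Domain Users,ou=group,dc=tumfatig,dc=net
objectClass: posixGroup
cn: Domain Users
gidNumber: 1000000
memberUid: user1
memberUid: user2
memberUid: user3

dn: uid=user1,ou=people,dc=tumfatig,dc=net
objectClass: posixAccount
objectClass: sambaSamAccount
uid: user1
uidNumber: 1000005
gidNumber: 1000000
userPassword:: secret=
homeDirectory: /home/user1
sambaLMPassword: 03A59SS013D3K75D591548B643632432
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000

dn: uid=user2,ou=people,dc=tumfatig,dc=net
objectClass: posixAccount
uid: user2
uidNumber: 1000006
gidNumber: 1000001'

case "${1:-}" in
    sample) printf '%s\n' "$SAMPLE_LDIF" | audit_ldif ;;
esac
```

The lm-hash warning is the one to take seriously: sambaLMPassword means the NAS keeps LAN Manager hashes, which are trivially crackable, and sambaNTPassword is password-equivalent for SMB. Whoever can read those attributes owns the accounts, so the service account used for binding below should not be able to.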

When all the users and groups are created in LDAP, the OpenBSD server can be configured.

First of all, install the `login_ldap` package and configure the login process:

# pkg_add login_ldap
# vim /etc/login.conf
(...)
ldap:\
        :auth=-ldap:\
        :x-ldap-server=qnap.tumfatig.net,,ssl:\
        :x-ldap-binddn=uid=srv_account,ou=people,dc=tumfatig,dc=net:\
        :x-ldap-bindpw=secret:\
        :x-ldap-basedn=ou=people,dc=tumfatig,dc=net:\
        :x-ldap-filter=(&(objectClass=posixAccount)(uid=%u)):\
        :x-ldap-groupdn=ou=group,dc=tumfatig,dc=net:\
        :x-ldap-groupfilter=(&(objectClass=posixGroup)(memberUid=%u)):\
        :tc=default:

# cap_mkdb /etc/login.conf

You can check that the LDAP configuration is correct using the following command. It prompts for user1's password, and a successful run ends with the group filter matching and `authorize`:

# /usr/libexec/auth/login_-ldap -d -s login user1 ldap
(...)
userdn uid=user1,ou=people,dc=tumfatig,dc=net
user bind success!
(...)
group filter matched!
authorize

Note that the account used for the initial bind/search does not need to be the LDAP admin: a dedicated, read-only service account is enough, and it is the better choice because its password sits in clear text in /etc/login.conf. Keep in mind that the directory also stores sambaLMPassword and sambaNTPassword for every user, and the NT hash is password-equivalent for SMB, so the service account should not be able to read those attributes. Finally, `ssl` in x-ldap-server only guarantees an encrypted connection; whether the server certificate is verified, and against which CA, depends on the login_ldap version, so check login_ldap(8) before trusting it across an untrusted network.

Add the YP markers to passwd and group files:

# echo '+:*::::::::' >> /etc/master.passwd
# pwd_mkdb -p /etc/master.passwd
# echo '+:*::' >> /etc/group

Set the YP domain:

# echo 'tumfatig.net' > /etc/defaultdomain
# domainname tumfatig.net

Then, configure the YP / LDAP mapping daemon:

# cp /etc/examples/ypldap.conf /etc/
# chmod 0600 /etc/ypldap.conf

--- /etc/examples/ypldap.conf   Tue Jul 26 20:47:31 2016
+++ /etc/ypldap.conf    Wed Sep  7 22:21:57 2016
@@ -2,3 +2,3 @@

-domain         "example.com"
+domain         "tumfatig.net"
 interval       60
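Review bot: `domain "tumfatig.net"` has to be exactly the NIS domain set with `domainname` and `/etc/defaultdomain` earlier on this page, or ypbind(8) will never bind to this ypldap instance. Also note the unchanged `interval 60`: ypldap re-reads the directory every 60 seconds, so a user or a group membership removed on the QNAP can linger in the maps for up to a minute, which matters when a group is the only gate.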
@@ -10,9 +10,9 @@

-directory "127.0.0.1" {
+directory "qnap.tumfatig.net" {
        # directory options
-       binddn "cn=admin,dc=example,dc=com"
-       bindcred "secret"
-       basedn "dc=example,dc=com"
+       binddn "uid=srv_account,ou=people,dc=tumfatig,dc=net"
+       bindcred "secret"
+       basedn "dc=tumfatig,dc=net"
        # starting point for groups directory search, default to basedn
-       #groupdn "ou=Groups,dc=example,dc=com"
+       #groupdn "ou=group,dc=tumfatig,dc=net"

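Review bot: the `directory "qnap.tumfatig.net"` line names the host but neither a port nor a transport, so ypldap(8) uses its default plain LDAP port and the password on the `bindcred` line, plus every attribute of every account, crosses the network unencrypted; check ypldap.conf(5) for your release and add the `ldaps` or `tls` keyword on the `directory` line if it is offered, to match the `ssl` already used in login.conf. The clear-text `bindcred` is the reason for the `chmod 0600` above, and reusing `srv_account` from login.conf is fine as long as it stays a read-only account. Leaving `groupdn` commented out is correct here: with it unset the group search starts at `basedn`, which contains `ou=group`.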
@@ -27,6 +27,6 @@
        attribute home maps to "homeDirectory"
-       attribute shell maps to "loginShell"
+       fixed attribute shell "/bin/ksh"
        fixed attribute change "0"
        fixed attribute expire "0"
-       fixed attribute class ""
+       fixed attribute class "ldap"

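Review bot: `fixed attribute class "ldap"` is what routes every directory account through the `ldap` login class, so it must be spelled exactly as the class defined in /etc/login.conf; otherwise the default class applies, the `*` password field is checked and every login fails. Replacing `attribute shell maps to "loginShell"` with `fixed attribute shell "/bin/ksh"` hands every QNAP user an interactive shell on this host whether or not they were meant to have one (the QNAP entries above carry no loginShell at all); if only some accounts should log in, keep sshd's `AllowGroups` or a narrower `x-ldap-groupfilter` as the gate. `fixed attribute change "0"` and `fixed attribute expire "0"` mean the shadow* values in LDAP are ignored locally: password ageing and expiry are whatever the QNAP enforces, nothing more.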
Finally, start the daemons:

# rcctl enable portmap
# rcctl start portmap
portmap(ok)
# rcctl enable ypldap
# rcctl start ypldap
ypldap(ok)
# rcctl enable ypbind
# rcctl start ypbind
ypbind(ok)

If everything works well, you can see the LDAP users and groups:

# getent passwd | tail
_radiusd:*:105:105:RADIUS Daemon:/var/empty:/sbin/nologin
_eigrpd:*:106:106:EIGRP Daemon:/var/empty:/sbin/nologin
_vmd:*:107:107:VM Daemon:/var/empty:/sbin/nologin
_tftp_proxy:*:108:108:tftp proxy daemon:/nonexistent:/sbin/nologin
_ftp_proxy:*:109:109:ftp proxy daemon:/nonexistent:/sbin/nologin
_sndiop:*:110:110:sndio privileged user:/var/empty:/sbin/nologin
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
user1:*:1000001:1000000:user1:/home/user1:/bin/ksh
user2:*:1000002:1000000:user2:/home/user2:/bin/ksh
user3:*:1000005:1000000:user3:/home/user3:/bin/ksh

# getent group | tail
_ftp_proxy:*:109
_sndiop:*:110
dialer:*:117
nogroup:*:32766
nobody:*:32767
Domain Users:*:1000000:user1,user2,user3
SSH Allowed:*:1000005:user3

LDAP users can now log in, and applications can restrict access using the LDAP groups. For example, OpenSSH can be limited to members of one group; the quotes are needed because the group name contains a space:

# vim /etc/ssh/sshd_config
(...)
AllowGroups "SSH Allowed"

Note that LDAP users won't have their home directories automatically created on the OpenBSD server. But those are created on the QNAP, under the "/homes" share. If you allow NFS sharing on the QNAP, that directory can be used to host the users' files from OpenBSD, either manually or by using amd(8). Since both machines take uidNumber and gidNumber from the same directory, file ownership lines up on the mount without any mapping; with plain NFS (AUTH_SYS) the QNAP trusts whatever UID the client presents, so restrict the export to the OpenBSD host:

# mkdir /home/user3
# mount -t nfs qnap:/homes/user3 /home/user3
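Once the daemons are up, a few things are easy to get wrong and cheap to verify: the YP markers in /etc/master.passwd and /etc/group, the mode of /etc/ypldap.conf, which of the YP-sourced accounts still lack a home directory on this host, and who the "SSH Allowed" group really contains before relying on AllowGroups. The following sh(1) script is an added example, not part of the original post: the paths and the 1000000 UID floor are assumptions taken from the listings above, and the sample getent output is constructed from them. `report` runs the checks against the live system; the functions also work on any getent-style input, which is what the sample mode uses.

```sh
#!/bin/sh
# Added example, not from the original post: post-install checks for the
# login_ldap + ypldap setup. Usage: "./check.sh report" on the OpenBSD host,
# "./check.sh sample" to run the getent-based functions on constructed data.

LDAP_UID_MIN=${LDAP_UID_MIN:-1000000}   # lowest uidNumber the QNAP hands out (assumed)

# has_yp_marker FILE MARKER: true if FILE contains the exact YP inclusion line.
# master.passwd needs all ten fields ("+:*::::::::"), group needs four ("+:*::").
# -F matters: read as a regex, "+:*" would also match "+" followed by any colons.
has_yp_marker() {
    grep -qxF -- "$2" "$1" 2>/dev/null
}

# is_mode FILE MODE: true if FILE has exactly the octal MODE. ypldap.conf
# carries the bind password in clear text, so it must be 0600.
is_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# ldap_users: getent passwd lines on stdin -> "user:home" for every account
# whose uid is in the directory range (served by YP, not from master.passwd).
ldap_users() {
    awk -F: -v min="$LDAP_UID_MIN" '$3 >= min { print $1 ":" $6 }'
}

# missing_homes: getent passwd lines on stdin -> "user home" for each LDAP
# user whose home directory does not exist locally. The QNAP only creates
# them under its /homes share, so each one needs a mkdir or an NFS mount here.
missing_homes() {
    ldap_users | while IFS=: read -r user home; do
        [ -d "$home" ] || printf '%s %s\n' "$user" "$home"
    done
}

# group_members GROUP: getent group lines on stdin -> members of GROUP, one
# per line. Confirms who an sshd AllowGroups rule will actually admit.
group_members() {
    awk -F: -v g="$1" \
        '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# check DESCRIPTION COMMAND...: print ok/FAIL for one check.
check() {
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fi
}

# report: run everything against the live system.
report() {
    check "master.passwd has the YP marker" has_yp_marker /etc/master.passwd '+:*::::::::'
    check "group has the YP marker"         has_yp_marker /etc/group '+:*::'
    check "ypldap.conf is mode 0600"        is_mode /etc/ypldap.conf 0600
    echo "LDAP users without a local home directory:"
    getent passwd | missing_homes
    echo 'Members of "SSH Allowed" (what AllowGroups will admit):'
    getent group | group_members "SSH Allowed"
}

# Constructed sample, condensed from the getent output in the post.
SAMPLE_PASSWD='nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
user1:*:1000001:1000000:user1:/home/user1:/bin/ksh
user2:*:1000002:1000000:user2:/home/user2:/bin/ksh
user3:*:1000005:1000000:user3:/home/user3:/bin/ksh'
SAMPLE_GROUP='nobody:*:32767
Domain Users:*:1000000:user1,user2,user3
SSH Allowed:*:1000005:user3'

case "${1:-}" in
    report) report ;;
    sample) printf '%s\n' "$SAMPLE_PASSWD" | missing_homes
            printf '%s\n' "$SAMPLE_GROUP" | group_members "SSH Allowed" ;;
esac
```

Running `missing_homes` on the real getent output right after the daemons start is a good habit: an account that the QNAP admin adds later shows up in the maps within the refresh interval but gets no home directory, and the login then lands in `/`.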

And that’s all. What’s nice is that, now, any daemon can authenticate the LDAP users without even knowing about the LDAP protocol. Enjoy!
