This is a very incomplete work in progress.
Since 4.8, OpenBSD ships its own small ldapd(8) with just what is needed for user authentication (currently working with ownCloud and WordPress). The notes below use the OpenLDAP port instead.
    $ sudo pkg_add openldap-server
    # /etc/openldap/slapd.conf
    ...
    pidfile  /var/run/slapd.pid
    argsfile /var/run/slapd.args
    ...
    suffix   "dc=narf,dc=net"
    rootdn   "cn=Manager,dc=narf,dc=net"
    rootpw   {SSHA}SEE_BELOW
The rootpw hash is generated with slappasswd(8); paste its output in place of SEE_BELOW, so slapd.conf only ever holds the hash, never the cleartext:

    $ /usr/local/sbin/slappasswd
    New password:
    Re-enter new password:
    {SSHA}SEE_BELOW
The pid and args files in /var/run have to be created beforehand and handed to the _openldap user: slapd is started with -u _openldap (see rc.conf.local below) and cannot create files in the root-owned /var/run itself.

    $ sudo touch /var/run/slapd.{pid,args}
    $ sudo chown _openldap:_openldap /var/run/slapd.{pid,args}
    # /etc/rc.local
    ...
    if [ "$slapd_flags" != "NO" -a -x /usr/local/libexec/slapd ]; then
            install -d -o _openldap /var/run/openldap
            /usr/local/libexec/slapd $slapd_flags
            echo -n ' slapd'
    fi
    # /etc/rc.conf.local
    ...
    slapd_flags="-u _openldap"   # -h ldap:// ldaps://

Without -h, slapd listens on ldap:// (port 389) only. Adding ldaps:// also needs TLSCertificateFile and TLSCertificateKeyFile in slapd.conf; until then every simple bind, the Manager's included, sends its password in the clear.
    $ sudo pkg_add openldap-client
    # /etc/openldap/ldap.conf
    ...
    BASE dc=narf, dc=net
    URI  ldap://ldap.narf.ssji.net   # I'd like to *really* have narf.net...
Check that the server answers (this is an anonymous simple bind, so it only shows what anonymous is allowed to read):

    $ ldapsearch -x -b 'dc=narf,dc=net' '(objectclass=*)'
Add both files to /etc/changelist so the daily security(8) run reports changes to them. The leading + makes it report slapd.conf by checksum only, without printing the diff, which keeps the rootpw hash out of the daily mail:

    # /etc/changelist
    ...
    +/etc/openldap/slapd.conf
    /etc/openldap/ldap.conf
Last time this solution was tried on the machine that runs the LDAP server itself, it resulted in lockups at boot: the system hung trying to fetch user entries from the LDAP server, which had not started yet.
This gist in Python, openldap_passwd, produces the same kind of {SSHA} hash without slappasswd:

    >>> import openldap_passwd
    >>> openldap_passwd.make_secret("correcthorsebatterystaples")
    '{SSHA}A+DN5tKvr8YNPoh9RCDxQ1m2ZqOu8O7z'
The hash is then written into the user's entry with ldapmodify(1), binding as the rootdn from slapd.conf:

    $ ldapmodify -x -W -D "cn=Manager,dc=narf,dc=net" <<EOF
    dn: cn=Alice, ou=Users, o=example, c=com
    changetype: modify
    replace: userPassword
    userPassword: {SSHA}A+DN5tKvr8YNPoh9RCDxQ1m2ZqOu8O7z
    EOF
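As an added example (not the gist's code and not part of these notes or of OpenLDAP), here is what a make_secret of this kind does, together with the verification side slapd performs and a small helper that emits the LDIF fed to ldapmodify above. The names make_secret, check_secret, split_secret and password_ldif are this example's own. The format is the one slapd's liblutil reads: {SHA} is base64 of sha1(password), {SSHA} is base64 of sha1(password + salt) followed by the salt; slappasswd writes a 4-byte random salt, and a verifier treats everything after the 20-byte digest as the salt.

```python
"""Generate and verify OpenLDAP-style {SSHA}/{SHA} userPassword values.

Added example for these notes: not the openldap_passwd gist, not OpenLDAP
code.  Function names are this example's own.

Stored form (as slapd's liblutil reads it):
    {SHA}  base64( sha1(password) )
    {SSHA} base64( sha1(password + salt) + salt )
slappasswd uses a 4-byte random salt; a verifier accepts any salt of at
least one byte, because everything after the 20-byte digest is the salt.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20


def make_secret(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value for password; random 4-byte salt unless one is given."""
    if salt is None:
        salt = os.urandom(4)          # same salt size slappasswd uses for {SSHA}
    if not salt:
        raise ValueError("salt must be at least one byte for {SSHA}")
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_secret(secret: str) -> Tuple[str, bytes, bytes]:
    """Split '{SCHEME}base64' into (scheme, digest, salt); salt is b'' for {SHA}."""
    if not secret.startswith("{") or "}" not in secret:
        raise ValueError("missing {scheme} prefix")
    scheme, _, b64 = secret[1:].partition("}")
    scheme = scheme.upper()
    raw = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    if scheme == "SHA":
        if len(raw) != SHA1_LEN:
            raise ValueError("{SHA} value is not a SHA-1 digest")
        return scheme, raw, b""
    if scheme == "SSHA":
        if len(raw) <= SHA1_LEN:
            raise ValueError("{SSHA} value carries no salt")
        return scheme, raw[:SHA1_LEN], raw[SHA1_LEN:]
    raise ValueError("unsupported scheme {%s}" % scheme)


def check_secret(password: str, secret: str) -> bool:
    """Verify password against a stored {SHA}/{SSHA} value; malformed values fail closed."""
    try:
        _, digest, salt = split_secret(secret)
    except ValueError:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def password_ldif(dn: str, secret: str) -> str:
    """LDIF that replaces userPassword on dn, i.e. what is piped into ldapmodify."""
    if not secret.startswith("{"):
        raise ValueError("refusing to store a cleartext userPassword")
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        "userPassword: %s\n" % (dn, secret)
    )


if __name__ == "__main__":
    s = make_secret("correcthorsebatterystaples")
    print(s)                                              # new salt, new value each run
    print(check_secret("correcthorsebatterystaples", s))  # True
    print(check_secret("correcthorsebatterystaple", s))   # False
    # dn below is a made-up example entry, not one from the notes
    print(password_ldif("cn=Alice,ou=Users,dc=narf,dc=net", s))
```

{SSHA} is SHA-1 with a 4-byte salt and no work factor: the salt stops precomputed tables, nothing slows an offline guess. It is what slappasswd and these notes default to, but on a current slapd the {CRYPT} scheme with a bcrypt crypt(3) (which OpenBSD's libc provides; see password-crypt-salt-format in slapd.conf) or the contrib pw-pbkdf2 module is the better choice for userPassword.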