3. How to integrate Active Directory with OpenBSD using ypldap and login_ldap?

How to integrate Active Directory with OpenBSD using ypldap and login_ldap?

Like you mentioned, the first kind-of problem in doing this with OpenBSD is that Kerberos is gone as of April 25, 2014. From the commit ... :

The complexity and quality of kerberosV and the fact that almost nobody is using it doesn't justify to have it in base - disable and remove it. If the 2 two people who use it still want it, they can make a port or recompile OpenBSD on their own.

There is a quote in theo.c from August 2010: "basically, dung beetles fucking. that's what kerberosV + openssl is like".

Discussed with many. Tests by henning@ reyk@ and others. ok deraadt@ henning@

That said, there's nothing stopping you from building it yourself from source.

Essentially, you have three basic requirements here to accomplish this ... :

  1. get ldap working ... maybe something like this
  2. build kerberos client from source
  3. build (if not available) msktutil and use that join an AD domain and get Kerberos data from AD

If you can get that sorted, the other things you'll want to look at are ... :

  • prompting for Kerberos ticket renewal as required instead of just bombing out
  • destroying Kerberos credentials on logout
  • forwarding credentials via SSH (if you need that sort of thing)
  • prompting for initial password change on first login
  • being able to change your own AD password, in general, and noone elses ...
  • Kerberos-backed NFSv4 ... you'll envy the dead while you find your way through this

Unfortunately, I've never done this with OpenLDAP. RHEL\Centos and Debian, all the time. So, my knowledge is limited at best.

Best of luck.

/r/sysadmin Thread
Previous
Next

Recently removed from /r/sysadmin

I know of a crazy vulnerable Exchange server at my old work. What to do? Details inside. Intune Windows LAPS - Configuration Profile Applies Successfully, Yet Nothing Happens...Why? Woman starting in IT next month. Should I be worried or not? How to run a meaningful CyberSecurity Risk Workshop/Assesment Amazon Outage I don't know what I'm doing and I need help What's the point of using BitLocker with TPM instead of password when someone can always access your computer without entering a password on boot? How many of you despise IoT? Onboarding 1200 New Users - how to communicate passwords? Gen Z also doesn't understand desktops. after decades of boomers going "Y NO WORK U MAKE IT GO" it's really, really sad to think the new generation might do the same thing to all of us Modern SQL Express Backup Solution [GA] Employee claims she can't use Microsoft Windows for "Religious Reasons" So I got a "correctional talk" yesterday. Rant about new age "senior" IT "specialists" who don't know how to wipe their butt. Do you think remote work is slowly dying? Most companies seem to be pushing RTO, even big tech you folks think ?

More Random Comments

I guess it's our fault for wanting representation in a capitalist society For coming to my ex house uninvited. Deku: "Ok there's no way at masters 1 I should be getting PLAT supports on my team in comp, wtf is this matchmaking ??????" Not walking a girl to her car Depanneur on Wythe & N. 3rd in Williamsburg has been ripping off customer 22-28% in hidden surcharges. Corporate greed is out of control For people who have SO’s in different continents, how long are your stays? And where do you draw a line for minimum days to stay with them? Weekly /r/Breadit Questions thread Fragrances that YOU hate, but that others like on you? Can a method assert that a field is not null afterwards? Daily Discussion - (October 18, 2022) How can he make comments when he was not even there for the committee hearings on inflation? Activision Blizzard why? Who Would Win? Trained Fighter vs. Heavy Untrained Person in Fight What’s your favorite imaginary rapid name?