
From: Chaz Kettleson <chaz@pyr3x.com>
Subject: Re: invalid login_ldap.conf example
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
Cc: tech@openbsd.org
Date: Mon, 16 Feb 2026 11:57:33 -0500

On Mon, Feb 16, 2026 at 04:20:40PM +0100, Claudio Jeker wrote:
> On Mon, Feb 16, 2026 at 09:49:54AM -0500, Chaz Kettleson wrote:
> > Hello,
> > 
> > I've been playing with setting up LDAP with ldapd(8) for authentication.
> > Using the example login_ldap.conf there is a colon and line continuation
> > between binddn and bindpw. Initially I thought this was for a
> > 'user:password' setup, but it appears that is not the case. I've been
> > able to get it to work by removing the ':\'. Adding 'ldap' as an
> > authentication style in login.conf, authentication succeeds.
> > 
> > While we are here, update the example to be more in line with other
> > examples using "example.com". Also, use posixAccount/uid instead of the
> > more AD specific user/sAMAccountName. This is also in line with what the
> > example ypldap.conf uses.
> > 
> > -- 
> > Chaz
> > 
> > diff --git i/etc/examples/login_ldap.conf w/etc/examples/login_ldap.conf
> > index 4f4e9381b4b..ab5f7203d15 100644
> > --- i/etc/examples/login_ldap.conf
> > +++ w/etc/examples/login_ldap.conf
> > @@ -2,7 +2,7 @@ host=ldap+tls://1.2.3.4:8389
> >  host=ldap://localhost
> >  cacert=/etc/ssl/ca-ldap.pem
> >  scope=sub
> > -basedn=dc=openbsd,dc=org
> > -binddn=cn=admin,dc=openbsd,dc=org:\
> > +basedn=dc=example,dc=com
> > +binddn=cn=admin,dc=example,dc=com
> >  bindpw=password
> > -filter=(&(objectClass=user)(sAMAccountName=%u))
> > +filter=(&(objectClass=posixAccount)(uid=%u))
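Review bot: the functional fix in this hunk is the one-character removal of the trailing `:\` from `binddn=cn=admin,dc=openbsd,dc=org:\`; if `\` is a line continuation in this format, as the report says, the following `bindpw=password` line is folded into the binddn value instead of being read as its own key, which matches the observation that deleting `:\` made authentication succeed. The basedn rename and the filter swap are cosmetic by comparison, so the log message should name that continuation bug explicitly rather than just "update the example".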
> > 
> 
> This file format supports comments with '#' so maybe the example file
> should include both filters with a comment.
> Apart from the OK from me.
> 
> -- 
> :wq Claudio
> 

Sure.

-- 
Chaz

diff --git i/etc/examples/login_ldap.conf w/etc/examples/login_ldap.conf
index 4f4e9381b4b..3254fc26d59 100644
--- i/etc/examples/login_ldap.conf
+++ w/etc/examples/login_ldap.conf
@@ -2,7 +2,10 @@ host=ldap+tls://1.2.3.4:8389
 host=ldap://localhost
 cacert=/etc/ssl/ca-ldap.pem
 scope=sub
-basedn=dc=openbsd,dc=org
-binddn=cn=admin,dc=openbsd,dc=org:\
+basedn=dc=example,dc=com
+binddn=cn=admin,dc=example,dc=com
 bindpw=password
-filter=(&(objectClass=user)(sAMAccountName=%u))
+# Filter for RFC 2307 POSIX accounts
+filter=(&(objectClass=posixAccount)(uid=%u))
+# Filter for Microsoft Active Directory accounts
+#filter=(&(objectClass=user)(sAMAccountName=%u))
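Review bot: with the AD alternative placed directly under the active line, a reader who uncomments `#filter=(&(objectClass=user)(sAMAccountName=%u))` without also commenting out `filter=(&(objectClass=posixAccount)(uid=%u))` ends up with two `filter=` entries, and nothing in the file says which one wins. Make the comment explicit, e.g. `# Alternative for Active Directory; use instead of the filter above`. While here, `bindpw=password` is a cleartext bind credential, so a one-line comment that the file must not be world-readable would not hurt.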
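The following is an added worked example and is not OpenBSD code or anything posted in this thread. It is a small Python parser for a login_ldap.conf-style file (key=value lines, `#` comments, trailing-backslash continuation) written to show the effect the thread describes: feed it the old example and the `:\` folds `bindpw=password` into the binddn value, so no bindpw key exists; feed it the revised example and the keys come out separately. The continuation and comment rules are assumptions for illustration, not the real login_ldap.conf(5) grammar. The `%u` substitution with RFC 4515 escaping is the example's own addition and says nothing about what login_ldap(8) itself does; it is there because any code that puts a user-supplied name into a search filter needs it.

```python
"""Toy parser for a login_ldap.conf-style file (added example, not OpenBSD code).

Assumed rules: '#' at the start of a line is a comment, a line ending in a
backslash continues on the next physical line, repeated keys are kept in
order. Consult login_ldap.conf(5) for the real grammar."""

from __future__ import annotations

# Constructed copy of the old example file from the thread (note the ':\').
OLD_EXAMPLE = """\
host=ldap+tls://1.2.3.4:8389
host=ldap://localhost
cacert=/etc/ssl/ca-ldap.pem
scope=sub
basedn=dc=openbsd,dc=org
binddn=cn=admin,dc=openbsd,dc=org:\\
bindpw=password
filter=(&(objectClass=user)(sAMAccountName=%u))
"""

# Constructed copy of the revised example file from the thread.
NEW_EXAMPLE = """\
host=ldap+tls://1.2.3.4:8389
host=ldap://localhost
cacert=/etc/ssl/ca-ldap.pem
scope=sub
basedn=dc=example,dc=com
binddn=cn=admin,dc=example,dc=com
bindpw=password
# Filter for RFC 2307 POSIX accounts
filter=(&(objectClass=posixAccount)(uid=%u))
# Filter for Microsoft Active Directory accounts
#filter=(&(objectClass=user)(sAMAccountName=%u))
"""


def parse_conf(text: str) -> dict[str, list[str]]:
    """Return {key: [values...]} with the assumed continuation/comment rules."""
    conf: dict[str, list[str]] = {}
    logical = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            logical += raw[:-1]  # drop the backslash and keep joining
            continue
        logical += raw
        line, logical = logical.strip(), ""
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        conf.setdefault(key.strip(), []).append(value.strip())
    if logical.strip():
        raise ValueError("file ends inside a line continuation")
    return conf


def bind_credentials(conf: dict[str, list[str]]) -> tuple[str | None, str | None]:
    """Last binddn/bindpw seen, or None when the key is absent."""
    dn = conf.get("binddn", [None])[-1]
    pw = conf.get("bindpw", [None])[-1]
    return dn, pw


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_filter(conf: dict[str, list[str]], username: str) -> str:
    """Substitute the login name for %u in the (last) filter= entry, escaped."""
    template = conf["filter"][-1]
    return template.replace("%u", escape_filter_value(username))


if __name__ == "__main__":
    for label, text in (("old", OLD_EXAMPLE), ("new", NEW_EXAMPLE)):
        conf = parse_conf(text)
        print(label, "binddn/bindpw:", bind_credentials(conf))
        print(label, "filter for 'chaz':", build_filter(conf, "chaz"))
    print("hostile name:", build_filter(parse_conf(NEW_EXAMPLE), "*)(uid=*"))
```

With the old file the parser reports binddn `cn=admin,dc=openbsd,dc=org:bindpw=password` and no bindpw at all, which is the shape of failure the report describes; with the revised file both keys are present. The last line shows why substitution into a filter template must escape: without it `*)(uid=*` would turn the `uid=%u` clause into a wildcard match.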