On 2022/05/20 16:27, helmut.kiessl...@btinternet.com wrote:
> Hi Stuart,
> 
> Thanks for pointing out login.conf - indeed ldap was for some reason missing
> which is odd as in 70 it was automatically added there when the package was
> installed?

Nothing has ever been automatically added to login.conf when installing
a package. (And it shouldn't be automatically changed on upgrade unless
the file was unmodified).

The main thing that could account for this is if you ran sysmerge and
selected the option to install a new file overwriting the old.

>          Anyway I added it there but still the same error "sshd: ldap:
> unknown class". 

I think most likely you have an /etc/login.conf.db file which hasn't been
updated to match the addition. I suggest removing it completely, it mostly
just gets in the way, it is not like it takes very long to parse on a
modern computer.

> I'm using this "login_ldap-3.51p8".  I included login.conf and masked
> company and hostnames.

Config looks right for the login_ldap package. Though you may like to
switch to the login_ldap version which is in OpenBSD base; I don't like
relying on ports for things affecting login if you can help it. If you
want to do that, you can use config like this - in login.conf

ldap:\
        :auth=ldap:\
        :tc=daemon:

and in login_ldap.conf

host=ldaps://hostname.company.com
basedn=dc=company,dc=com
filter=(&(objectclass=posixAccount)(uid=%u))
timeout=5
scope=sub
cacert=/etc/openldap/certs/company-ca.pem
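
A sketch of the stale-database check suggested above, added here as an example and not part of the original message. The function name `check_login_class` and its return codes are made up for illustration; it relies on the getcap(3) behaviour that a `login.conf.db`, when present, is read in preference to the text file.

```shell
#!/bin/sh
# Added diagnostic sketch (hypothetical helper, not from the original message).
# check_login_class CLASS [CONF]
#   return 0: CLASS is defined in CONF and no stale CONF.db shadows it
#   return 1: CLASS is not defined in CONF
#   return 2: CONF.db exists and is older than CONF (stale database)
#   return 3: CONF is missing or unreadable
# CLASS is expected to be a plain name (letters, digits, '-', '_').
check_login_class() {
    class=$1
    conf=${2:-/etc/login.conf}
    db="$conf.db"

    [ -r "$conf" ] || { echo "$conf: not readable" >&2; return 3; }

    # A record starts in column 0; its names are separated by '|' and the
    # name list ends at the first ':'. Capability lines are indented and
    # start with ':', so ":auth=ldap:" does not count as a definition.
    if ! grep -Eq "^([^:|#]+\|)*${class}[|:]" "$conf"; then
        echo "class '$class' is not defined in $conf" >&2
        return 1
    fi

    # A .db older than the text file still carries the old class list,
    # which produces "unknown class" even though CONF looks correct.
    if [ -e "$db" ] && [ "$db" -ot "$conf" ]; then
        echo "$db is older than $conf: remove it, or rebuild it with cap_mkdb $conf" >&2
        return 2
    fi
    return 0
}
```

Run as `check_login_class ldap` on the affected host; a return code of 2 corresponds to the situation described in the reply.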
