From: Predrag Punosevac
To: freebsd-questions@freebsd.org
Date: Sat, 24 Jun 2017 08:22:07 -0400
Subject: Re: LDAP Authentication and Authorization
Message-ID: <20170624122207.I6hhRqP9F%punosevac72@gmail.com>

Hi Folks,

Just to post the solution for the people who might stumble on my original post. I had a permission problem on the LDAP server certificate file, which could not be read by the nslcd daemon. The original nslcd.conf file I posted is also not quite correct, so this is the complete how-to.

Note that you don't have to have openldap-client working at all to be able to authorize and authenticate to a FreeBSD server using an LDAP account only (ldapsearch will not work though).

The most effective way to use the PAM approach is to

pkg install nss-pam-ldapd
cd /usr/local/etc/

Edit the nslcd.conf file to use the OpenLDAP server-side certificate to get user credentials.
root@hera:/usr/local/etc # more nslcd.conf
uid nslcd
gid nslcd
uri ldap://atlas.int.autonlab.org
base dc=autonlab,dc=org

# StartTLS
ssl start_tls

# CA certificates for server certificate verification
tls_cacertdir /usr/local/etc/nslcd-certs
tls_cacertfile /usr/local/etc/nslcd-certs/ca.crt

Note that nslcd runs as the nslcd user, so the file /usr/local/etc/nslcd-certs/ca.crt must be readable by the nslcd daemon:

root@hera:~ # ls -l /usr/local/etc/nslcd-certs/ca.crt
-r--------  1 nslcd  nslcd  1448 Jun 23 22:21 /usr/local/etc/nslcd-certs/ca.crt

Enable the nslcd daemon:

echo 'nslcd_enable="YES"' >> /etc/rc.conf

Start the daemon:

service nslcd start

(note that for debugging purposes you can run it as nslcd -d)

Edit your /etc/nsswitch.conf file and restart nsswitch:

root@hera:~ # more /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
#
# group: compat
group: files ldap
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
# passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
# services: compat
services: files ldap
services_compat: nis
protocols: files
rpc: files

s/group: compat/group: files ldap/
s/passwd: compat/passwd: files ldap/
s/services: compat/services: files ldap/

To allow ssh login only, edit /etc/pam.d/sshd by adding the pam_ldap.so option:

root@hera:~ # more /etc/pam.d/sshd
#
# $FreeBSD: releng/11.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth		sufficient	pam_opie.so			no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so		no_warn allow_local
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn
auth		required	pam_unix.so			no_warn try_first_pass

# account
account		required	pam_nologin.so
account		required	pam_login_access.so
account		sufficient	/usr/local/lib/pam_ldap.so
account		required	pam_unix.so

# session
session		required	pam_permit.so

# password try_first_pass
password	sufficient	/usr/local/lib/pam_ldap.so	try_first_pass
password	required	pam_unix.so			no_warn try_first_pass

Make sure the above uses the correct format (tab separators).

Note that users will not be allowed in if their shell (specified in the LDAP database) is not installed/linked and their home directory (specified in the LDAP database) is not mounted (see security/pam_mkhomedir for a workaround). Also, the LDAP server from the base of OpenBSD doesn't allow password change.

Enjoy,
Predrag
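As an added example (not part of Predrag's post and not code from the nss-pam-ldapd project), the POSIX shell script below checks the four things this how-to had to get right, in the order they were debugged: that ca.crt is owned by and readable by the account nslcd runs as, that nslcd.conf drops to "uid nslcd", uses StartTLS and names the CA file, that nsswitch.conf lists "files" before "ldap" for passwd, group and services so local accounts never depend on the directory, and that /etc/pam.d/sshd keeps pam_unix.so as the "required" fallback beside each "sufficient" pam_ldap.so line. The default paths are the ones from the post; the hostname, base DN and certificate contents in the sample files are constructed placeholders, and the script name ldapcheck.sh is assumed.

```shell
#!/bin/sh
# Added example (not from the original post or the nss-pam-ldapd project): sanity
# checks for the nslcd / nsswitch / PAM setup described above. Each check takes
# explicit file paths, so it can be run against the live FreeBSD files or against
# copies. Default paths are the ones used in the post.

# The CA certificate must be readable by the account nslcd runs as ("uid nslcd"
# in nslcd.conf); otherwise StartTLS verification fails and every LDAP lookup
# quietly returns nothing. USER may be a name or a numeric uid (find -user
# accepts both).
check_cacert_readable() {
    cert_file=$1; cert_user=$2
    [ -f "$cert_file" ] || { echo "FAIL: $cert_file does not exist"; return 1; }
    # POSIX find: owned by cert_user and owner-readable (mode bit 0400 set)
    if [ -z "$(find "$cert_file" -user "$cert_user" -perm -400 2>/dev/null)" ]; then
        echo "FAIL: $cert_file is not owned by $cert_user or not owner-readable"
        return 1
    fi
    echo "ok: $cert_file is readable by $cert_user"
}

# nslcd.conf must drop privileges to nslcd, use StartTLS (plain ldap:// would
# send passwords in clear) and name the CA file that verifies the server cert.
check_nslcd_conf() {
    nf=$1; nrc=0
    grep -Eq '^[[:space:]]*uid[[:space:]]+nslcd' "$nf" \
        || { echo "FAIL: no 'uid nslcd' in $nf"; nrc=1; }
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$nf" \
        || { echo "FAIL: no 'ssl start_tls' in $nf"; nrc=1; }
    grep -Eq '^[[:space:]]*tls_cacertfile[[:space:]]+/' "$nf" \
        || { echo "FAIL: no 'tls_cacertfile /path' in $nf"; nrc=1; }
    return $nrc
}

# nsswitch.conf: passwd, group and services must list "files" before "ldap" so
# local accounts (root included) resolve without a round trip to the directory.
check_nsswitch() {
    sf=$1; src=0
    for db in passwd group services; do
        grep -Eq "^${db}:[[:space:]]+files[[:space:]]+ldap" "$sf" \
            || { echo "FAIL: '$db: files ldap' missing in $sf"; src=1; }
    done
    return $src
}

# /etc/pam.d/sshd: each of auth, account and password needs a "sufficient"
# pam_ldap.so line, and pam_unix.so must remain "required" as the fallback so
# local accounts keep working when the directory is unreachable.
check_pam_sshd() {
    pf=$1; prc=0
    for section in auth account password; do
        grep -Eq "^${section}[[:space:]]+sufficient[[:space:]]+[^[:space:]]*pam_ldap\.so" "$pf" \
            || { echo "FAIL: no 'sufficient pam_ldap.so' line in $section section of $pf"; prc=1; }
        grep -Eq "^${section}[[:space:]]+required[[:space:]]+[^[:space:]]*pam_unix\.so" "$pf" \
            || { echo "FAIL: no 'required pam_unix.so' line in $section section of $pf"; prc=1; }
    done
    return $prc
}

# Runs all checks; arguments override the FreeBSD default locations from the post.
check_all() {
    all_rc=0
    check_nslcd_conf "${1:-/usr/local/etc/nslcd.conf}" || all_rc=1
    check_nsswitch   "${2:-/etc/nsswitch.conf}"        || all_rc=1
    check_pam_sshd   "${3:-/etc/pam.d/sshd}"           || all_rc=1
    check_cacert_readable "${4:-/usr/local/etc/nslcd-certs/ca.crt}" "${5:-nslcd}" || all_rc=1
    return $all_rc
}

# Writes constructed sample files (hostname, base DN and cert are placeholders)
# into DIR, mirroring the post's configuration, so the checks can run offline.
write_sample_configs() {
    d=$1
    printf 'uid nslcd\ngid nslcd\nuri ldap://ldap.example.org\nbase dc=example,dc=org\nssl start_tls\ntls_cacertfile %s/ca.crt\n' "$d" > "$d/nslcd.conf"
    printf 'group: files ldap\npasswd: files ldap\nservices: files ldap\nhosts: files dns\n' > "$d/nsswitch.conf"
    printf 'auth\tsufficient\t/usr/local/lib/pam_ldap.so\tno_warn\nauth\trequired\tpam_unix.so\tno_warn try_first_pass\naccount\tsufficient\t/usr/local/lib/pam_ldap.so\naccount\trequired\tpam_unix.so\npassword\tsufficient\t/usr/local/lib/pam_ldap.so\ttry_first_pass\npassword\trequired\tpam_unix.so\tno_warn try_first_pass\n' > "$d/sshd"
    printf 'CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE\n' > "$d/ca.crt"
    chmod 400 "$d/ca.crt"
}

# Stand-alone demo: check the constructed samples, with the current user
# standing in for nslcd as the file owner.
demo() {
    demo_dir=$(mktemp -d) || return 1
    write_sample_configs "$demo_dir"
    check_all "$demo_dir/nslcd.conf" "$demo_dir/nsswitch.conf" "$demo_dir/sshd" \
              "$demo_dir/ca.crt" "$(id -un 2>/dev/null || id -u)"
    demo_rc=$?
    rm -rf "$demo_dir"
    return $demo_rc
}

demo
```

Run it as `sh ldapcheck.sh` for the offline demo, or source it on the server and call `check_all` with no arguments to test the real files; every failing check prints a FAIL line and the function returns non-zero, so it can sit in a post-install script. The ownership test uses find -user and -perm -400 rather than a stat invocation because stat's flags differ between FreeBSD and GNU userland.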