From owner-freebsd-questions@FreeBSD.ORG Fri Jul 11 14:56:22 2008
From: "David Robillard" <david.robillard@gmail.com>
To: sgmayo@mail.bloomfield.k12.mo.us
Cc: Tim Judd, FreeBSD Questions
Date: Fri, 11 Jul 2008 10:56:20 -0400
Subject: Re: Ldap NSS PAM Samba

>> I am trying to set up a FreeBSD server with samba that uses OpenLdap. I
>> have installed everything and was doing some configuring. I set this all
>> up once before on a Linux box, but I basically just went through the
>> motions and really was not sure what all I did...but it worked. Now I
>> want to understand everything so that I know exactly what all I did. :)
>>
>> I have the following:
>> I installed OpenLdap which put ldap.conf in /usr/local/etc/openldap.
>> I installed PAM which put ldap.conf.dist in /usr/local/etc.
>> I installed NSS which put nss_ldap.conf in /usr/local/etc.
>>
>> From looking at them I assume that the last two are the same file and one
>> of them just needs to be renamed to ldap.conf and configured for PAM and
>> NSS, is that correct?
>>
>> The ldap.conf in /usr/local/etc/openldap is a different config file even
>> though it has the same name? It is used for openldap and the other is
>> used for PAM and NSS?
>>
>> Thanks for any info.
>>
> openldap/ldap.conf is the OpenLDAP client configuration. You're likely
> looking for the LDAP server configuration, openldap/slapd.conf

True.

> etc/ldap.conf is for PAM, and etc/nss_ldap.conf are not to be merged.

False. You can symlink nss_ldap.conf to ldap.conf. Keep them separate if
you like to edit configuration files that contain the exact same data. This
way you can make mistakes. (Just kidding :)

Both nss_ldap and pam_ldap use the same configuration when they both need
to query the same LDAP server. If, for a reason, your company uses
different LDAP servers for PAM and NSS (say you just purchased another
company or something), then you need to keep etc/nss_ldap.conf and
etc/ldap.conf(5) files separate.

Otherwise, IMHO you should try and use a single LDAP server for all your
data. Using several LDAP repositories is the path to the dark side... (and
to a lot of problems!) If you do have more than one LDAP server (say an
OpenLDAP, an Oracle Internet Directory and a Microsoft Active Directory
for instance), then set up referrals between them. Or better yet, dump an
LDIF file of one and import it to another and drop one of the LDAP servers
altogether (or just use it as a referral point for its data if you can't
rip it out of your network). It's not an easy task, but it sure is
possible.

> I've played ***VERY*** briefly with LDAP authentication through PAM and
> NSS, and both were required. I can't quote easily what the difference
> between NSS and PAM is, but all the docs I referenced from Google when I
> searched said I needed both.

NSS stands for Name Service Switch. Normally it's achieved via the
/etc/nsswitch.conf file. Basically it's telling applications where to look
for data (i.e. local files, NIS, NIS+, LDAP, DNS) for the various data
sources (i.e. groups, users, hosts, etc). See nsswitch.conf(5) and
getent(1) and http://www.padl.com/OSS/nss_ldap.html for details.

PAM stands for Pluggable Authentication Modules. It's an easy way to plug
various authentication methods into an existing infrastructure. It
basically allows you to use the local files, a Kerberos realm, an LDAP
directory and such to decide who can log in to your machines without
having to rewrite the entire authentication mechanism. See pam.conf(5) and
pam(3) plus http://www.padl.com/OSS/pam_ldap.html for details.

Why do you need both NSS and PAM? Well, suppose you decide that you want
to use a Kerberos realm to authenticate and that the Kerberos principals
(or users if you prefer) are stored in an LDAP directory. Now suppose an
SSH connection comes in from user bob. Your machine will check the PAM
configuration as to which PAM modules it should check for authentication.
It will use NSS to know where to check in order to find out who this bob
user is (will it be in the local passwd file or in the LDAP directory?)
Once it finds where bob is stored (if he exists) then it will compare the
passwd string (or the Kerberos ticket in our example) and use PAM to
locate which module it has to compare the ticket or password against.

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122

If you receive something that says "Send this to everyone you know", then
please pretend you don't know me.
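A small check script for the two points David makes above (nsswitch.conf decides where each database is looked up, and nss_ldap.conf and ldap.conf should carry the same settings). This is an added example, not code from the thread; it builds constructed sample files in a temp directory, and the LDAP host and base DN in them are assumed values.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a constructed
# nsswitch.conf plus the two LDAP client config files the thread mentions,
# then shows (1) which sources NSS consults for a database and
# (2) whether nss_ldap.conf and ldap.conf actually agree.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample nsswitch.conf: local files first, then LDAP.
cat > "$WORK/nsswitch.conf" <<'EOF'
# sample nsswitch.conf (constructed)
group:    files ldap
hosts:    files dns
passwd:   files ldap
shells:   files
EOF

# Constructed pam_ldap/nss_ldap client settings (assumed host and base).
cat > "$WORK/ldap.conf" <<'EOF'
host ldap.example.org
base dc=example,dc=org
EOF
# The symlink David suggests: one file, read by both nss_ldap and pam_ldap.
ln -s ldap.conf "$WORK/nss_ldap.conf"

# nss_sources FILE DB: print the lookup sources for DB ("files ldap"),
# or nothing if DB is not configured. Comment lines are skipped.
nss_sources() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }
        $1 == (db ":") { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# ldap_configs_agree NSS_CONF PAM_CONF: succeeds when both files have the
# same effective content (symlink or byte-identical copy), fails otherwise.
ldap_configs_agree() {
    cmp -s "$1" "$2"
}

nss_sources "$WORK/nsswitch.conf" passwd       # prints "files ldap"
if ldap_configs_agree "$WORK/nss_ldap.conf" "$WORK/ldap.conf"; then
    echo "nss_ldap.conf and ldap.conf agree"
else
    echo "WARNING: nss_ldap.conf and ldap.conf differ" >&2
fi
```

On a real box, `getent passwd bob` (from getent(1), cited above) exercises the NSS side the same way the script reads nsswitch.conf; the PAM side is only exercised by an actual login.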