Date: Fri, 15 Feb 2008 09:53:41 +1300
From: Jonathan Chen <jonc@chen.org.nz>
To: Jon Theil Nielsen <jontheil@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: LDAP user authentication?
Message-ID: <20080214205341.GA47529@osiris.chen.org.nz>
In-Reply-To: <8f82c35c0802131110l7c678965qe6d0c3432f008254@mail.gmail.com>
References: <8f82c35c0802131110l7c678965qe6d0c3432f008254@mail.gmail.com>
On Wed, Feb 13, 2008 at 08:10:57PM +0100, Jon Theil Nielsen wrote:

> I have googled for a very long time, but I haven't found any useful
> howto on this issue. Well, there is
> http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
> but that seems to be a bit confusing and not up-to-date. I guess it
> _should_ be possible - and indeed very useful (especially combined
> with Samba PDC and an easily maintainable mail server). So please, if
> you have any experiences or knowledge of a useful description..!

The first thing for you to do is to set up your LDAP tree, with your
users using objectClass=posixAccount, and your groups with
objectClass=posixGroup.

Then make the following changes to /etc/nsswitch.conf:

    group: files ldap
    passwd: files ldap

You then have to install the ports net/nss_ldap and security/pam_ldap.
The strategy you should adopt is to first get nss_ldap working before
looking at pam_ldap.

To configure nss_ldap:

    cp /usr/local/etc/nss_ldap.conf.sample /usr/local/etc/nss_ldap.conf

When editing the nss_ldap.conf, the entries of particular interest are
"bind_timelimit" and "bind_policy", which will need to be changed so that
the system will still allow you to log in locally even if the LDAP server
is not running. I've got mine set to:

    bind_timelimit 3
    bind_policy soft

Make sure your "nss_base_passwd" and "nss_base_group" are set correctly.
I found that I didn't have to set "rootbinddn" or provide a ldap.secret
file, YMMV.

You can then test with "getent group" or "getent passwd". However,
getent(1) is only available with FreeBSD-7 onwards. If you aren't using
FreeBSD-7, the simplest way to test is to create a file whose user and
group ownership refers to the LDAP entries, and then see if a simple
"ls -l" displays correctly.
Once you've verified that this is working, you can then configure pam_ldap:

    cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf

Again, set the bind_timelimit and bind_policy to ensure you don't hang
your system if the LDAP server isn't up.

To configure PAM, you have to add a reference to pam_ldap in the
appropriate PAM files in /etc/pam.d. Here's my snippet in
/etc/pam.d/login to allow a console login:

    # auth
    auth    sufficient    pam_self.so                    no_warn
    auth    sufficient    /usr/local/lib/pam_ldap.so     no_warn try_first_pass
    auth    include       system
    ...

The pam_ldap.so reference will need to be added to other pam.d files as
required, eg: imap, gdm, kde, xdm.

Hope this helps.
--
Jonathan Chen <jonc@chen.org.nz>
----------------------------------------------------------------------
Opportunities are seldom labeled
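As an added example (my own check script, not part of Jonathan's message), a POSIX sh script that verifies the two nss_ldap.conf settings he singles out, plus the files-before-ldap order in nsswitch.conf, against constructed sample files. The 10-second ceiling for bind_timelimit and the sample contents are assumptions.

```shell
#!/bin/sh
# Added check script (not from the message): verify the nss_ldap.conf
# settings singled out above and the "files ldap" order in nsswitch.conf,
# so a dead LDAP server cannot hang or lock out local logins.
# The 10-second ceiling and the sample file contents are assumptions.

# Print the last value of "key value" in a config file (comments ignored).
conf_value() { awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

# 0 if bind_policy is soft, bind_timelimit is short, and both nss_base_*
# keys are set; 1 (with a reason on stdout) otherwise.
check_nss_ldap_conf() {
    policy=$(conf_value "$1" bind_policy)
    limit=$(conf_value "$1" bind_timelimit)
    [ "$policy" = "soft" ] || { echo "bind_policy is '$policy', expected soft"; return 1; }
    { [ -n "$limit" ] && [ "$limit" -le 10 ]; } 2>/dev/null ||
        { echo "bind_timelimit '$limit' missing, non-numeric or > 10s"; return 1; }
    for k in nss_base_passwd nss_base_group; do
        [ -n "$(conf_value "$1" "$k")" ] || { echo "$k not set"; return 1; }
    done
    return 0
}

# 0 if both passwd: and group: list files before ldap; 1 otherwise.
check_nsswitch() {
    awk '$1 == "passwd:" || $1 == "group:" {
            db = $1; sub(/:$/, "", db); seen[db] = 1; fi = li = 0
            for (i = 2; i <= NF; i++) { if ($i == "files") fi = i; if ($i == "ldap") li = i }
            if (!fi || !li || fi > li) { print db ": expected \"files ldap\""; bad = 1 }
         }
         END { if (!seen["passwd"] || !seen["group"]) bad = 1; exit bad }' "$1"
}

# Constructed samples: a good pair and a pair that would hang or misorder lookups.
TMP=$(mktemp -d)
cat > "$TMP/nss_ldap.conf" <<'EOF'
# constructed sample
bind_timelimit 3
bind_policy soft
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one
EOF
printf 'bind_timelimit 30\nbind_policy hard\n' > "$TMP/nss_ldap_hard.conf"
printf 'group: files ldap\npasswd: files ldap\n' > "$TMP/nsswitch.conf"
printf 'group: ldap files\npasswd: files ldap\n' > "$TMP/nsswitch_bad.conf"
```

Point the two check functions at /usr/local/etc/nss_ldap.conf and /etc/nsswitch.conf on a real host to catch a "hard" bind policy before it strands you at the console.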