From owner-freebsd-questions@FreeBSD.ORG Sat Mar 13 11:12:02 2004
From: Antoine Jacoutot
To: peo@intersonic.se
cc: freebsd-questions@freebsd.org
Date: Sat, 13 Mar 2004 20:11:44 +0100
Subject: Re: nss_ldap/pam_ldap, what am I missing?
Message-Id: <200403132011.44445.ajacoutot@lphp.org>
In-Reply-To: <40534413.2010805@intersonic.se>
References: <4051DBE9.2010002@intersonic.se> <1079119055.40520ccf3007c@webmail.lphp.org> <40534413.2010805@intersonic.se>

On Saturday 13 March 2004 18:25, Per olof Ljungmark wrote:
> If you have a similar setup working I am very interested in how it was
> accomplished.

All right, so here is my setup if it can help you; note that I'm using ldap over SSL with key files.
server:

# /usr/local/etc/ldap.conf
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/
base dc=domain,dc=com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
pam_password ssha
nss_base_passwd ou=People,dc=domain,dc=com?one
nss_base_passwd ou=Computers,dc=domain,dc=com?one
nss_base_shadow ou=People,dc=domain,dc=com?one
nss_base_group ou=Group,dc=domain,dc=com?one

# /usr/local/etc/nss_ldap.conf
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/
base dc=domain,dc=com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
nss_base_passwd ou=People,dc=domain,dc=com?one
nss_base_passwd ou=Computers,dc=domain,dc=com?one
nss_base_shadow ou=People,dc=domain,dc=com?one
nss_base_group ou=Group,dc=domain,dc=com?one

client:

# /usr/local/etc/ldap.conf
base dc=domain,dc=com
uri ldaps://server.domain.com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
pam_password ssha
nss_base_passwd ou=People,dc=domain,dc=com?one
nss_base_passwd ou=Computers,dc=domain,dc=com?one
nss_base_shadow ou=People,dc=domain,dc=com?one
nss_base_group ou=Group,dc=domain,dc=com?one
ssl on
tls_checkpeer yes
tls_cacertfile /usr/local/etc/openldap/cacert.pem

# /usr/local/etc/nss_ldap.conf
base dc=domain,dc=com
uri ldaps://server.domain.com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
nss_base_passwd ou=People,dc=domain,dc=com?one
nss_base_passwd ou=Computers,dc=domain,dc=com?one
nss_base_shadow ou=People,dc=domain,dc=com?one
nss_base_group ou=Group,dc=domain,dc=com?one
ssl on
tls_checkpeer yes
tls_cacertfile /usr/local/etc/openldap/cacert.pem

common (client+server):

# /etc/nsswitch.conf
passwd: files ldap
group: files ldap

# /etc/pam.d/ldap
auth sufficient /usr/local/lib/pam_ldap.so

# /etc/pam.d/system
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth include ldap
auth required pam_unix.so no_warn try_first_pass nullok
account required pam_login_access.so
account required pam_unix.so
session required pam_lastlog.so no_fail
password required pam_unix.so no_warn try_first_pass
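As an added example (not part of the message above or of pam_ldap/nss_ldap), here is a small POSIX sh lint for the client-side ldap.conf/nss_ldap.conf layout the reply shows: it checks that a network uri actually uses TLS, that the peer is verified against a CA file, and flags a bindpw kept in a file every NSS-using process has to read. It assumes the "key value" one-setting-per-line format with '#' comments; the two sample files and the placeholder password are constructed for the demonstration.

```shell
# Added example, not from the original post: lint the TLS and credential
# settings of a pam_ldap/nss_ldap style ldap.conf. Exit status 0 means no
# WARN findings; INFO lines are advisory.

ldap_conf_value() {
    # Print the value of the first line whose key is $2 in file $1.
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

check_ldap_conf() {
    conf="$1"; rc=0
    uri=$(ldap_conf_value "$conf" uri)
    ssl=$(ldap_conf_value "$conf" ssl)
    case "$uri" in
        ldapi://*) tls=local ;;   # UNIX socket, as on the server side above
        ldaps://*) tls=yes ;;     # ldaps:// selects TLS for the whole session
        *) [ "$ssl" = "start_tls" ] && tls=yes || tls=no ;;
    esac
    if [ "$tls" = "no" ]; then
        echo "WARN $conf: uri '$uri' with ssl='$ssl': bindpw and directory data cross the wire in clear"; rc=1
    elif [ "$tls" = "yes" ]; then
        [ "$(ldap_conf_value "$conf" tls_checkpeer)" = "yes" ] \
            || { echo "WARN $conf: tls_checkpeer is not 'yes', the server certificate is not verified"; rc=1; }
        [ -n "$(ldap_conf_value "$conf" tls_cacertfile)" ] \
            || { echo "WARN $conf: no tls_cacertfile, nothing to verify the server certificate against"; rc=1; }
    fi
    [ -z "$(ldap_conf_value "$conf" bindpw)" ] \
        || echo "INFO $conf: bindpw present; nss_ldap reads it as every local user, keep proxyuser read-only"
    return $rc
}

# Constructed samples: one mirroring the client config above, one weakened.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat >"$GOOD" <<'EOF'
uri ldaps://server.domain.com
binddn cn=proxyuser,dc=domain,dc=com
bindpw placeholder-secret
ssl on
tls_checkpeer yes
tls_cacertfile /usr/local/etc/openldap/cacert.pem
EOF
cat >"$BAD" <<'EOF'
uri ldap://server.domain.com
bindpw placeholder-secret
EOF
check_ldap_conf "$GOOD"; check_ldap_conf "$BAD" || true
```

Run it against a real client's /usr/local/etc/ldap.conf and nss_ldap.conf with `check_ldap_conf /usr/local/etc/ldap.conf`; a clean file prints only the INFO line about bindpw.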