Difference between revisions of "FreeBSD auth to LDAP"
From falz.net
Latest revision as of 14:12, 9 July 2014
How to have a FreeBSD server authenticate against an OpenLDAP server. This was originally documented at http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html, but that page is long gone. The LDAP server being used is administered with PhpLDAPAdmin (http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page).
- Install pam_ldap, which pulls in openldap-client as a dependency. This should be fairly quick; on an 850 MHz machine it was done in under 10 minutes:
cd /usr/ports/security/pam_ldap/
make install
- Install nss_ldap, which should take about a minute:
cd /usr/ports/net/nss_ldap/
make install
- Create /usr/local/etc/ldap.conf:
# LDAP client config
host ldap.something.net
uri ldap://ldap.something.net/
base dc=something,dc=net
port 389
binddn uid=ldapclient$,ou=machines,ou=staff,dc=something,dc=net
bindpw <somepassword>

#timeout stuff
timelimit 10
bind_timelimit 5
bind_policy soft

#nss/pam stuff
nss_base_passwd ou=staff,dc=something,dc=net
nss_base_group cn=tech,ou=groups,ou=staff,dc=something,dc=net
pam_password SSHA
- Symlink this new conf to nss_ldap.conf:
ln -s /usr/local/etc/ldap.conf /usr/local/etc/nss_ldap.conf
- Edit /etc/nsswitch.conf (comment two lines, add two lines):
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
- Add the following line to each of these files. Be sure to place it above all other uncommented lines!
- /etc/pam.d/sshd (ssh login)
- /etc/pam.d/system (local console login)
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
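Once the three files above are in place, it is worth checking them before relying on LDAP logins, because a pam_ldap line in the wrong position or a leftover "compat" entry in nsswitch.conf fails quietly. The script below is an added example, not part of the original page: it checks nsswitch.conf, a pam.d service file and ldap.conf against what the steps say they should contain. File paths are parameters so it can run against copies; on the real host you would pass /etc/nsswitch.conf, /etc/pam.d/sshd, /etc/pam.d/system and /usr/local/etc/ldap.conf. The sample files it writes are constructed for the demonstration, and the bind password in them is a made-up placeholder.

```shell
#!/bin/sh
# Post-configuration checks for the nss_ldap / pam_ldap setup described above.
# Added example; the sample files written by write_samples are constructed here.

# passwd and group must consult files then ldap, with the old compat lines commented out.
check_nsswitch() {
    f="$1"
    grep -Eq '^[[:space:]]*passwd:[[:space:]]+files[[:space:]]+ldap' "$f" || return 1
    grep -Eq '^[[:space:]]*group:[[:space:]]+files[[:space:]]+ldap' "$f" || return 1
    # an uncommented "passwd: compat" or "group: compat" left behind is a misconfiguration
    ! grep -Eq '^[[:space:]]*(passwd|group):[[:space:]]+compat' "$f"
}

# The page says the pam_ldap line goes above all other uncommented lines, so the first
# non-comment line of the service file must be "auth sufficient ... pam_ldap.so".
check_pam() {
    f="$1"
    first=$(grep -Ev '^[[:space:]]*(#|$)' "$f" | head -n 1 | sed 's/^[[:space:]]*//')
    case "$first" in
        auth*pam_ldap.so*) ;;
        *) return 1 ;;
    esac
    # "sufficient": an LDAP success ends the stack, an LDAP failure falls through to the
    # local modules below, so an unreachable LDAP server does not lock out local accounts
    echo "$first" | grep -Eq '^auth[[:space:]]+sufficient[[:space:]].*try_first_pass'
}

# ldap.conf must carry every key the steps set, and the <somepassword> placeholder
# from the page must have been replaced with the real bind password.
check_ldapconf() {
    f="$1"
    for key in uri base binddn bindpw nss_base_passwd nss_base_group bind_policy; do
        grep -Eq "^[[:space:]]*$key[[:space:]]+" "$f" || return 1
    done
    ! grep -Eq '^[[:space:]]*bindpw[[:space:]]+<somepassword>' "$f"
}

# Returns 0 when the uri is plain ldap:// as on the page. A simple bind over ldap://
# sends bindpw unencrypted, which matters when the LDAP server is not on a trusted segment.
ldap_uri_is_plaintext() {
    grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' "$1"
}

# Constructed sample files: the nsswitch.conf and ldap.conf from the steps above, a
# correctly ordered sshd service file, and one with the pam_ldap line in the wrong place.
write_samples() {
    d="$1"
    cat > "$d/nsswitch.conf" <<'EOF'
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
EOF
    cat > "$d/sshd" <<'EOF'
# constructed sample modelled on a FreeBSD /etc/pam.d/sshd
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so                     no_warn try_first_pass
account         required        pam_unix.so
session         required        pam_permit.so
EOF
    cat > "$d/sshd-bad" <<'EOF'
# pam_ldap below pam_unix: an LDAP-only user fails pam_unix, and "required" makes that final
auth            required        pam_unix.so                     no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
account         required        pam_unix.so
EOF
    cat > "$d/ldap.conf" <<'EOF'
host ldap.something.net
uri ldap://ldap.something.net/
base dc=something,dc=net
port 389
binddn uid=ldapclient$,ou=machines,ou=staff,dc=something,dc=net
bindpw constructed-example-password
timelimit 10
bind_timelimit 5
bind_policy soft
nss_base_passwd ou=staff,dc=something,dc=net
nss_base_group cn=tech,ou=groups,ou=staff,dc=something,dc=net
pam_password SSHA
EOF
}

# Demonstration run over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for chk in "check_nsswitch $tmp/nsswitch.conf" "check_pam $tmp/sshd" \
           "check_pam $tmp/sshd-bad" "check_ldapconf $tmp/ldap.conf"; do
    if $chk; then echo "ok   $chk"; else echo "FAIL $chk"; fi
done
ldap_uri_is_plaintext "$tmp/ldap.conf" && echo "note: uri is plain ldap://, bind password travels unencrypted"
rm -rf "$tmp"
```

The check_pam test on the deliberately mis-ordered sshd-bad file is expected to report FAIL; that is the ordering mistake the step above warns about. A live end-to-end check on the host itself is simply getent passwd <ldapuser>, which exercises the nsswitch.conf and ldap.conf pieces together.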