FreeBSD auth to LDAP

From falz.net

Revision as of 10:05, 9 July 2014 by Falz (talk | contribs) (Created page with "How to have a FreeBSD Server auth to an OpenLDAP server. This was originally documented [http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_min...")

How to have a FreeBSD server authenticate against an OpenLDAP server. This was originally documented on another site (the link is long gone). The LDAP server used here is administered with PhpLDAPAdmin, and all DNs below use the example domain dc=something,dc=net; substitute your own.

  • Install pam_ldap from ports (as root), which pulls in openldap-client as a dependency. This should be fairly quick; on an 850 MHz machine it was done in under 10 minutes:
cd /usr/ports/security/pam_ldap/
make install


  • Install nss_ldap, which should take about a minute:
cd /usr/ports/net/nss_ldap/
make install


  • Create /usr/local/etc/ldap.conf. Note that nss_ldap is loaded into every process that resolves a user or group, so this file has to stay world-readable, which means the bindpw is visible to every local user: give the ldapclient$ bind account read-only directory rights and nothing more. The uri below is plain ldap:// on port 389, so the bind and any password traffic cross the network unencrypted; if the server supports it, add an "ssl start_tls" line (with tls_cacertfile pointing at the CA certificate) to protect them.
# LDAP client config
host			ldap.something.net
uri			ldap://ldap.something.net/
base			dc=something,dc=net
port			389
binddn			uid=ldapclient$,ou=machines,ou=staff,dc=something,dc=net
bindpw			<somepassword>
#timeout stuff
timelimit		10
bind_timelimit		5
bind_policy		soft
#nss/pam stuff
nss_base_passwd		ou=staff,dc=something,dc=net
nss_base_group		cn=tech,ou=groups,ou=staff,dc=something,dc=net
pam_password		SSHA


  • Symlink this new conf to nss_ldap.conf:
ln -s /usr/local/etc/ldap.conf /usr/local/etc/nss_ldap.conf


  • Edit /etc/nsswitch.conf: comment out the two "compat" lines for group and passwd and add "files ldap" below each, so local files are consulted first and LDAP second:
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files


  • Add the line below to each of these files. Be sure to place it above all other uncommented lines so that pam_ldap is tried first; "sufficient" means a successful LDAP bind ends the auth stack, and a failure falls through to the existing pam_unix entry:
    • /etc/pam.d/sshd (ssh login)
    • /etc/pam.d/system (local console login)
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
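
The configuration, nsswitch.conf and pam.d steps above, scripted so they can be dry-run against a scratch directory before being applied to a live host. This is an added example for this page, not the original author's script; the hostname, base DN, bind DN and password are the page's placeholders, and the variable names, function names and the "apply" argument are assumptions of the example. The two "make install" steps are still done by hand first.

```shell
#!/bin/sh
# Added example, not from the original page: scripts the ldap.conf, symlink,
# nsswitch.conf and pam.d steps against a root prefix so they can be dry-run
# in a scratch directory before touching a live FreeBSD host.  Hostname, base
# DN, bind DN and password are the page's placeholders; variable and function
# names are assumptions of this example.  Build the two ports first.
set -eu

LDAP_HOST=${LDAP_HOST:-ldap.something.net}
BASE_DN=${BASE_DN:-dc=something,dc=net}
BIND_DN=${BIND_DN:-"uid=ldapclient\$,ou=machines,ou=staff,$BASE_DN"}
BIND_PW=${BIND_PW:-somepassword}

# Write /usr/local/etc/ldap.conf under the prefix $1 and symlink
# nss_ldap.conf to it.  nss_ldap runs inside every process that resolves a
# uid or gid, so the file must stay world-readable (0644) and bindpw is
# visible to every local user: give the bind account read-only rights only.
write_ldap_conf() {
    dir="$1/usr/local/etc"
    mkdir -p "$dir"
    cat > "$dir/ldap.conf" <<EOF
# LDAP client config
host            $LDAP_HOST
uri             ldap://$LDAP_HOST/
base            $BASE_DN
port            389
binddn          $BIND_DN
bindpw          $BIND_PW
#timeout stuff
timelimit       10
bind_timelimit  5
bind_policy     soft
#nss/pam stuff
nss_base_passwd ou=staff,$BASE_DN
nss_base_group  cn=tech,ou=groups,ou=staff,$BASE_DN
pam_password    SSHA
EOF
    chmod 0644 "$dir/ldap.conf"
    ln -sf "$dir/ldap.conf" "$dir/nss_ldap.conf"
}

# Comment out "passwd: compat" / "group: compat" in the nsswitch.conf given
# as $1 and add "files ldap" directly below each.  Already-switched lines do
# not match, so running it twice is harmless.  awk + mv rather than sed -i,
# because BSD and GNU sed disagree on the -i syntax.
patch_nsswitch() {
    awk '
        /^[ \t]*(passwd|group):[ \t]*compat/ {
            print "#" $0
            sub(/compat.*/, "files ldap")
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Insert the pam_ldap auth line into the pam.d file $1 above the first
# uncommented line, unless the file already references pam_ldap.so.
add_pam_ldap() {
    grep -q 'pam_ldap\.so' "$1" && return 0
    line=$(printf 'auth\t\tsufficient\t/usr/local/lib/pam_ldap.so\tno_warn try_first_pass')
    awk -v l="$line" '
        !done && /^[ \t]*[^# \t]/ { print l; done = 1 }
        { print }
        END { if (!done) print l }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Only touch the live system when invoked as "apply" (as root); any other
# invocation just defines the functions and modifies nothing.
if [ "${1:-}" = apply ]; then
    write_ldap_conf ""
    patch_nsswitch /etc/nsswitch.conf
    add_pam_ldap /etc/pam.d/sshd
    add_pam_ldap /etc/pam.d/system
fi
```

To dry-run, source the script and call write_ldap_conf, patch_nsswitch and add_pam_ldap against copies of the files in a temporary directory, then diff the results against the listings above; once they match, run it with "apply" on the host and confirm the directory is visible with getent passwd before closing your root session.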