FreeBSD auth to LDAP


How to have a FreeBSD server authenticate against an OpenLDAP server. This was originally documented elsewhere, but that page is long gone. The LDAP server being used is administered with PhpLDAPAdmin.

  • Install pam_ldap, which pulls in openldap-client as a dependency. This should be fairly quick; on an 850 MHz machine it finished in under 10 minutes:
cd /usr/ports/security/pam_ldap/
make install

  • Install nss_ldap, which should take about a minute:
cd /usr/ports/net/nss_ldap/
make install

  • Create /usr/local/etc/ldap.conf:
# LDAP client config
uri			ldap://
base			dc=something,dc=net
port			389
binddn			uid=ldapclient$,ou=machines,ou=staff,dc=something,dc=net
bindpw			<somepassword>
#timeout stuff
timelimit		10
bind_timelimit		5
bind_policy		soft
#nss/pam stuff
nss_base_passwd		ou=staff,dc=something,dc=net
nss_base_group		cn=tech,ou=groups,ou=staff,dc=something,dc=net
pam_password		SSHA

  • Symlink the new config file as nss_ldap.conf:
ln -s /usr/local/etc/ldap.conf /usr/local/etc/nss_ldap.conf

  • Edit /etc/nsswitch.conf (comment out the two compat lines, add the two files ldap lines):
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files

  • Add the line below to each of these files. Be sure to place it above all other uncommented lines!
    • /etc/pam.d/sshd (ssh login)
    • /etc/pam.d/system (local console login)
auth		sufficient	/usr/local/lib/	no_warn try_first_pass
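
To confirm the steps above took effect, here is an added sanity-check script; it is not from the original page and checks only what the page itself requires. It assumes the pam_ldap port installs its module as pam_ldap.so, and it builds a constructed sample tree so it can be tried without touching the live files.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the files the steps above
# produce. Each function takes a path so it can run on a constructed copy; it assumes
# the pam_ldap port installs its module as pam_ldap.so.

# ldap.conf carries bindpw in cleartext, so it must have no group/other permission bits.
check_ldap_conf() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 2
    grep -q '^uri[[:space:]]' "$1" && grep -q '^bindpw[[:space:]]' "$1" || return 3
    # a plain ldap:// uri with no start_tls sends that bind password unencrypted
    if grep -q '^uri[[:space:]]*ldap://' "$1" && ! grep -q '^ssl[[:space:]]*start_tls' "$1"; then
        echo "warning: $1 binds over cleartext ldap://"
    fi
}

# nss_ldap.conf must be the symlink from the page, resolving to ldap.conf.
check_symlink() { [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]; }

# nsswitch.conf: the active passwd: and group: lines must both list ldap.
check_nsswitch() {
    awk '($1=="passwd:" || $1=="group:") { for (i=2;i<=NF;i++) if ($i=="ldap") n++ }
         END { exit (n==2) ? 0 : 1 }' "$1"
}

# pam.d file: the first active auth line must be the sufficient pam_ldap line,
# otherwise an earlier module decides before LDAP is consulted.
check_pam_order() {
    awk '$1=="auth" { ok = ($2=="sufficient" && $3 ~ /pam_ldap/); exit }
         END { exit ok ? 0 : 1 }' "$1"
}

# Constructed sample tree mirroring the page's files: pam.d/sshd has the LDAP line
# first (correct), pam.d/system has it below pam_unix (the mistake the page warns about).
make_sample_tree() {
    d="$1"; mkdir -p "$d/pam.d"
    printf 'uri\tldap://\nbase\tdc=something,dc=net\nbindpw\tsecret\n' > "$d/ldap.conf"
    chmod 600 "$d/ldap.conf"
    ln -sf "$d/ldap.conf" "$d/nss_ldap.conf"
    printf 'group: files ldap\nhosts: files dns\n#passwd: compat\npasswd: files ldap\n' > "$d/nsswitch.conf"
    printf 'auth\tsufficient\t/usr/local/lib/pam_ldap.so\tno_warn try_first_pass\nauth\trequired\tpam_unix.so\n' > "$d/pam.d/sshd"
    printf 'auth\trequired\tpam_unix.so\nauth\tsufficient\t/usr/local/lib/pam_ldap.so\tno_warn try_first_pass\n' > "$d/pam.d/system"
}

# Run against the real locations: run_checks /usr/local/etc /etc
run_checks() {
    check_ldap_conf "$1/ldap.conf" && check_symlink "$1/nss_ldap.conf" "$1/ldap.conf" &&
    check_nsswitch "$2/nsswitch.conf" && check_pam_order "$2/pam.d/sshd" && check_pam_order "$2/pam.d/system"
}
```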