FreeBSD auth to LDAP
From falz.net
How to make a FreeBSD server authenticate against an OpenLDAP server. This was originally documented here but is long gone. The LDAP server used here is administered with phpLDAPadmin.
- Install pam_ldap, which pulls in openldap-client as a dependency. This should be fairly quick; on an 850MHz machine it finished in under 10 minutes:
cd /usr/ports/security/pam_ldap/
make install
- Install nss_ldap, which should take about a minute:
cd /usr/ports/net/nss_ldap/
make install
- Create /usr/local/etc/ldap.conf:
# LDAP client config
host ldap.something.net
uri ldap://ldap.something.net/
base dc=something,dc=net
port 389
binddn uid=ldapclient$,ou=machines,ou=staff,dc=something,dc=net
bindpw <somepassword>

#timeout stuff
timelimit 10
bind_timelimit 5
bind_policy soft

#nss/pam stuff
nss_base_passwd ou=staff,dc=something,dc=net
nss_base_group cn=tech,ou=groups,ou=staff,dc=something,dc=net
pam_password SSHA
Two things to be aware of with this file. First, bindpw is stored in clear text, and because nss_ldap is consulted by every process that looks up a user or group, the file generally has to stay readable by unprivileged users; if that bothers you, nss_ldap and pam_ldap support rootbinddn with the password kept in the separate, root-only ldap.secret file instead. Second, the plain ldap:// URI on port 389 means the bind password and, whenever PAM authenticates someone, the user's password cross the network unencrypted; if the server supports it, use an ldaps:// URI or add "ssl start_tls" together with tls_cacertfile so the connection is encrypted and the server certificate is checked. bind_policy soft stops lookups from retrying forever when the LDAP server is unreachable, which matters for the PAM setup below.
- Symlink this new conf to nss_ldap.conf:
ln -s /usr/local/etc/ldap.conf /usr/local/etc/nss_ldap.conf
- Edit /etc/nsswitch.conf (comment two lines, add two lines):
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
- Add the following line to each of these files. Be sure to place it above all other uncommented lines, so it is the first entry in the auth stack:
- /etc/pam.d/sshd (ssh login)
- /etc/pam.d/system (local console login)
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
Because the entry is "sufficient", a successful LDAP authentication ends the auth stack there, while a failure (wrong password, user not in LDAP, or server unreachable) falls through to the existing pam_unix entry, so local accounts such as root keep working when the LDAP server is down. try_first_pass reuses the password already typed rather than prompting again.
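The following script, an added example that is not part of the original page, checks the three things this procedure depends on: that pam_ldap is the first active auth entry in a pam.d file, that nsswitch.conf actually lists ldap for passwd and group, and that ldap.conf is not world-readable and uses an encrypted transport. The file paths are the FreeBSD ones used above; the sample files written by make_samples are constructed here for demonstration and are not real configuration.

```sh
#!/bin/sh
# Post-install checks for the FreeBSD pam_ldap/nss_ldap setup described above.
# Added example, not from the original page. Paths match the ones the page
# uses; the sample files produced by make_samples are constructed test data.

# 0 if the first uncommented "auth" entry in a pam.d file ($1) is pam_ldap,
# which the page requires (it must sit above every other active line).
pam_ldap_first_auth() {
    first=$(awk '$1 !~ /^#/ && $1 == "auth" { print $3; exit }' "$1")
    [ "$first" = "/usr/local/lib/pam_ldap.so" ]
}

# 0 if nsswitch.conf ($2) lists "ldap" as a source for database $1 (passwd|group).
nss_uses_ldap() {
    awk -v db="$1:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# 0 if file $1 is not readable by "other" (chars 8-10 of ls -ld are "---").
# ldap.conf holds bindpw in clear, so it should not be world-readable; note the
# caveat in the text that unprivileged nss lookups need to read nss_ldap.conf,
# so rootbinddn with ldap.secret is the usual way to reconcile the two.
not_world_readable() {
    case "$(ls -ld "$1" | cut -c8-10)" in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 if ldap.conf ($1) uses an ldaps:// URI or enables STARTTLS. Plain ldap://
# sends the bind password and users' passwords across the network in clear.
ldap_conf_encrypted() {
    grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://' "$1" && return 0
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$1"
}

# Write constructed sample files into a temporary directory and print its path.
make_samples() {
    d=$(mktemp -d)
    # correctly ordered auth stack (constructed sample of /etc/pam.d/sshd)
    cat > "$d/sshd" <<'EOF'
# sample /etc/pam.d/sshd (constructed)
auth    sufficient    /usr/local/lib/pam_ldap.so    no_warn try_first_pass
auth    required      pam_unix.so                   no_warn try_first_pass
account required      pam_unix.so
EOF
    # wrong order: pam_unix runs first and pam_ldap is never reached on failure
    cat > "$d/sshd.bad" <<'EOF'
auth    required      pam_unix.so                   no_warn try_first_pass
auth    sufficient    /usr/local/lib/pam_ldap.so    no_warn try_first_pass
EOF
    cat > "$d/nsswitch.conf" <<'EOF'
#group: compat
group: files ldap
#passwd: compat
passwd: files ldap
hosts: files dns
EOF
    # plaintext transport, locked down permissions
    cat > "$d/ldap.conf" <<'EOF'
uri ldap://ldap.something.net/
base dc=something,dc=net
bindpw secret
EOF
    chmod 600 "$d/ldap.conf"
    # STARTTLS transport, world-readable (the usual nss_ldap.conf situation)
    cat > "$d/ldap-tls.conf" <<'EOF'
uri ldap://ldap.something.net/
ssl start_tls
tls_cacertfile /usr/local/etc/ssl/ca.crt
EOF
    chmod 644 "$d/ldap-tls.conf"
    printf '%s\n' "$d"
}
```

On a live system, run the same functions against the real files (pam_ldap_first_auth /etc/pam.d/sshd, nss_uses_ldap passwd /etc/nsswitch.conf, and so on), then confirm end to end with "id someldapuser" or "getent passwd someldapuser" and an ssh login as that user; if the name resolves but the login fails, the problem is in the PAM stack rather than in nss_ldap.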