Using LDAP Under FreeBSD

Installation notes for OpenLDAP under FreeBSD, using LDAP for user management.

Install OpenLDAP from the ports collection

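# Build and install the OpenLDAP server from the ports tree.
# `&&` keeps make from running in whatever directory we happen to be in
# if the cd fails (e.g. the ports tree is not checked out).
cd /usr/ports/net/openldap24-server && make config-recursive install clean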

Tweak rc.conf for OpenLDAP:

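# Enable slapd at boot. The heredoc delimiter is quoted so the shell never
# touches the %2f-escaped socket path or the nested quotes, even if the
# flags are edited later. Note that `>>` appends: running this twice leaves
# duplicate assignments in rc.conf (the last one wins).
# slapd listens on a local Unix socket (ldapi://) and on plain LDAP over TCP
# on 10.0.0.1:389. The client config further down binds to that TCP listener
# with a password, which therefore crosses the network in cleartext; restrict
# who can reach port 389, or add an ldaps:// listener / StartTLS.
cat >>/etc/rc.conf <<'HERE'
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://10.0.0.1:389/"'
slapd_sockets="/var/run/openldap/ldapi"
HERE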

Load LDAP data and change permissions:

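# Load the initial directory contents before slapd is started (it is started
# further down); slapadd writes straight into the database files.
# YOUR_DATA.ldif is a placeholder for the LDIF file holding the entries;
# -l reads it directly instead of piping it through cat.
slapadd -l YOUR_DATA.ldif
# The files slapadd just created are owned by root; hand them to ldap:ldap,
# presumably the account slapd runs under (as in the original notes).
chown -R ldap:ldap /var/db/openldap-data/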

Start OpenLDAP:

# Start the server now that the database is loaded and owned by ldap:ldap.
# Requires slapd_enable="YES" in rc.conf (set above); otherwise the rc
# script refuses to start it.
% service slapd start

FreeBSD as an LDAP client

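# Build the LDAP client pieces from the ports tree: the PAM module, the NSS
# module and pam_mkhomedir (creates home directories at login).
# Each port is handled in a subshell so a failed cd cannot leave the
# following make running in the previous port's directory, and the whole
# thing stops at the first port that fails to build.
for port in security/pam_ldap net/nss_ldap security/pam_mkhomedir; do
  (
    cd "/usr/ports/${port}" \
      && make config-recursive \
      && make package-recursive
  ) || exit 1
done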

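# Client-side configuration shared by pam_ldap and nss_ldap.
# Quoted delimiter: nothing in here is meant to be expanded by the shell.
# JAILNAME is a placeholder for this host's own entry under ou=hosts, and
# secret-password for its password; replace both before running.
# Every process doing name lookups loads nss_ldap and reads this file, so it
# has to stay readable and the bind password in it is effectively known to
# every local user: on the server, give the JAILNAME account only the
# read access that lookups need.
# Binds go to port 389 without TLS, so the bind password (and, with
# pam_password exop, any password change) crosses the network in cleartext;
# `ssl start_tls` is the pam_ldap/nss_ldap option to look at once the
# server offers it.
cat >/usr/local/etc/ldap.conf <<'HERE'
host 10.0.0.1
base dc=example,dc=com
ldap_version 3
binddn uid=JAILNAME,ou=hosts,dc=example,dc=com
bindpw secret-password
port 389
scope sub
pam_filter hostAccess=JAILNAME
pam_login_attribute uid
pam_min_uid 1000
pam_password exop
HERE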

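# nss_ldap reads nss_ldap.conf; point it at the shared ldap.conf written
# above. The path is absolute because the last cd left the shell in the
# ports tree, so a relative rm/ln would act on the wrong directory.
# -f replaces whatever nss_ldap.conf already exists (the original rm step).
ln -sf ldap.conf /usr/local/etc/nss_ldap.conf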

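# Make NSS consult LDAP after the local files for users and groups.
# The continuation backslashes are required: without them each -e line runs
# as a separate command and nsswitch.conf is never changed.
# FreeBSD sed needs an explicit (here empty) backup suffix after -i.
sed -i '' \
  -e 's/group: .*/group: files ldap/' \
  -e 's/passwd: .*/passwd: files ldap/' \
  /etc/nsswitch.conf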

Errors

/var/log/auth.log shows:

Oct  4 11:00:21 build login: nss_ldap: failed to bind to LDAP server ldap://10.0.0.1: Invalid credentials
Oct  4 11:00:21 build login: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...

Tests

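# Quick end-to-end check of the server from the client, binding as the admin.
# -W prompts for the bind password; -w PASSWORD on the command line would
# leave it visible in ps(1) output and in the shell history.
ldapsearch -h 10.0.0.1 -x -D cn=admin,dc=example,dc=com -W -LLL -b dc=example,dc=com -o ldif-wrap=no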

PAM

Changes to /etc/pam.d/system, lines 12, 17 and 23:

 1      #
 2      # $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.8.1 2012/03/03 06:15:13 kensmith Exp $
 3      #
 4      # System-wide defaults
 5      #
 6      
 7      # auth
 8      auth        sufficient  pam_opie.so                  no_warn no_fake_prompts
 9      auth        requisite   pam_opieaccess.so            no_warn allow_local
10      #auth       sufficient  pam_krb5.so                  no_warn try_first_pass
11      #auth       sufficient  pam_ssh.so                   no_warn try_first_pass
12      auth        sufficient  /usr/local/lib/pam_ldap.so   no_warn try_first_pass
13      auth        required    pam_unix.so                  no_warn try_first_pass nullok
14      
15      # account
16      #account    required    pam_krb5.so
17      account     required    /usr/local/lib/pam_ldap.so   ignore_unknown_user ignore_authinfo_unavail
18      account     required    pam_login_access.so
19      account     required    pam_unix.so
20      
21      # session
22      #session    optional    pam_ssh.so
23      session     required    /usr/local/lib/pam_mkhomedir.so
24      session     required    pam_lastlog.so      no_fail
25      
26      # password
27      #password   sufficient  pam_krb5.so     no_warn try_first_pass
28      password    required    pam_unix.so     no_warn try_first_pass

/etc/pam.d/sshd, lines 9, 21 and 25:

 1      % cat /etc/pam.d/sshd
 2      #
 3      # $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.8.1 2012/03/03 06:15:13 kensmith Exp $
 4      #
 5      # PAM configuration for the "sshd" service
 6      #
 7      
 8      # auth
 9      auth        sufficient  /usr/local/lib/pam_ldap.so    no_warn
10      auth        sufficient  pam_opie.so                   no_warn no_fake_prompts
11      auth        requisite   pam_opieaccess.so             no_warn allow_local
12      #auth       sufficient  pam_krb5.so                   no_warn try_first_pass
13      #auth       sufficient  pam_ssh.so                    no_warn try_first_pass
14      auth        required    pam_unix.so                   no_warn try_first_pass
15      
16      # account
17      account     required    pam_nologin.so
18      #account    required    pam_krb5.so
19      account     required    pam_login_access.so
20      account     required    pam_unix.so
21      account     required    /usr/local/lib/pam_ldap.so    no_warn ignore_authinfo_unavail ignore_unknown_user
22      
23      # session
24      #session    optional    pam_ssh.so
25      session     required    /usr/local/lib/pam_mkhomedir.so
26      session     required    pam_permit.so
27      
28      # password
29      #password   sufficient  pam_krb5.so     no_warn try_first_pass
30      password    required    pam_unix.so     no_warn try_first_pass

Check the result:

% grep ldap /etc/pam.d/*
/etc/pam.d/passwd:password  required    pam_ldap.so
/etc/pam.d/sshd:auth            sufficient      /usr/local/lib/pam_ldap.so    no_warn
/etc/pam.d/sshd:account         required        /usr/local/lib/pam_ldap.so    no_warn ignore_authinfo_unavail ignore_unknown_user
/etc/pam.d/system:auth          sufficient      /usr/local/lib/pam_ldap.so    no_warn try_first_pass
/etc/pam.d/system:account       required        /usr/local/lib/pam_ldap.so    ignore_unknown_user ignore_authinfo_unavail

% grep mkhome /etc/pam.d/*
/etc/pam.d/sshd:session         required        /usr/local/lib/pam_mkhomedir.so
/etc/pam.d/su:session           required        /usr/local/lib/pam_mkhomedir.so
/etc/pam.d/system:session       required        /usr/local/lib/pam_mkhomedir.so

OpenSSH Portable

cd /usr/ports/security/openssh-portable
make config-recursive
make package-recursive