Date:      Fri, 15 Feb 2008 00:34:08 +0100
From:      "Jon Theil Nielsen" <jontheil@gmail.com>
To:        "Jonathan Chen" <jonc@chen.org.nz>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: LDAP user authentication?
Message-ID:  <8f82c35c0802141534k3a37a65fj29926bbc5ab0c9fe@mail.gmail.com>
In-Reply-To: <20080214205341.GA47529@osiris.chen.org.nz>
References:  <8f82c35c0802131110l7c678965qe6d0c3432f008254@mail.gmail.com> <20080214205341.GA47529@osiris.chen.org.nz>

2008/2/14, Jonathan Chen <jonc@chen.org.nz>:
> On Wed, Feb 13, 2008 at 08:10:57PM +0100, Jon Theil Nielsen wrote:
>  > I have googled for a very long time, but I haven't found any useful
>  > howto on this issue. Well, there is
>  > http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
>  > but that seems to be a bit confusing and not up-to-date. I guess it
>  > _should_ be possible - and indeed very useful (especially combined
>  > with Samba PDC and an easily maintainable mail server). So please, if
>  > you have any experiences or knowledge of a useful description..!
>
>
> The first thing for you to do is to set up your LDAP tree, with your
>  users using objectClass=posixAccount, and your groups with
>  objectClass=posixGroup.
>
>  Then make the following changes to /etc/nsswitch.conf:
>     group: files ldap
>     passwd: files ldap
>
>  You then have to install the ports net/nss_ldap and security/pam_ldap.
>  The strategy you should adopt is to first get nss_ldap working before
>  looking at pam_ldap.
>
>  To configure nss_ldap:
>     cp /usr/local/etc/nss_ldap.conf.sample /usr/local/etc/nss_ldap.conf
>
>  When editing the nss_ldap.conf, the entries of particular interest
>  are "bind_timelimit" and "bind_policy", which will need to be changed
>  so that the system will still allow you login locally even if the LDAP
>  server is not running. I've got mine set to:
>     bind_timelimit 3
>     bind_policy soft
>
>  Make sure your "nss_base_passwd" and "nss_base_group" are set correctly.
>  I found that I didn't need to set "rootbinddn" or provide an ldap.secret
>  file, YMMV.
>
>  You can then test with "getent group" or "getent passwd". However,
>  getent(1) is only available with FreeBSD-7 onwards. If you aren't
>  using FreeBSD-7, the simplest way to test is to create a file whose
>  user and group ownership refers to the LDAP entries, and then see if
>  a simple "ls -l" displays correctly.
>
>  Once you've verified that this is working, you can then configure
>  pam_ldap:
>     cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf
>
>  Again, set the bind_timelimit and bind_policy to ensure you don't hang
>  your system if the LDAP server isn't up.
>
>  To configure PAM, you have to add a reference to pam_ldap in the
>  appropriate PAM files in /etc/pam.d. Here's my snippet in
>  /etc/pam.d/login to allow a console login:
>
>         # auth
>         auth sufficient  pam_self.so     no_warn
>         auth sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>         auth include     system
>         ...
>
>  The pam_ldap.so reference will need to be added to other pam.d files
>  as required, eg: imap, gdm, kde, xdm.
>
>  Hope this helps.
>
> --
>  Jonathan Chen <jonc@chen.org.nz>

Well, I must say that this is almost more than I could imagine to get
out of my request..! I will absolutely try this method as soon as
possible. I hope I can make it work, and I will report back with
experiences (and hopefully not) problems/questions.

Regards,
Jon Theil Nielsen
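The two settings Jonathan singles out (bind_policy/bind_timelimit, so a dead LDAP server cannot lock you out of the console, and "files" before "ldap" in nsswitch.conf, so local root still resolves) are easy to get wrong silently. The script below is an added example, not code from the thread, that audits those files; the file paths and the 5-second threshold are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the nss_ldap/pam_ldap settings
# that keep local logins working when the LDAP server is down.
# Usage: check_bind_settings /usr/local/etc/nss_ldap.conf
#        check_bind_settings /usr/local/etc/ldap.conf
#        check_nsswitch /etc/nsswitch.conf

# Print the value of a "key value" line in a config file; comments are ignored.
conf_get() {  # $1=file $2=key
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Return 0 if the file sets bind_policy soft and a short bind_timelimit
# (<= 5 s is an assumed threshold; the thread uses 3).
check_bind_settings() {  # $1=file
    policy=$(conf_get "$1" bind_policy)
    limit=$(conf_get "$1" bind_timelimit)
    ok=0
    if [ "$policy" != "soft" ]; then
        echo "$1: bind_policy is '${policy:-unset}', want soft" >&2
        ok=1
    fi
    case "$limit" in
        ''|*[!0-9]*)
            echo "$1: bind_timelimit is '${limit:-unset}', want a small integer" >&2
            ok=1 ;;
        *)
            if [ "$limit" -gt 5 ]; then
                echo "$1: bind_timelimit $limit will stall logins while LDAP is down" >&2
                ok=1
            fi ;;
    esac
    return $ok
}

# Return 0 if nsswitch.conf lists "files" before "ldap" for passwd and group,
# so local accounts resolve without ever contacting the directory.
check_nsswitch() {  # $1=file
    ok=0
    for db in passwd group; do
        order=$(awk -v d="$db:" '$1 == d { $1 = ""; print; exit }' "$1")
        case "$order" in
            *files*ldap*) ;;
            *) echo "$1: $db should be 'files ldap' (got '${order:-unset}')" >&2
               ok=1 ;;
        esac
    done
    return $ok
}
```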
