From owner-freebsd-questions@FreeBSD.ORG Thu Feb 14 23:34:11 2008
From: "Jon Theil Nielsen" <jontheil@gmail.com>
To: "Jonathan Chen"
Cc: freebsd-questions@freebsd.org
Date: Fri, 15 Feb 2008 00:34:08 +0100
Subject: Re: LDAP user authentication?

2008/2/14, Jonathan Chen :
> On Wed, Feb 13, 2008 at 08:10:57PM +0100, Jon Theil Nielsen wrote:
> > I have googled for a very long time, but I haven't found any useful
> > howto on this issue. Well, there is
> > http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
> > but that seems to be a bit confusing and not up-to-date. I guess it
> > _should_ be possible - and indeed very useful (especially combined
> > with Samba PDC and an easily maintainable mail server). So please, if
> > you have any experiences or knowledge of a useful description..!
>
> The first thing for you to do is to set up your LDAP tree, with your
> users using objectClass=posixAccount, and your groups with
> objectClass=posixGroup.
>
> Then make the following changes to /etc/nsswitch.conf:
>     group: files ldap
>     passwd: files ldap
>
> You then have to install the ports net/nss_ldap and security/pam_ldap.
> The strategy you should adopt is to first get nss_ldap working before
> looking at pam_ldap.
>
> To configure nss_ldap:
>     cp /usr/local/etc/nss_ldap.conf.sample /usr/local/etc/nss_ldap.conf
>
> When editing the nss_ldap.conf, the entries of particular interest
> are "bind_timelimit" and "bind_policy", which will need to be changed
> so that the system will still allow you to log in locally even if the LDAP
> server is not running. I've got mine set to:
>     bind_timelimit 3
>     bind_policy soft
>
> Make sure your "nss_base_passwd" and "nss_base_group" are set correctly.
> I found that I didn't need to set "rootbinddn" or provide an ldap.secret
> file, YMMV.
>
> You can then test with "getent group" or "getent passwd". However,
> getent(1) is only available with FreeBSD-7 onwards. If you aren't
> using FreeBSD-7, the simplest way to test is to create a file whose
> user and group ownership refers to the LDAP entries, and then see if
> a simple "ls -l" displays correctly.
>
> Once you've verified that this is working, you can then configure
> pam_ldap:
>     cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf
>
> Again, set the bind_timelimit and bind_policy to ensure you don't hang
> your system if the LDAP server isn't up.
>
> To configure PAM, you have to add a reference to pam_ldap in the
> appropriate PAM files in /etc/pam.d. Here's my snippet in
> /etc/pam.d/login to allow a console login:
>
>     # auth
>     auth sufficient pam_self.so no_warn
>     auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
>     auth include system
>     ...
>
> The pam_ldap.so reference will need to be added to other pam.d files
> as required, e.g.: imap, gdm, kde, xdm.
>
> Hope this helps.
>
> --
> Jonathan Chen

Well, I must say that this is almost more than I could imagine to get out of
my request..! I will absolutely try this method as soon as possible. I hope I
can make it work, and I will report back with experiences and (hopefully no)
problems/questions.

Regards,
Jon Theil Nielsen
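The fail-safe settings Jonathan describes (files consulted before ldap in nsswitch.conf, a short bind_timelimit and bind_policy soft in nss_ldap.conf) are easy to get wrong and only show up as a hung login when the LDAP server is down. The following POSIX sh checks are an added example, not part of the thread or of the nss_ldap port; the file paths are passed as arguments and the sample files at the end are constructed, not real system configs.

```shell
#!/bin/sh
# Verify the fail-safe settings from the thread: nsswitch.conf must consult
# "files" before "ldap" for passwd and group, and nss_ldap.conf must use
# bind_policy soft with a short bind_timelimit, so local (root) logins keep
# working when the LDAP server is unreachable.

# Returns 0 when the first passwd: and group: lines list "files" before "ldap".
check_nsswitch() {
    for db in passwd group; do
        line=$(grep -E "^[[:space:]]*$db:" "$1" | head -n 1)
        case "$line" in
            *files*ldap*) ;;   # local files first, then LDAP: safe ordering
            *) echo "nsswitch: '$db' should be 'files ldap', got: '$line'"; return 1 ;;
        esac
    done
    return 0
}

# Returns 0 when bind_policy is soft and bind_timelimit is a number <= $2 seconds
# (default 5). A hard policy or a long timelimit blocks lookups during an outage.
check_nss_ldap_conf() {
    maxwait=${2:-5}
    policy=$(awk '$1=="bind_policy"{print $2}' "$1")
    limit=$(awk '$1=="bind_timelimit"{print $2}' "$1")
    [ "$policy" = "soft" ] || { echo "nss_ldap.conf: bind_policy must be soft, got '${policy:-unset}'"; return 1; }
    case "$limit" in
        ''|*[!0-9]*) echo "nss_ldap.conf: bind_timelimit must be numeric, got '${limit:-unset}'"; return 1 ;;
    esac
    [ "$limit" -le "$maxwait" ] || { echo "nss_ldap.conf: bind_timelimit $limit exceeds $maxwait"; return 1; }
    return 0
}

# Constructed sample configs (hypothetical, not from any real host) to exercise the checks.
tmp=$(mktemp -d)
printf 'group: files ldap\npasswd: files ldap\n' > "$tmp/nsswitch.good"
printf 'group: ldap files\npasswd: ldap\n'       > "$tmp/nsswitch.bad"
printf 'bind_timelimit 3\nbind_policy soft\n'    > "$tmp/nss_ldap.good"
printf 'bind_timelimit 30\nbind_policy hard\n'   > "$tmp/nss_ldap.bad"

# Run against the samples; point at /etc/nsswitch.conf and
# /usr/local/etc/nss_ldap.conf to audit a real install.
check_nsswitch "$tmp/nsswitch.good" && check_nss_ldap_conf "$tmp/nss_ldap.good" \
    && echo "sample good configs: OK"
check_nsswitch "$tmp/nsswitch.bad" || check_nss_ldap_conf "$tmp/nss_ldap.bad" \
    || echo "sample bad configs: rejected as expected"
```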