Date: Sat, 29 Sep 2007 19:59:42 -0400 (EDT)
From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
To: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
Message-ID: <20070929195839.B99598@arbitor.digitalfreaks.org>
In-Reply-To: <46FD483D.8000906@zedat.fu-berlin.de>
References: <46FCDD68.6030901@zedat.fu-berlin.de> <1190989759.2994.26.camel@new-host> <46FD483D.8000906@zedat.fu-berlin.de>
There should be an nss_ldap.conf and pam_ldap.conf in /usr/local/etc. You
need to set a variety of settings there. What do they look like?

Remember: pkg_info -L pam_ldap nss_ldap!

Also, not sure about the TCP FIN_2 issue -- probably just the usual shakes
and bangs with -current.

~BAS

On Fri, 28 Sep 2007, O. Hartmann wrote:

> Thank you for responding.
> So, I'll feel free reporting my bad luck. This is a reference page I
> consulted for some hints, but without success:
>
> http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
>
> First, OS is the most recent FreeBSD 7.0.
> OpenLDAP is openldap-server-2.3.38, standard config, no SASL support or
> anything else apart from default
> PAM_LDAP
> NSS_LDAP
>
> I renamed cached.conf to nscd.conf as suggested (for your information).
> In /etc/nsswitch.conf I changed
> #
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
> #
> group: files ldap
> group_compat: nis
> hosts: files dns
> networks: files
> passwd: files ldap
> passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> I also changed /etc/pam.d/sshd to this:
>
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
> #
> # PAM configuration for the "sshd" service
> #
>
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
> auth sufficient pam_ssh.so no_warn try_first_pass
> auth required pam_unix.so no_warn try_first_pass
>
> # account
> account required pam_nologin.so
> #account required pam_krb5.so
> account required pam_login_access.so
> account required pam_unix.so
>
> # session
> #session optional pam_ssh.so
> session required pam_permit.so
>
> # password
> #password sufficient pam_krb5.so no_warn try_first_pass
> password required pam_unix.so no_warn try_first_pass
>
> Both configuration files for nss_ldap and pam_ldap respectively got linked to
> /usr/local/etc/openldap/ldap.conf, which looks like this:
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE dc=foo,dc=org
> #URI ldapi:///
> URI ldapi://%2fvar%2frun%2fopenldap%2fldapi/
>
> #SSL start_tls
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
>
> #TLS_CACERT #TLS_CERT #TLS_KEY #TLS_REQCERT allow
> #TLS_REQCERT demand
> #TLS_CHECKPEER yes
>
> My /etc/rc.conf.local file has the following OpenLDAP specific entry:
>
> ###########################################################
> ### OpenLDAP Server ###
> ###########################################################
> slapd_enable="YES"
> #slapd_flags='-d 3 -4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///"'
> slapd_flags='-4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.2.210 ldaps://192.168.2.210"'
> slapd_sockets="/var/run/openldap/ldapi"
>
>
> My OpenLDAP config file has SSL-certificates disabled.
>
> After the installation of nss_ldap the slapd server takes several decades of
> seconds to start. But it starts well and after it has initiated itself, I can
> do on the server a simple 'slapcat' and receive.
>
> But I can't access the LDAP server. Doing an 'id testuser' results in 'id not
> found'.
>
> On the console, I receive masses of errors like this:
>
> TCP: [127.0.0.1]:389 to [127.0.0.1]:63896 tcpflags 0x18<PUSH,ACK>;
> tcp_do_segment: FIN_WAIT_2: Received data after socket was closed, sending
> RST and removing tcpcb
>
> Well, I checked sockstat for a listening slapd and I found slapd listening on
> both loopback, local NIC and on both ports 389 and 636.
>
> So what is wrong ?
>
> Regards,
> a desperate Oliver
>
>
> Brian A. Seklecki wrote:
>> FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
>> (PKI).
>> All other services (RADIUS, Apache (mod_ldap, mod_pam_auth), PHP,
>> interactive shell, SFTP, etc.) can be tied into LDAP either directly or
>> via PAM.
>>
>> As for password change, I don't know if anyone has a passwd(1) binary
>> that properly changes the LDAP password attribute -- if there is and it's
>> out there, it requires ACL insanity. Like Oracle, you can either
>> understand OpenLDAP ACLs, or you have real work to do >:}
>>
>> Check the nss_pam.conf and nss_ldap.conf configs in local/etc/*
>> -- set to "debug 1" to get debugging info. Feel free to share
>> error messages.
>>
>> ~BAS
>>
>> On Fri, 2007-09-28 at 10:54 +0000, O. Hartmann wrote:
>>
>>> Hello out there,
>>> I have a problem with setting up a FreeBSD box as OpenLDAP server with
>>> several services, like SAMBA, NFS.
>>>
>>> The intention is to have a FreeBSD 7.0 fileserver (NFS, SAMBA) also acting
>>> as OpenLDAP server. So far. OpenLDAP is up and running, using TLS/SSL
>>> certificate. SAMBA is also up and running - but it never connects to the
>>> OpenLDAP server due to a connection error, but this shouldn't be the
>>> subject here, I have more basic questions about what FreeBSD already has
>>> and what to install additionally.
>>>
>>> I want customers to log in on the FBSD box, so they should log in
>>> (authenticated via OpenLDAP), change their passwords and shells and those
>>> user specifica should be updated on the LDAP server.
>>>
>>> I already installed pam_ldap-port but ran into trouble because FreeBSD's
>>> nss obviously does not have a tag 'ldap' to refer to an OpenLDAP server
>>> (and not files).
>>>
>>> Well, I'm confused and not very firm with OpenLDAP/PAM/NSS stuff,
>>> especially if SSL/TLS come into play and I would like to ask those herein
>>> administering those setups, especially within a hybrid NFS/SAMBA
>>> fileservicing environment, where to find up to date
>>> information/howtos/tips.
>>>
>>> Most websites and HowTos I found were Linux related or, if related to
>>> FreeBSD, outdated.
>>>
>>> Sorry for being so unspecific, but the problem is complex (to me) so I would
>>> better ask those who are willing to help or give hints and tips.
>>>
>>> Thanks in advance and for your patience,
>>> Oliver
>>>
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to
>>> "freebsd-questions-unsubscribe@freebsd.org"

l8*

-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

"Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it.
So who's really in jail?" ~Maynard James Keenan
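An offline lint for the three files the thread turns on (nsswitch.conf, pam.d/sshd and the ldap.conf that nss_ldap/pam_ldap are symlinked to), added here as an example and not code from the thread: it confirms the ldap source is wired into passwd lookups, reports how pam_ldap sits in the auth stack, and flags a plain ldap:// URI that has no "ssl start_tls" beside it. The sample files, their contents and the helper names are constructed for the example.

```shell
# Offline lint for the nsswitch / pam.d / ldap.conf wiring discussed above.
# The files written below are constructed samples modelled on the quoted
# configs, not the poster's real ones; on a live box point the functions at
# /etc/nsswitch.conf, /etc/pam.d/sshd and /usr/local/etc/openldap/ldap.conf.
TMP=$(mktemp -d)
cat > "$TMP/nsswitch.conf" <<'EOF'
group: files ldap
passwd: files ldap
hosts: files dns
EOF
cat > "$TMP/sshd" <<'EOF'
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
EOF
cat > "$TMP/ldap.conf" <<'EOF'
BASE dc=foo,dc=org
URI ldap://192.168.2.210
#SSL start_tls
EOF
# nss_uses_ldap NSSWITCH DB: exit 0 when the "DB:" line lists the ldap source
nss_uses_ldap() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                     END { exit !ok }' "$1"
}
# pam_ldap_auth_mode PAMFILE: prints the control flag (sufficient, required,
# ...) of the auth line that loads pam_ldap.so, or "missing" if there is none
pam_ldap_auth_mode() {
    awk '$1 == "auth" && $3 ~ /pam_ldap\.so$/ { mode = $2 }
         END { print (mode == "" ? "missing" : mode) }' "$1"
}
# ldap_transport LDAPCONF: prints the weakest transport named on URI lines.
# ldapi:// (unix socket) and ldaps:// protect the bind credentials; ldap:// is
# only acceptable together with "ssl start_tls", otherwise it is plaintext.
ldap_transport() {
    awk '$1 == "URI" { for (i = 2; i <= NF; i++) uris = uris " " $i }
         tolower($1) == "ssl" && tolower($2) == "start_tls" { tls = 1 }
         END {
           n = split(uris, u, " "); worst = "none"
           for (i = 1; i <= n; i++) {
             if (u[i] ~ /^ldap:\/\//) worst = (tls ? "starttls" : "plaintext")
             else if (worst == "none") worst = (u[i] ~ /^ldaps:/ ? "ldaps" : "ldapi")
           }
           print worst
         }' "$1"
}
nss_uses_ldap "$TMP/nsswitch.conf" passwd && echo "passwd lookups include ldap"
echo "pam_ldap auth control: $(pam_ldap_auth_mode "$TMP/sshd")"
echo "client transport: $(ldap_transport "$TMP/ldap.conf")"
```

With the thread's own ldapi:// URI the transport check reports "ldapi"; the constructed sample deliberately uses the plain ldap:// host address from the slapd_flags line to show the "plaintext" result.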