Date:      Fri, 28 Sep 2007 20:30:21 +0200
From:      "O. Hartmann" <ohartman@zedat.fu-berlin.de>
To:        "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
Message-ID:  <46FD483D.8000906@zedat.fu-berlin.de>
In-Reply-To: <1190989759.2994.26.camel@new-host>
References:  <46FCDD68.6030901@zedat.fu-berlin.de> <1190989759.2994.26.camel@new-host>

Thank you for responding.
So I'll feel free to report my bad luck. This is a reference page I 
consulted for some hints, but without success:

http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html

First, the OS is the most recent FreeBSD 7.0.
OpenLDAP is openldap-server-2.3.38, standard config, no SASL support or 
anything else apart from the default.
PAM_LDAP
NSS_LDAP

I renamed cached.conf to nscd.conf as suggested (for your information).
In /etc/nsswitch.conf I changed the configuration to:
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I also changed /etc/pam.d/sshd to this:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

Both configuration files for nss_ldap and pam_ldap respectively got linked 
to /usr/local/etc/openldap/ldap.conf, which looks like this:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=foo,dc=org
#URI    ldapi:///
URI     ldapi://%2fvar%2frun%2fopenldap%2fldapi/

#SSL     start_tls

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

#TLS_CACERT    
#TLS_CERT      
#TLS_KEY               
#TLS_REQCERT    allow
#TLS_REQCERT    demand
#TLS_CHECKPEER  yes

My /etc/rc.conf.local file has the following OpenLDAP specific entry:

###########################################################
### OpenLDAP Server                                     ###
###########################################################
slapd_enable="YES"
#slapd_flags='-d 3 -4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///"'
slapd_flags='-4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.2.210 ldaps://192.168.2.210"'
slapd_sockets="/var/run/openldap/ldapi"

My OpenLDAP config file has SSL-certificates disabled.

After the installation of nss_ldap the slapd server takes several 
tens of seconds to start. But it starts well, and after it has 
initialised itself I can run a simple 'slapcat' on the server and receive.

But I can't access the LDAP server. Doing an 'id testuser' results in 
'id not found'.

On the console, I receive massive numbers of errors like this:

TCP: [127.0.0.1]:389 to [127.0.0.1]:63896 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received data after socket was closed, sending RST and removing tcpcb

Well, I checked sockstat for a listening slapd and I found slapd 
listening on both loopback and the local NIC, and on both ports 389 and 636.

So what is wrong?

Regards,
a desperate Oliver
Brian A. Seklecki wrote:
> FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
> (PKI).  
>
> All other services (RADIUS, Apache (mod_ldap, mod_pam_auth), PHP,
> interactive shell, SFTP, etc.) can be tied into LDAP either directly or
> via PAM.
>
> As for password change, I don't know if anyone has a passwd(1) binary
> that properly changes the LDAP password attribute -- if there is and it's
> out there, it requires ACL insanity.  Like Oracle, you can either
> understand OpenLDAP ACLs, or you have real work to do  >:}
>
>         Check the nss_pam.conf and nss_ldap.conf configs in local/etc/*
>         -- set to "debug 1" to get debugging info.  Feel free to share
>         error messages.
>
> ~BAS
>
> On Fri, 2007-09-28 at 10:54 +0000, O. Hartmann wrote:
>   
>> Hello out there,
>> I have a problem with setting up a FreeBSD box as OpenLDAP server with 
>> several services, like SAMBA, NFS.
>>
>> The intention is to have a FreeBSD 7.0 fileserver (NFS, SAMBA) also 
>> acting as OpenLDAP server. So far, OpenLDAP is up and running, using a 
>> TLS/SSL certificate. SAMBA is also up and running - but it never 
>> connects to the OpenLDAP server due to a connection error, but this 
>> shouldn't be the subject here; I have more basic questions about what 
>> FreeBSD already has and what to install additionally.
>>
>> I want customers to log in on the FBSD box, so they should log in 
>> (authenticated via OpenLDAP), change their passwords and shells, and 
>> those user specifics should be updated on the LDAP server.
>>
>> I already installed the pam_ldap port but ran into trouble because FreeBSD's 
>> nss obviously does not have a tag 'ldap' to refer to an OpenLDAP server 
>> (and not files).
>> Well, I'm confused and not very familiar with OpenLDAP/PAM/NSS stuff, 
>> especially if SSL/TLS come into play, and I would like to ask those 
>> herein administering those setups, especially within a hybrid NFS/SAMBA 
>> fileserving environment, where to find up-to-date 
>> information/howtos/tips.
>>
>> Most websites and HowTo's I found were Linux related or, if related to 
>> FreeBSD, outdated.
>>
>> Sorry for being so unspecific, but the problem is complex (to me), so I 
>> would rather ask those who are willing to help or give hints and tips.
>>
>> Thanks in advance and for your patience,
>> Oliver
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
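Two things in the configs posted above are worth checking mechanically before chasing the NSS lookup failure: the ldap.conf that nss_ldap and pam_ldap are linked to has every TLS directive commented out (TLS_CACERT unset, TLS_REQCERT neither "demand" nor "hard"), and slapd is also reachable over plain ldap:// on the LAN address, so any client that is pointed at that URI instead of the ldapi socket would send bind credentials in clear. The script below is an added example, not part of this thread or of the nss_ldap/pam_ldap ports: a small POSIX sh checker that extracts directives from a ldap.conf and from nsswitch.conf and reports the weak TLS settings next to a hardened variant of the same file. The sample file contents are constructed from the configs quoted in the post; the CA path /usr/local/etc/openldap/cacert.pem in the hardened variant is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the ldap.conf that
# nss_ldap/pam_ldap read and for nsswitch.conf. Sample files are constructed
# from the configs shown in the post and written to temporary files.
set -eu

LDAP_CONF=$(mktemp)
LDAP_CONF_HARDENED=$(mktemp)
NSS_CONF=$(mktemp)
trap 'rm -f "$LDAP_CONF" "$LDAP_CONF_HARDENED" "$NSS_CONF"' EXIT

# The posted ldap.conf (constructed excerpt): TLS directives all commented out,
# and a plaintext ldap:// URI added to mirror the slapd_flags listener.
cat > "$LDAP_CONF" <<'EOF'
BASE    dc=foo,dc=org
URI     ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.2.210
#SSL     start_tls
#TLS_CACERT
#TLS_REQCERT    allow
EOF

# Hardened variant (constructed): ldaps on the network, CA pinned, peer cert
# verification mandatory. The cacert.pem path is an assumed placeholder.
cat > "$LDAP_CONF_HARDENED" <<'EOF'
BASE    dc=foo,dc=org
URI     ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldaps://192.168.2.210
TLS_CACERT   /usr/local/etc/openldap/cacert.pem
TLS_REQCERT  demand
EOF

# nsswitch.conf excerpt from the post (constructed copy of the relevant lines).
cat > "$NSS_CONF" <<'EOF'
group: files ldap
group_compat: nis
passwd: files ldap
passwd_compat: nis
services: compat
EOF

# conf_value FILE DIRECTIVE: print the value of the first uncommented
# occurrence of DIRECTIVE (case-insensitive, as ldap.conf keys are); empty if absent.
conf_value() {
    awk -v key="$2" 'toupper($1) == toupper(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# ldap_conf_findings FILE: one finding per line, nothing when the file is clean.
# ldapi:// is a local Unix socket and needs no TLS, so only ldap:// URIs are flagged.
ldap_conf_findings() {
    uri=$(conf_value "$1" URI)
    reqcert=$(conf_value "$1" TLS_REQCERT)
    cacert=$(conf_value "$1" TLS_CACERT)
    ssl=$(conf_value "$1" SSL)
    for u in $uri; do
        case "$u" in
            ldap://*)
                # plaintext ldap:// is only acceptable if STARTTLS is forced
                [ "$ssl" = "start_tls" ] || echo "plaintext-uri $u"
                ;;
        esac
    done
    [ -n "$cacert" ] || echo "no-tls-cacert"
    case "$reqcert" in
        demand|hard) ;;
        "") echo "tls-reqcert-unset" ;;
        *)  echo "tls-reqcert-$reqcert" ;;
    esac
}

# nsswitch_sources FILE DATABASE: print the source list for DATABASE, e.g. "files ldap".
nsswitch_sources() {
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

echo "== findings for posted ldap.conf =="
ldap_conf_findings "$LDAP_CONF"
echo "== findings for hardened ldap.conf (expect none) =="
ldap_conf_findings "$LDAP_CONF_HARDENED"
echo "== nsswitch passwd sources: $(nsswitch_sources "$NSS_CONF" passwd)"
echo "== nsswitch group sources:  $(nsswitch_sources "$NSS_CONF" group)"
```

Run it as-is to see the posted file produce "plaintext-uri", "no-tls-cacert" and "tls-reqcert-unset" while the hardened file produces nothing; point the functions at the real /usr/local/etc/openldap/ldap.conf and /etc/nsswitch.conf to check a live box. One caveat with the hardened variant: with TLS_REQCERT demand the name in the ldaps:// URI (here the IP 192.168.2.210) has to match what the server certificate covers, otherwise every client lookup fails verification, which is the intended behaviour but easy to mistake for the "id not found" symptom above.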