Date: Sat, 24 Jun 2017 08:22:07 -0400
From: Predrag Punosevac <punosevac72@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: LDAP Authentication and Authorization
Message-ID: <20170624122207.I6hhRqP9F%punosevac72@gmail.com>
Hi Folks,

Just to post the solution for the people who might stumble on my original post. I had a permission problem on the LDAP server certificate file, which could not be read by the nslcd daemon. The original nslcd.conf file I posted is also not quite correct, so this is the complete how-to.

Note that you don't have to have openldap-client working at all to be able to authorize and authenticate to a FreeBSD server using an LDAP account only (ldap search will not work though). The most effective way to use the PAM approach is to

pkg install nss-pam-ldapd
cd /usr/local/etc/

Edit the nslcd.conf file to use the OpenLDAP server side certificate to get user credentials.

root@hera:/usr/local/etc # more nslcd.conf
uid nslcd
gid nslcd
uri ldap://atlas.int.autonlab.org
base dc=autonlab,dc=org

# StartTLS
ssl start_tls

# CA certificates for server certificate verification
tls_cacertdir /usr/local/etc/nslcd-certs
tls_cacertfile /usr/local/etc/nslcd-certs/ca.crt

Note that nslcd runs as the nslcd user, so the file /usr/local/etc/nslcd-certs/ca.crt must be readable by the nslcd daemon:

root@hera:~ # ls -l /usr/local/etc/nslcd-certs/ca.crt
-r--------  1 nslcd  nslcd  1448 Jun 23 22:21 /usr/local/etc/nslcd-certs/ca.crt

Enable the nslcd daemon:

echo 'nslcd_enable="YES"' >> /etc/rc.conf

Start the daemon:

service nslcd start

(note that for debugging purposes run it as nslcd -d)

Edit your /etc/nsswitch file and restart nsswitch:

root@hera:~ # more /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
#
# group: compat
group: files ldap
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
# passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
# services: compat
services: files ldap
services_compat: nis
protocols: files
rpc: files

s/group: compat/group: files ldap/
s/passwd: compat/passwd: files ldap/
s/services: compat/services: files ldap/

To allow ssh login only, edit /etc/pam.d/sshd by adding the pam_ldap.so option:

root@hera:~ # more /etc/pam.d/sshd
#
# $FreeBSD: releng/11.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth		sufficient	pam_opie.so			no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so		no_warn allow_local
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn
auth		required	pam_unix.so			no_warn try_first_pass

# account
account		required	pam_nologin.so
account		required	pam_login_access.so
account		sufficient	/usr/local/lib/pam_ldap.so
account		required	pam_unix.so

# session
session		required	pam_permit.so

# password try_first_pass
password	sufficient	/usr/local/lib/pam_ldap.so	try_first_pass
password	required	pam_unix.so			no_warn try_first_pass

Make sure the above uses the correct format (tab separators).

Note that a user will not be allowed in if her/his shell (specified in the LDAP database) is not installed/linked and the home directory (specified in the LDAP database) is not mounted (see security/pam_mkhomedir for a workaround). Also the LDAP server from the base of OpenBSD doesn't allow password change.

Enjoy,
Predrag