nss_ldap/pam_ldap, what am I missing?
Antoine Jacoutot
ajacoutot at lphp.org
Sat Mar 13 11:12:02 PST 2004
On Saturday 13 March 2004 18:25, Per olof Ljungmark wrote:
> If you have a similar setup working I am very interested in how it was
> accomplished.
All right, so here is my setup if it can help you;
note that I'm using LDAP over SSL with key files.
server:
# /usr/local/etc/ldap.conf
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/
base dc=domain,dc=com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
pam_password ssha
nss_base_passwd ou=People,dc=domain,dc=com?one
nss_base_passwd ou=Computers,dc=domain,dc=com?one
nss_base_shadow ou=People,dc=domain,dc=com?one
nss_base_group ou=Group,dc=domain,dc=com?one
# /usr/local/etc/nss_ldap.conf
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/
base dc=domain,dc=com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
nss_base_passwd ou=People,dc=domain,dc=com?one
nss_base_passwd ou=Computers,dc=domain,dc=com?one
nss_base_shadow ou=People,dc=domain,dc=com?one
nss_base_group ou=Group,dc=domain,dc=com?one
client:
# /usr/local/etc/ldap.conf
base dc=domain,dc=com
uri ldaps://server.domain.com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
pam_password ssha
nss_base_passwd ou=People,dc=domain,dc=com?one
nss_base_passwd ou=Computers,dc=domain,dc=com?one
nss_base_shadow ou=People,dc=domain,dc=com?one
nss_base_group ou=Group,dc=domain,dc=com?one
ssl on
tls_checkpeer yes
tls_cacertfile /usr/local/etc/openldap/cacert.pem
# /usr/local/etc/nss_ldap.conf
base dc=domain,dc=com
uri ldaps://server.domain.com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
nss_base_passwd ou=People,dc=domain,dc=com?one
nss_base_passwd ou=Computers,dc=domain,dc=com?one
nss_base_shadow ou=People,dc=domain,dc=com?one
nss_base_group ou=Group,dc=domain,dc=com?one
ssl on
tls_checkpeer yes
tls_cacertfile /usr/local/etc/openldap/cacert.pem
common (client+server):
# /etc/nsswitch.conf
passwd: files ldap
group: files ldap
# /etc/pam.d/ldap
auth sufficient /usr/local/lib/pam_ldap.so
# /etc/pam.d/system
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth include ldap
auth required pam_unix.so no_warn try_first_pass nullok
account required pam_login_access.so
account required pam_unix.so
session required pam_lastlog.so no_fail
password required pam_unix.so no_warn try_first_pass
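As an added example (not part of the original post), here is a small Python checker that parses ldap.conf-style files like the ones above and flags the settings that matter most for this kind of setup: a cleartext ldap:// URI without TLS, TLS without peer verification or without a CA file, and the bindpw that nss_ldap forces you to keep in a world-readable file. The sample configurations inside it are constructed from the client config in the post with a placeholder bind password; the rule that "ssl on", "ssl start_tls" or an ldaps:// URI means TLS is in use is a simplifying assumption of this checker, not something taken from the nss_ldap documentation.

```python
"""Audit nss_ldap/pam_ldap style ldap.conf files for weak transport and
credential settings.

Added example, not part of the original post. The sample configurations
below are constructed from the settings shown in the post, with a
placeholder bind password.
"""
from typing import Dict, List, Tuple

# Constructed sample: the client-side ldap.conf from the post, placeholder password.
CLIENT_CONF = """\
# /usr/local/etc/ldap.conf
base dc=domain,dc=com
uri ldaps://server.domain.com
binddn cn=proxyuser,dc=domain,dc=com
bindpw EXAMPLE-PLACEHOLDER
pam_password ssha
nss_base_passwd ou=People,dc=domain,dc=com?one
nss_base_passwd ou=Computers,dc=domain,dc=com?one
nss_base_shadow ou=People,dc=domain,dc=com?one
nss_base_group ou=Group,dc=domain,dc=com?one
ssl on
tls_checkpeer yes
tls_cacertfile /usr/local/etc/openldap/cacert.pem
"""

# Constructed weak variant: cleartext ldap:// with TLS switched off.
CLEARTEXT_CONF = """\
base dc=domain,dc=com
uri ldap://server.domain.com
binddn cn=proxyuser,dc=domain,dc=com
bindpw EXAMPLE-PLACEHOLDER
ssl off
"""

# Constructed weak variant: TLS on, but the server certificate is never verified.
UNVERIFIED_CONF = """\
base dc=domain,dc=com
uri ldaps://server.domain.com
binddn cn=proxyuser,dc=domain,dc=com
bindpw EXAMPLE-PLACEHOLDER
ssl on
tls_checkpeer no
"""

Finding = Tuple[str, str]  # (code, human-readable message)


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'key value' lines. Keys are case-insensitive and may repeat
    (nss_base_passwd appears twice in the post), so every key maps to a list."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def audit_ldap_conf(conf: Dict[str, List[str]], world_readable: bool = True) -> List[Finding]:
    """Flag settings that weaken the setup. Simplifying assumption: 'ssl on',
    'ssl start_tls' or an ldaps:// URI means TLS is in use; ldapi:// is a
    local Unix socket and needs no transport protection."""
    findings: List[Finding] = []
    ssl = conf.get("ssl", ["off"])[-1].lower()
    uris = conf.get("uri", [])
    tls_in_use = ssl in ("on", "start_tls") or any(u.lower().startswith("ldaps://") for u in uris)

    for uri in uris:
        scheme = uri.split("://", 1)[0].lower()
        if scheme == "ldap" and not tls_in_use:
            findings.append(("CLEARTEXT", f"uri {uri}: bind password and account data cross the network unencrypted"))
        elif scheme not in ("ldap", "ldaps", "ldapi"):
            findings.append(("UNKNOWN_SCHEME", f"uri {uri}: unrecognised scheme"))

    if tls_in_use:
        if conf.get("tls_checkpeer", ["no"])[-1].lower() != "yes":
            findings.append(("NO_CHECKPEER", "tls_checkpeer is not 'yes': the server certificate is not verified, so an impersonating server is accepted"))
        elif "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
            findings.append(("NO_CA", "tls_checkpeer yes but no tls_cacertfile/tls_cacertdir: nothing to verify against"))

    if "bindpw" in conf and world_readable:
        findings.append(("BINDPW_EXPOSED", "bindpw is stored in cleartext in a file every local user can read (nss_ldap needs that); keep the proxy account read-only with minimal rights"))
    return findings


def audit_text(text: str, world_readable: bool = True) -> List[str]:
    """Convenience wrapper returning only the finding codes, in order."""
    return [code for code, _ in audit_ldap_conf(parse_ldap_conf(text), world_readable)]


if __name__ == "__main__":
    for name, text in (("client", CLIENT_CONF), ("cleartext", CLEARTEXT_CONF), ("unverified", UNVERIFIED_CONF)):
        print(f"== {name}")
        for code, msg in audit_ldap_conf(parse_ldap_conf(text)):
            print(f"  [{code}] {msg}")
```

Run against the client config from the post it reports only the exposed bindpw, which is the one thing the ssl/tls_checkpeer/tls_cacertfile lines cannot fix: the proxy user's password is readable by every local user, so that account should be able to do nothing beyond the read-only lookups nss_ldap needs. The server-side config, which talks to slapd over the ldapi:// socket, produces no transport finding at all.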