nss_ldap/pam_ldap, what am I missing?

Antoine Jacoutot ajacoutot at lphp.org
Sat Mar 13 11:12:02 PST 2004


On Saturday 13 March 2004 18:25, Per olof Ljungmark wrote:
> If you have a similar setup working I am very interested in how it was
> accomplished.

Alright, so here is my setup if it can help you;
note that I'm using ldap over SSL with key files.

server:
# /usr/local/etc/ldap.conf
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/
base dc=domain,dc=com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
pam_password ssha
nss_base_passwd         ou=People,dc=domain,dc=com?one
nss_base_passwd         ou=Computers,dc=domain,dc=com?one
nss_base_shadow         ou=People,dc=domain,dc=com?one
nss_base_group          ou=Group,dc=domain,dc=com?one

# /usr/local/etc/nss_ldap.conf
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/
base dc=domain,dc=com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
nss_base_passwd         ou=People,dc=domain,dc=com?one
nss_base_passwd         ou=Computers,dc=domain,dc=com?one
nss_base_shadow         ou=People,dc=domain,dc=com?one
nss_base_group          ou=Group,dc=domain,dc=com?one

client:
# /usr/local/etc/ldap.conf
base dc=domain,dc=com
uri ldaps://server.domain.com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
pam_password ssha
nss_base_passwd         ou=People,dc=domain,dc=com?one
nss_base_passwd         ou=Computers,dc=domain,dc=com?one
nss_base_shadow         ou=People,dc=domain,dc=com?one
nss_base_group          ou=Group,dc=domain,dc=com?one
ssl on
tls_checkpeer yes
tls_cacertfile /usr/local/etc/openldap/cacert.pem

# /usr/local/etc/nss_ldap.conf
base dc=domain,dc=com
uri ldaps://server.domain.com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
nss_base_passwd         ou=People,dc=domain,dc=com?one
nss_base_passwd         ou=Computers,dc=domain,dc=com?one
nss_base_shadow         ou=People,dc=domain,dc=com?one
nss_base_group          ou=Group,dc=domain,dc=com?one
ssl on
tls_checkpeer yes
tls_cacertfile /usr/local/etc/openldap/cacert.pem

common (client+server):
# /etc/nsswitch.conf
passwd: files ldap
group: files ldap

# /etc/pam.d/ldap
auth            sufficient      /usr/local/lib/pam_ldap.so

# /etc/pam.d/system
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            include         ldap
auth            required        pam_unix.so             no_warn try_first_pass nullok
account         required        pam_login_access.so
account         required        pam_unix.so
session         required        pam_lastlog.so          no_fail
password        required        pam_unix.so             no_warn try_first_pass


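An added check that is not part of Antoine's post or of nss_ldap itself: a small Python audit of the transport directives in the ldap.conf files above, using the client config from the post as the constructed good case and a constructed weak variant (StartTLS with peer verification switched off and no CA file) beside it. It assumes only the nss_ldap directive names and values shown on this page (uri, ssl, tls_checkpeer, tls_cacertfile/tls_cacertdir).

```python
"""Audit the transport-security directives of an nss_ldap/pam_ldap ldap.conf."""

# Constructed sample: the client ldap.conf from the post (LDAPS with peer verification).
CLIENT_CONF = """\
base dc=domain,dc=com
uri ldaps://server.domain.com
binddn cn=proxyuser,dc=domain,dc=com
bindpw lphp.org
nss_base_passwd         ou=People,dc=domain,dc=com?one
nss_base_passwd         ou=Computers,dc=domain,dc=com?one
ssl on
tls_checkpeer yes
tls_cacertfile /usr/local/etc/openldap/cacert.pem
"""

# Constructed weak variant: StartTLS, but the server certificate is never verified.
WEAK_CONF = """\
base dc=domain,dc=com
uri ldap://server.domain.com
ssl start_tls
tls_checkpeer no
"""

def parse_ldap_conf(text):
    """Parse 'key value' lines; repeated keys such as nss_base_passwd accumulate in order."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # key, then the rest of the line as the value
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit_tls(conf):
    """Return a list of findings; an empty list means the transport settings look sound."""
    findings = []
    # ldapi:// is a local Unix socket (the server config above), so it needs no TLS.
    uris = [u for u in conf.get("uri", []) if not u.startswith("ldapi://")]
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()  # nss_ldap accepts on | off | start_tls
    encrypted = ssl_mode in ("on", "start_tls")
    if any(u.startswith("ldap://") for u in uris) and not encrypted:
        findings.append("ldap:// without 'ssl on' or 'ssl start_tls': bindpw and lookups cross the network in clear")
    if encrypted or any(u.startswith("ldaps://") for u in uris):
        # When absent, tls_checkpeer inherits libldap's TLS_REQCERT default, so require it explicitly.
        if conf.get("tls_checkpeer", [""])[-1].lower() != "yes":
            findings.append("tls_checkpeer is not explicitly 'yes': the server certificate may never be verified")
        if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
            findings.append("no tls_cacertfile/tls_cacertdir: nothing to verify the server against")
    return findings
```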