Setting up pam_ldap & nss_ldap
Joerg.Pulz at frm2.tum.de
Thu Sep 2 12:38:31 PDT 2004
On Thu, 2 Sep 2004, Curtis Vaughan wrote:
> On 5.3-Beta I have installed pam_ldap and nss_ldap.
> Then I edited the following files:
> files within /etc/pam.d
> particularly /etc/pam.d/ldap and ./sshd and ./su
> I think that's it. I can provide each of those files if necessary.
> Nonetheless authentication for users not local to this system is not
> occurring (which would normally occur for me under Linux). I have tried
> authenticating the following ways: 1) through ssh; 2) through su. I have
> noticed, however, that the way I do this under Linux is not the same as for
> FreeBSD. So, it's quite possible that I have left something out. Anyhow, I
> would appreciate any input into what needs to be configured to get this to
I have a FreeBSD-5.2.1 system that provides ssh logins based on LDAP
accounts via nss_ldap and pam_ldap.
It works perfectly.
/etc/nsswitch.conf:

passwd: files [NOTFOUND=continue] ldap
group:  files [NOTFOUND=continue] ldap
hosts:  files dns
/etc/pam.d/sshd:

# auth: pam_ldap binds to the directory as the user's own DN with the
# submitted password; "sufficient" means a successful bind ends the stack,
# otherwise pam_unix gets the same password via try_first_pass.
auth        required    pam_nologin.so              no_warn
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so           no_warn allow_local
#auth       sufficient  pam_krb5.so                 no_warn try_first_pass
#auth       sufficient  pam_ssh.so                  no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass debug
auth        required    pam_unix.so                 no_warn try_first_pass

#account    required    pam_krb5.so
account     required    pam_login_access.so
account     sufficient  /usr/local/lib/pam_ldap.so
account     required    pam_unix.so

#session    optional    pam_ssh.so
session     required    pam_permit.so

#password   sufficient  pam_krb5.so                 no_warn try_first_pass
password    sufficient  /usr/local/lib/pam_ldap.so  use_authtok
password    required    pam_unix.so                 no_warn try_first_pass
/usr/local/etc/nss_ldap.conf (without TLS stuff)
host ldap1.example.com ldap2.example.com
# debug testing
I use the same configuration for pam_ldap and nss_ldap, so create a
symlink to /usr/local/etc/nss_ldap.conf for /usr/local/etc/ldap.conf or
make an exact copy. All other entries in nss_ldap are commented out for
Don't forget to change "dc=example,dc=com" and "ldap1.example.com
ldap2.example.com" to your values.
There is no need for a .secret file for pam_ldap or nss_ldap.
To be clear, if you set a rootbinddn or binddn which has the right to read
the userPassword attribute, a getpwent(3) call would return all password
hashes, which is surely not what you want. The better way is to let
nss_ldap only return the account information without the password and let
pam_ldap try to bind as the user's DN with the submitted password.
Another point is that the whole pam_ldap stuff can be skipped if you use
a binddn or rootbinddn with nss_ldap and this DN is allowed to read the
userPassword attribute, as the password is then available to pam_unix and
makes authentication possible. But remember the risk that someone is able
to use getpwent(3) to get all password hashes that are stored in LDAP.
If it's still not working for you, uncomment the "logdir" and "debug" lines
in nss_ldap.conf and, if not symlinked, in ldap.conf too. After trying a
new login you will find a file "ldap.<PID>" in the directory specified as
"logdir". The whole LDAP lookup and LDAP bind phase is written to this
file, so one can analyze what's working or not.
Feel free to ask again if you still have problems.
The beginning is the most important part of the work.
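Added example, not part of the original post and not code from pam_ldap or nss_ldap: a small POSIX sh audit for the risk Joerg describes above, namely an nss_ldap bind DN that can read userPassword, so that the passwd map hands every hash to any local getpwent(3) caller. It assumes passwd(5)-style 7-field lines as getent(1) or any getpwent(3) loop prints them; the account lines and the nss_ldap.conf excerpt below are constructed sample data, not real accounts or hashes.

```shell
#!/bin/sh
# Two checks for the "hashes exposed through nss_ldap" problem:
#   leaked_hashes  - reads passwd(5)-style lines on stdin and prints the
#                    names of accounts whose password field is a real hash
#                    rather than a placeholder ("*", "x", "!", "*LOCKED*",
#                    or empty).
#   nss_bind_risk  - reads nss_ldap.conf / ldap.conf on stdin and prints
#                    every active (uncommented) binddn/rootbinddn line, since
#                    a DN that may read userPassword is what makes the first
#                    check fire.

leaked_hashes() {
    # Field 2 of a passwd line is the password field; anything that is not
    # one of the known placeholders is treated as an exposed hash.
    awk -F: '
        NF >= 2 {
            pw = $2
            if (pw == "" || pw == "*" || pw == "x" || pw == "!" || pw == "*LOCKED*") next
            print $1
        }'
}

nss_bind_risk() {
    # Drop leading whitespace so "# binddn" and "  binddn" are classified
    # correctly, then keep only uncommented binddn/rootbinddn directives.
    # "|| true" keeps a clean result (no match) from aborting under set -e.
    sed 's/^[[:space:]]*//' | grep -iE '^(root)?binddn[[:space:]]' || true
}

# Constructed sample (not real accounts or hashes): what the passwd map could
# look like when nss_ldap binds with a DN that is allowed to read userPassword.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:{SSHA}c2FsdGVkaGFzaA==:1002:1002:Bob:/home/bob:/bin/sh
carol:$1$saltsalt$notarealhash:1003:1003:Carol:/home/carol:/bin/sh'

# Constructed nss_ldap.conf excerpt with one commented and one active bind DN
# (hypothetical DN names, chosen for the example).
SAMPLE_CONF='base dc=example,dc=com
host ldap1.example.com ldap2.example.com
#rootbinddn cn=manager,dc=example,dc=com
binddn cn=nssreader,dc=example,dc=com'

echo "accounts whose hash is exposed through the passwd map:"
printf '%s\n' "$SAMPLE_PASSWD" | leaked_hashes
echo "active bind DN settings in nss_ldap.conf:"
printf '%s\n' "$SAMPLE_CONF" | nss_bind_risk
```

On a live system, run `getent passwd | leaked_hashes` as an unprivileged user: any LDAP account it names is readable by every local user. On the directory side, assuming an OpenLDAP server (the thread does not say which server is in use), the ACL that matches Joerg's advice is `access to attrs=userPassword by self write by anonymous auth by * none`: it lets pam_ldap's bind as the user's DN succeed and lets users change their own password, while no bind DN can read the hashes at all.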