Setting up pam_ldap & nss_ldap

Joerg Pulz
Thu Sep 2 12:38:31 PDT 2004


On Thu, 2 Sep 2004, Curtis Vaughan wrote:

> On 5.3-Beta I have installed pam_ldap and nss_ldap.
> Then I edited the following files:
> /usr/local/etc/ldap.conf
> /etc/nsswitch.conf
> files within /etc/pam.d
> particularly /etc/pam.d/ldap and ./sshd and ./su
> /usr/local/etc/nss_ldap.conf
> I think that's it.  I can provide each of those files if necessary. 
> Nonetheless authentication for users not local to this system is not 
> occurring (which would normally occur for me under Linux).  I have tried 
> authenticating the following ways: 1) through ssh; 2) through su.  I have 
> noticed, however, that the way I do this under Linux is not the same as for 
> FreeBSD.  So, it's quite possible that I have left something out.  Anyhow, I 
> would appreciate any input into what needs to be configured to get this to 
> work.

I have a FreeBSD-5.2.1 system that provides ssh logins based on LDAP 
accounts via nss_ldap and pam_ldap.
It works perfectly.

/etc/nsswitch.conf
---
passwd: files [NOTFOUND=continue] ldap
group: files [NOTFOUND=continue] ldap
shells: files
hosts: files dns
---

/etc/pam.d/sshd
---
# module names as in the stock FreeBSD 5.x sshd file; the two
# /usr/local/lib/pam_ldap.so lines are the LDAP additions
# auth
auth      required    pam_nologin.so              no_warn
auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so           no_warn allow_local
#auth     sufficient  pam_krb5.so                 no_warn try_first_pass
#auth     sufficient  pam_ssh.so                  no_warn try_first_pass
auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass debug
auth      required    pam_unix.so                 no_warn try_first_pass

# account
#account  required    pam_krb5.so
account   required    pam_login_access.so
account   sufficient  /usr/local/lib/pam_ldap.so
account   required    pam_unix.so

# session
#session  optional    pam_ssh.so
session   required    pam_permit.so

# password
#password sufficient  pam_krb5.so                 no_warn try_first_pass
password  sufficient  /usr/local/lib/pam_ldap.so  use_authok
password  required    pam_unix.so                 no_warn try_first_pass
---

/usr/local/etc/nss_ldap.conf (without TLS stuff)
---
base dc=example,dc=com
ldap_version 3
port 389
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
# the later pam_password line overrides the earlier one
pam_password clear
pam_password exop
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one
# debug testing
#logdir /var/log
#debug 9
---

I use the same configuration for pam_ldap and nss_ldap, so create a 
symlink to /usr/local/etc/nss_ldap.conf for /usr/local/etc/ldap.conf or 
make an exact copy. All other entries in nss_ldap are commented out for 
Don't forget to change "dc=example,dc=com" and "" to your values.

There is no need for a .secret file for pam_ldap or nss_ldap.
To be clear, if you set a rootbinddn or binddn which has the right to read 
the userPassword attribute, a getpwent(3) call would return all password 
hashes, which is surely not what you want. The better way is to let 
nss_ldap only return the account information without the password and let 
pam_ldap try to bind as the user's DN with the submitted password.

Another point is that the whole pam_ldap stuff can be skipped if you use 
a binddn or rootbinddn with nss_ldap and this DN is allowed to read the 
userPassword attribute, as the password is then available to pam_unix and makes 
authentication possible. But remember the risk that someone is able to use 
getpwent(3) to get all password hashes that are stored in LDAP.

If it's still not working for you, uncomment the "logdir" and "debug" lines 
in nss_ldap.conf and, if not symlinked, in ldap.conf too. After trying a 
new login you will find a file "ldap.<PID>" in the directory specified as 
"logdir". The whole LDAP lookup and LDAP bind phase is written to this 
file, so one can analyze what's working or not.

Feel free to ask again if you still have problems.


-- 
The beginning is the most important part of the work.

