LDAP user authentication?

Jonathan Chen jonc at chen.org.nz
Thu Feb 14 20:53:43 UTC 2008

On Wed, Feb 13, 2008 at 08:10:57PM +0100, Jon Theil Nielsen wrote:
> I have googled for a very long time, but I haven't found any useful
> howto on this issue. Well, there is
> http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
> but that seems to be a bit confusing an not up-to-date. I guess it
> _should_ be possible - and indeed very useful (especially combinde
> with Samba PDC and an easily maintainlable mail server). So please, if
> you have any experiences or knowledge of a useful description..!

The first thing for you to do is to set up your LDAP tree, with your
users using objectClass=posixAccount, and your groups with

Then make the following changes to /etc/nsswitch.conf:
    group: files ldap
    passwd: files ldap

You then have to install the ports net/nss_ldap and security/pam_ldap.
The strategy you should adopt is to first get nss_ldap working before
looking at pam_ldap.

To configure nss_ldap:
    cp /usr/local/etc/nss_ldap.conf.sample /usr/local/etc/nss_ldap.conf

When editing the nss_ldap.conf, the entries of particular interest
are "bind_timelimit" and "bind_policy", which will need to be changed
so that the system will still allow you login locally even if the LDAP
server is not running. I've got mine set to:
    bind_timelimit 3
    bind_policy soft

Make sure your "nss_base_passwd" and "nss_base_group" are set correctly.
I foudn that I didn't need have to set "rootbinddn" or provide a ldap.secret
file, YMMV.

You can then test with "getent group" or "getent passwd". However,
getent(1) is only available with FreeBSD-7 onwards. If you aren't
using FreeBSD-7, the simplest way to test is to create a file whose
user and group ownership refers to the LDAP entries, and then see if
a simple "ls -l" displays correctly.

Once you've verified that this is working, you can then configure
    cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf

Again, set the bind_timelimit and bind_policy to ensure you don't hang
your system if the LDAP server isn't up.

To configure PAM, you have to add a reference to pam_ldap in the
appropriate PAM files in /etc/pam.d. Here's my snippet in
/etc/pam.d/login to allow a console login:

	# auth
	auth sufficient  pam_self.so     no_warn
	auth sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
	auth include     system

The pam_ldap.so reference will need to be added to other pamd.d files
as required, eg: imap, gdm, kde, xdm.

Hope this helps.
Jonathan Chen <jonc at chen.org.nz>
                                      Opportunities are seldom labeled

More information about the freebsd-questions mailing list