LDAP user authentication?
jonc at chen.org.nz
Thu Feb 14 20:53:43 UTC 2008
On Wed, Feb 13, 2008 at 08:10:57PM +0100, Jon Theil Nielsen wrote:
> I have googled for a very long time, but I haven't found any useful
> howto on this issue. Well, there is
> but that seems to be a bit confusing and not up-to-date. I guess it
> _should_ be possible - and indeed very useful (especially combined
> with Samba PDC and an easily maintainable mail server). So please, if
> you have any experiences or knowledge of a useful description..!
The first thing for you to do is to set up your LDAP tree, with your
users using objectClass=posixAccount, and your groups with
Then make the following changes to /etc/nsswitch.conf:
group: files ldap
passwd: files ldap
You then have to install the ports net/nss_ldap and security/pam_ldap.
The strategy you should adopt is to first get nss_ldap working before
looking at pam_ldap.
To configure nss_ldap:
cp /usr/local/etc/nss_ldap.conf.sample /usr/local/etc/nss_ldap.conf
When editing the nss_ldap.conf, the entries of particular interest
are "bind_timelimit" and "bind_policy", which will need to be changed
so that the system will still allow you login locally even if the LDAP
server is not running. I've got mine set to:
Make sure your "nss_base_passwd" and "nss_base_group" are set correctly.
I found that I didn't need to set "rootbinddn" or provide an ldap.secret
You can then test with "getent group" or "getent passwd". However,
getent(1) is only available with FreeBSD-7 onwards. If you aren't
using FreeBSD-7, the simplest way to test is to create a file whose
user and group ownership refers to the LDAP entries, and then see if
a simple "ls -l" displays correctly.
Once you've verified that this is working, you can then configure
cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf
Again, set the bind_timelimit and bind_policy to ensure you don't hang
your system if the LDAP server isn't up.
To configure PAM, you have to add a reference to pam_ldap in the
appropriate PAM files in /etc/pam.d. Here's my snippet in
/etc/pam.d/login to allow a console login:
auth sufficient pam_self.so no_warn
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth include system
The pam_ldap.so reference will need to be added to other pam.d files
as required, e.g.: imap, gdm, kde, xdm.
Hope this helps.
Jonathan Chen <jonc at chen.org.nz>
Opportunities are seldom labeled
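The reply above leaves three places where a mistake silently locks you out of your own box: "ldap" listed before "files" in nsswitch.conf, a bind_policy/bind_timelimit that makes every lookup wait for a dead LDAP server, and pam_ldap stacked as "required" (or after "auth include system") so local accounts stop working whenever LDAP is unreachable. The script below is an added example, not code from Jonathan Chen's post or from the nss_ldap/pam_ldap ports: it checks those three points against a nsswitch.conf, a nss_ldap.conf/ldap.conf and a pam.d service file, and runs itself against constructed sample files. The choice of "soft" and a bind_timelimit of at most 5 seconds as the passing threshold is this example's own; the post does not give the author's values. The paths in the usage note are the FreeBSD ports defaults named in the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-logout sanity checks for
# an nss_ldap + pam_ldap setup. nss_ldap's own defaults are bind_policy
# "hard" and bind_timelimit 30, which is what makes logins hang when the
# LDAP server is away; the "soft" / <= 5 s threshold below is this
# example's choice. Sample configs are constructed here for the demo.

# nss_order_ok NSSWITCH DB: 0 if the DB line (passwd/group) lists "files"
# before "ldap", so local accounts resolve without touching the directory.
nss_order_ok() {
    line=$(grep -E "^[[:space:]]*$2:" "$1" | head -n 1)
    [ -n "$line" ] || return 1
    saw_files=0
    for src in ${line#*:}; do
        case "$src" in
            files) saw_files=1 ;;
            ldap)  if [ "$saw_files" -eq 1 ]; then return 0; else return 1; fi ;;
        esac
    done
    return 1   # no ldap source at all: LDAP users would never resolve
}

# bind_ok CONF [MAXSECS]: 0 if CONF sets "bind_policy soft" and a
# bind_timelimit of at most MAXSECS (default 5). Comment lines start with
# "#", so they never match in field 1.
bind_ok() {
    policy=$(awk '$1 == "bind_policy"    { p = $2 } END { print p }' "$1")
    limit=$(awk  '$1 == "bind_timelimit" { t = $2 } END { print t }' "$1")
    [ "$policy" = "soft" ] || return 1
    [ -n "$limit" ] || return 1
    [ "$limit" -le "${2:-5}" ] 2>/dev/null
}

# pam_ok PAMFILE: 0 if the auth stack has pam_ldap.so as "sufficient" with
# try_first_pass, appearing before "auth include system". A "required"
# pam_ldap fails every login while LDAP is unreachable.
pam_ok() {
    awk '
        $1 == "auth" && $3 ~ /pam_ldap\.so$/ {
            ldap = NR
            if ($2 != "sufficient" || $0 !~ /try_first_pass/) bad = 1
        }
        $1 == "auth" && $2 == "include" && $3 == "system" { sys = NR }
        END { ok = (ldap && sys && ldap < sys && !bad); exit ok ? 0 : 1 }
    ' "$1"
}

# make_samples: write constructed good and bad sample files to a temp dir
# and print its path. The "login" file is the stack from the post.
make_samples() {
    d=$(mktemp -d) || return 1
    printf 'group: files ldap\npasswd: files ldap\n' > "$d/nsswitch.conf"
    printf 'passwd: ldap files\ngroup: files\n'     > "$d/nsswitch.bad"
    printf 'bind_policy soft\nbind_timelimit 3\n'  > "$d/nss_ldap.conf"
    printf 'bind_policy hard\nbind_timelimit 30\n' > "$d/nss_ldap.bad"
    cat > "$d/login" <<'EOF'
auth sufficient pam_self.so no_warn
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth include system
EOF
    cat > "$d/login.bad" <<'EOF'
auth required /usr/local/lib/pam_ldap.so no_warn
auth include system
EOF
    printf '%s\n' "$d"
}

# report NSSWITCH LDAPCONF PAMFILE: one line per check; returns the number
# of failed checks (0 means safe to log out and test an LDAP login).
report() {
    fails=0
    for db in passwd group; do
        if nss_order_ok "$1" "$db"; then echo "ok   $db: files before ldap"
        else echo "FAIL $db: files must precede ldap in $1"; fails=$((fails + 1)); fi
    done
    if bind_ok "$2"; then echo "ok   bind_policy soft, short bind_timelimit"
    else echo "FAIL $2: set bind_policy soft and a short bind_timelimit"; fails=$((fails + 1)); fi
    if pam_ok "$3"; then echo "ok   pam_ldap sufficient before 'auth include system'"
    else echo "FAIL $3: pam_ldap must be sufficient + try_first_pass, before include system"; fails=$((fails + 1)); fi
    return $fails
}

# Stand-alone run against the constructed samples.
samples=$(make_samples)
report "$samples/nsswitch.conf" "$samples/nss_ldap.conf" "$samples/login"
rm -rf "$samples"
```

On a real FreeBSD host with the ports from the post, run the checks with `report /etc/nsswitch.conf /usr/local/etc/nss_ldap.conf /etc/pam.d/login` (and again with `/usr/local/etc/ldap.conf` for pam_ldap's bind settings) from a console session you keep open until the LDAP login has been tested; a non-zero return is the number of checks that would have cost you that session.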
More information about the freebsd-questions