LDAP user authentication?

Jon Theil Nielsen jontheil at gmail.com
Thu Feb 14 23:34:11 UTC 2008

2008/2/14, Jonathan Chen <jonc at chen.org.nz>:
> On Wed, Feb 13, 2008 at 08:10:57PM +0100, Jon Theil Nielsen wrote:
>  > I have googled for a very long time, but I haven't found any useful
>  > howto on this issue. Well, there is
>  > http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
>  > but that seems to be a bit confusing an not up-to-date. I guess it
>  > _should_ be possible - and indeed very useful (especially combinde
>  > with Samba PDC and an easily maintainlable mail server). So please, if
>  > you have any experiences or knowledge of a useful description..!
> The first thing for you to do is to set up your LDAP tree, with your
>  users using objectClass=posixAccount, and your groups with
>  objectClass=posixGroup.
>  Then make the following changes to /etc/nsswitch.conf:
>     group: files ldap
>     passwd: files ldap
>  You then have to install the ports net/nss_ldap and security/pam_ldap.
>  The strategy you should adopt is to first get nss_ldap working before
>  looking at pam_ldap.
>  To configure nss_ldap:
>     cp /usr/local/etc/nss_ldap.conf.sample /usr/local/etc/nss_ldap.conf
>  When editing the nss_ldap.conf, the entries of particular interest
>  are "bind_timelimit" and "bind_policy", which will need to be changed
>  so that the system will still allow you login locally even if the LDAP
>  server is not running. I've got mine set to:
>     bind_timelimit 3
>     bind_policy soft
>  Make sure your "nss_base_passwd" and "nss_base_group" are set correctly.
>  I foudn that I didn't need have to set "rootbinddn" or provide a ldap.secret
>  file, YMMV.
>  You can then test with "getent group" or "getent passwd". However,
>  getent(1) is only available with FreeBSD-7 onwards. If you aren't
>  using FreeBSD-7, the simplest way to test is to create a file whose
>  user and group ownership refers to the LDAP entries, and then see if
>  a simple "ls -l" displays correctly.
>  Once you've verified that this is working, you can then configure
>  pam_ldap:
>     cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf
>  Again, set the bind_timelimit and bind_policy to ensure you don't hang
>  your system if the LDAP server isn't up.
>  To configure PAM, you have to add a reference to pam_ldap in the
>  appropriate PAM files in /etc/pam.d. Here's my snippet in
>  /etc/pam.d/login to allow a console login:
>         # auth
>         auth sufficient  pam_self.so     no_warn
>         auth sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>         auth include     system
>         ...
>  The pam_ldap.so reference will need to be added to other pamd.d files
>  as required, eg: imap, gdm, kde, xdm.
>  Hope this helps.
> --
>  Jonathan Chen <jonc at chen.org.nz>

Well, I must say that this is almost more than I could imagine to get
out of my request..! I will absolutely try this method as soon as
possible. I hope I can make it work, and I will report back with
experiences (and hopefully not) problems/questions.

Jon Theil Nielsen

More information about the freebsd-questions mailing list