LDAP Authentication and Authorization

Predrag Punosevac punosevac72 at gmail.com
Sat Jun 24 12:22:12 UTC 2017

I had a permission problem on the LDAP server certificate file, which
could not be read by the nslcd daemon. The original nslcd.conf file I
posted is also not quite correct, so here is the complete how-to.

Note that you don't have to have openldap-client working at all to be
able to authenticate and authorize to a FreeBSD server using only an LDAP
account (ldapsearch will not work, though). The most effective way to
use the PAM approach is to

pkg install nss-pam-ldapd
cd /usr/local/etc/

Edit the nslcd.conf file to use the OpenLDAP server-side certificate to get user

root@hera:/usr/local/etc # more nslcd.conf

uid nslcd
gid nslcd

uri ldap://atlas.int.autonlab.org
base dc=autonlab,dc=org

# StartTLS 
ssl start_tls

# CA certificates for server certificate verification
tls_cacertdir /usr/local/etc/nslcd-certs
tls_cacertfile /usr/local/etc/nslcd-certs/ca.crt

Note that nslcd runs as the nslcd user, so the file
/usr/local/etc/nslcd-certs/ca.crt must be readable by the nslcd daemon:

root@hera:~ # ls -l /usr/local/etc/nslcd-certs/ca.crt
-r--------  1 nslcd  nslcd  1448 Jun 23 22:21

Enable the nslcd daemon:

echo 'nslcd_enable="YES"' >> /etc/rc.conf

Start the daemon:

service nslcd start

(note that for debugging purposes you can run it as nslcd -d)

Edit your /etc/nsswitch.conf file and restart nsswitch

root@hera:~ # more /etc/nsswitch.conf
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
# group: compat
group: files ldap
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
# passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
# services: compat
services: files ldap
services_compat: nis
protocols: files
rpc: files

s/group: compat/group: files ldap/
s/passwd: compat/passwd: files ldap/
s/services: compat/services: files ldap/

To allow ssh login only, edit /etc/pam.d/sshd by adding pam_ldap.so:

root@hera:~ # more /etc/pam.d/sshd
# $FreeBSD: releng/11.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
# PAM configuration for the "sshd" service

# auth
auth            sufficient      pam_opie.so             no_warn
auth            requisite       pam_opieaccess.so       no_warn
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn
auth            required        pam_unix.so             no_warn

# account
account         required        pam_nologin.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so

# session
session         required        pam_permit.so

# password
password        sufficient      /usr/local/lib/pam_ldap.so
password        required        pam_unix.so             no_warn

Make sure the above uses the correct format (tab separators). Note that a
user will not be allowed in if his/her shell (specified in the LDAP
database) is not installed/linked or the home directory (specified in the
LDAP database) is not mounted (see security/pam_mkhomedir for a
workaround). Also, the LDAP server from the OpenBSD base system doesn't
allow password changes.
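As an added example (not part of the original post), here is a small POSIX sh audit of the three files this how-to edits: it checks that nslcd.conf has ssl start_tls and an owner-only readable CA file, that nsswitch.conf lists "files ldap" for passwd and group, and that the sshd PAM file has the pam_ldap.so auth and account lines. The file paths passed to the functions are assumptions.

```shell
#!/bin/sh
# Added example: audit the nss-pam-ldapd setup described above.
# Each function prints the first problem found and returns 1, else returns 0.

# nslcd.conf: StartTLS must be on, and the CA file named by tls_cacertfile
# must exist and be readable by its owner only (nslcd runs as its own user,
# so group/world read bits are unnecessary exposure).
check_nslcd_conf() {
    conf=$1
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$conf" \
        || { echo "no 'ssl start_tls' in $conf"; return 1; }
    cafile=$(awk '$1 == "tls_cacertfile" { print $2; exit }' "$conf")
    [ -n "$cafile" ] || { echo "no tls_cacertfile in $conf"; return 1; }
    [ -f "$cafile" ] || { echo "CA file $cafile missing"; return 1; }
    # First 10 chars of ls -l are type + rwxrwxrwx; portable across BSD/Linux.
    perms=$(ls -l "$cafile" | cut -c1-10)
    case "$perms" in
        ?r??------) return 0 ;;
        *) echo "CA file $cafile has mode $perms (expected owner-only)"; return 1 ;;
    esac
}

# nsswitch.conf: passwd and group must consult files first, then ldap,
# matching the s/compat/files ldap/ edits above.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^${db}:[[:space:]]+files[[:space:]]+ldap" "$1" \
            || { echo "$db: not 'files ldap' in $1"; return 1; }
    done
    return 0
}

# /etc/pam.d/sshd: auth and account lines for pam_ldap.so must be present,
# separated by whitespace (tabs are what the post recommends).
check_pam_sshd() {
    for type in auth account; do
        grep -Eq "^${type}[[:space:]]+sufficient[[:space:]]+[^[:space:]]*pam_ldap\.so" "$1" \
            || { echo "$type: no pam_ldap.so line in $1"; return 1; }
    done
    return 0
}
```

Run each function against the real file; a non-zero exit with a message points at the misconfiguration.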


