I am using FreeBSD 7.2 as an NFS server, and as a client to an OpenLDAP server (which runs Debian Etch). When users access their files on the NFS server, the users' UIDs are looked up in the LDAP server and mapped to their usernames (via nsswitch). My problem is that even after configuring FreeBSD as a client for the LDAP server, it is unable to authenticate.
I know the configuration is correct because entering "ldapsearch" gives me a list of all users on the LDAP server. I used the doc at http://www.freebsd.org/doc/en/articles/ldap-auth/client.html to do the configuration. Is anything missing in these docs?
Here is the ldap.conf used by PAM/NSS:
[root@csastorage /csastore]# cat /usr/local/etc/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
BASE dc=cl,dc=csa,dc=iisc,dc=ernet,dc=in
URI ldaps://<server address>/
TLS_REQCERT allow
TLS_CACERT /usr/local/etc/openldap/server.pem
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
pam_login_attribute uid
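
A check on the TLS lines of the configuration posted above, as an added example that is not part of the original post. It assumes the OpenLDAP ldap.conf(5) meaning of the TLS_* keywords; the function names and the sample host ldap.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the TLS verification settings of an OpenLDAP-style
# ldap.conf read from stdin. Assumed semantics, per ldap.conf(5):
#   demand | hard : a missing or invalid server certificate ends the session
#                   (this is also the default when TLS_REQCERT is absent)
#   try           : a missing certificate is accepted
#   allow         : a missing or invalid certificate is accepted
#   never         : no certificate is requested at all

# Print one finding per weak setting; print nothing when the file is clean.
audit_ldap_tls() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }        # skip comments, blanks, bare keys
        { key = toupper($1); val = tolower($2) }
        key == "TLS_REQCERT" && val != "demand" && val != "hard" {
            print "TLS_REQCERT " val ": server certificate is not strictly verified"
        }
        key == "TLS_CACERT" || key == "TLS_CACERTDIR" { ca = 1 }
        END { if (!ca) print "no TLS_CACERT or TLS_CACERTDIR set in this file" }
    '
}

# Constructed sample mirroring the TLS lines of the post (placeholder host).
sample_weak() {
    cat <<'EOF'
BASE dc=example,dc=com
URI ldaps://ldap.example.com/
TLS_REQCERT allow
TLS_CACERT /usr/local/etc/openldap/server.pem
EOF
}

# Same constructed sample with strict verification of the server certificate.
sample_strict() {
    cat <<'EOF'
BASE dc=example,dc=com
URI ldaps://ldap.example.com/
TLS_REQCERT demand
TLS_CACERT /usr/local/etc/openldap/server.pem
EOF
}

echo "weak sample:";   sample_weak   | audit_ldap_tls
echo "strict sample:"; sample_strict | audit_ldap_tls
```

To audit a real file, run `audit_ldap_tls < /usr/local/etc/ldap.conf`.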