jeroen.se
by jnieuwen
setting up an openldap client on freebsd 7.1
This is the sequel to my post on setting up OpenLDAP on FreeBSD 7.1; this time it covers the configuration of the clients. If you want to read the short introduction to setting up the server, you can find it here.
The first thing we need to do is install the necessary packages. For the configuration described here we need at least the following (or newer versions, of course):
nss_ldap-1.264_1
openldap-client-2.4.13
pam_ldap-1.8.4_1
pam_mkhomedir-0.1
sudo-1.6.9.20
After installing these packages we can start configuring. First we have to create /usr/local/etc/ldap.conf. Mine contains the following lines:
host hildr.jeroen.se
base dc=jeroen,dc=se
uri ldaps://hildr.jeroen.se/
binddn uid=nss,dc=jeroen,dc=se
bindpw xxxxxxxxxx
rootbinddn cn=Manager,dc=jeroen,dc=se
port 389
pam_check_host_attr yes
nss_base_passwd ou=People,dc=jeroen,dc=se
nss_base_shadow ou=People,dc=jeroen,dc=se
nss_base_group ou=Group,dc=jeroen,dc=se
ssl on
tls_checkpeer no
tls_reqcert allow
tls_ciphers HIGH:MEDIUM:-SSLv2
sudoers_base ou=SUDOers,dc=jeroen,dc=se
In the configuration above, nss is the user (the binddn) that the clients use to connect to the LDAP server. This user must of course exist in LDAP, and its password is set with the bindpw option. Do not forget to change the other options to fit your situation as well.
Now that we have created the ldap.conf file, we link /usr/local/etc/nss_ldap.conf to /usr/local/etc/ldap.conf:
rm /usr/local/etc/nss_ldap.conf
ln -s /usr/local/etc/ldap.conf /usr/local/etc/nss_ldap.conf
We also have to create a /usr/local/etc/ldap.secret file, which normally contains the password of the root user (the rootbinddn) for connecting to the LDAP server. Because the clients will not connect to our LDAP server as the root user, it is enough to create it empty with the following commands:
touch /usr/local/etc/ldap.secret
chmod 600 /usr/local/etc/ldap.secret
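An added example, not part of the original post: a small sh script that audits the ldap.conf and ldap.secret files created above for the points a reviewer checks first. With tls_checkpeer no and tls_reqcert allow, as in the configuration above, the client does not verify the server's certificate, so the nss bind password is only as safe as the network path to hildr.jeroen.se; and because nss_ldap reads its configuration from every process that does a name lookup, ldap.conf is normally world-readable, bindpw included. The sample configuration inside the script is constructed from the post's values with a placeholder password; the script and function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the client-side
# ldap.conf and ldap.secret for certificate verification, transport
# encryption and credential exposure. Script and function names are mine.
# Usage: sh audit_ldap_client.sh [/usr/local/etc/ldap.conf [/usr/local/etc/ldap.secret]]
#        (without arguments, a constructed sample of the post's config is audited)

# Value of a keyword in an ldap.conf-style file ("keyword value" per line,
# keyword case-insensitive, '#' comments); the last occurrence wins.
ldap_conf_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { v = $2 }
        END { print v }' "$1"
}

# Permission string such as "-rw-r--r--" (ls rather than stat: the stat
# flags differ between FreeBSD and Linux).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Findings for an ldap.conf, one per line; no output means nothing found.
audit_ldap_conf() {
    conf="$1"
    uri=$(ldap_conf_get "$conf" uri)
    ssl=$(ldap_conf_get "$conf" ssl)
    checkpeer=$(ldap_conf_get "$conf" tls_checkpeer)
    reqcert=$(ldap_conf_get "$conf" tls_reqcert)
    bindpw=$(ldap_conf_get "$conf" bindpw)

    # With peer checking off, any certificate presented for the server name
    # is accepted, and the bind credentials go to whoever presents it.
    [ "$checkpeer" = yes ] ||
        echo "tls_checkpeer '${checkpeer:-unset}': server certificate not verified (use yes plus tls_cacertfile)"
    case "$reqcert" in
        demand|hard) ;;
        *) echo "tls_reqcert '${reqcert:-unset}': bad or missing certificates tolerated (use demand)" ;;
    esac
    # Without ldaps:// or STARTTLS the bind password crosses the wire in clear.
    case "$uri" in
        ldaps://*) ;;
        *) [ "$ssl" = start_tls ] ||
               echo "uri '${uri:-unset}' with ssl '${ssl:-unset}': bind password sent without TLS" ;;
    esac
    # nss_ldap reads this file from every process doing a lookup, so it is
    # normally world-readable and so is bindpw: report it, and keep the bind
    # account limited to the read access NSS actually needs.
    if [ -n "$bindpw" ] && [ "$(perm_string "$conf" | cut -c8)" = r ]; then
        echo "bindpw in a world-readable file: restrict what binddn may read on the server"
    fi
}

# ldap.secret holds the rootbinddn password (empty in the post, but still
# created): it must be unreadable for everyone but root.
audit_ldap_secret() {
    p=$(perm_string "$1")
    [ "$(echo "$p" | cut -c5-10)" = "------" ] ||
        echo "$1 has mode $p: needs chmod 600"
}

# Constructed sample reproducing the post's ldap.conf with a placeholder
# password, written to the path in $1 with the usual world-readable mode.
write_sample_ldap_conf() {
    cat > "$1" <<'EOF'
host hildr.jeroen.se
base dc=jeroen,dc=se
uri ldaps://hildr.jeroen.se/
binddn uid=nss,dc=jeroen,dc=se
bindpw PLACEHOLDER_PASSWORD
rootbinddn cn=Manager,dc=jeroen,dc=se
ssl on
tls_checkpeer no
tls_reqcert allow
EOF
    chmod 644 "$1"
}

if [ $# -eq 0 ]; then
    tmp=$(mktemp)
    write_sample_ldap_conf "$tmp"
    audit_ldap_conf "$tmp"      # prints three findings for the sample
    rm -f "$tmp"
else
    audit_ldap_conf "$1"
    if [ -n "$2" ]; then audit_ldap_secret "$2"; fi
fi
```

Run against the real files as root: sh audit_ldap_client.sh /usr/local/etc/ldap.conf /usr/local/etc/ldap.secret. The bindpw finding cannot be fixed by tightening file permissions (NSS lookups would break); the mitigation lives on the server side, in what the nss account is allowed to read.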
Believe it or not, we are almost done configuring already. We just have to make sure that the directory where the user home directories will be placed exists. After that we have to edit three files. First /etc/nsswitch.conf, which should look like this:
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Then /etc/pam.d/sshd, which should look like this:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_unknown_user
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so ignore_unknown_user
account required pam_unix.so

# session
#session optional pam_ssh.so
session required /usr/local/lib/pam_mkhomedir.so debug umask=0077 skel=/usr/local/share/skel
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
And finally /etc/pam.d/system, which should look like this:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok

# account
#account required pam_krb5.so
account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so ignore_unknown_user
account required pam_unix.so

# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
session required /usr/local/lib/pam_mkhomedir.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
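An added example, not part of the original post: a script that checks a pam.d file for the pam_ldap wiring shown in the two files above: pam_ldap before pam_unix in the auth stack, a pam_ldap line in the account stack (the pam_check_host_attr setting from ldap.conf is only enforced in account management), and ignore_unknown_user on a required account line so purely local users still get in. It also points out nullok on pam_unix and the debug option left on pam_mkhomedir. The embedded sample is a constructed copy of the sshd file above; the script and function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: check a FreeBSD pam.d
# service file for the pam_ldap wiring described above (module order,
# account phase, ignore_unknown_user) and flag options worth a second look.
# Script and function names are mine.
# Usage: sh check_pam_ldap.sh /etc/pam.d/sshd
#        (without an argument, a constructed copy of the post's sshd file is checked)

# Effective lines of a pam.d file: comments and blanks dropped, the module
# path reduced to its basename so /usr/local/lib/pam_ldap.so matches pam_ldap.so.
pam_lines() {
    awk '/^[[:space:]]*#/ || NF < 3 { next }
         { n = split($3, p, "/"); $3 = p[n]; print }' "$1"
}

# Position of the first line with type $2 and module $3; empty if absent.
pam_index() {
    pam_lines "$1" |
        awk -v t="$2" -v m="$3" '$1 == t && $3 == m && !done { print NR; done = 1 }'
}

# Findings for one pam.d file, one per line; no output means nothing found.
audit_pam_ldap() {
    f="$1"
    ldap_auth=$(pam_index "$f" auth pam_ldap.so)
    unix_auth=$(pam_index "$f" auth pam_unix.so)
    ldap_acct=$(pam_index "$f" account pam_ldap.so)

    [ -n "$ldap_auth" ] || echo "auth: pam_ldap.so missing, directory users cannot authenticate"
    # pam_unix is 'required': if it runs before the 'sufficient' pam_ldap
    # line, a user who exists only in the directory fails there first.
    if [ -n "$ldap_auth" ] && [ -n "$unix_auth" ] && [ "$ldap_auth" -gt "$unix_auth" ]; then
        echo "auth: pam_ldap.so listed after pam_unix.so, move it before pam_unix.so"
    fi
    # The account phase is where pam_ldap enforces pam_check_host_attr and
    # other directory-side restrictions; an auth-only setup skips them.
    [ -n "$ldap_acct" ] || echo "account: pam_ldap.so missing, host attribute not enforced"
    # A 'required' LDAP account check must tolerate purely local users.
    pam_lines "$f" | awk '$1 == "account" && $2 == "required" && $3 == "pam_ldap.so" && !/ignore_unknown_user/ {
        print "account: required pam_ldap.so without ignore_unknown_user locks out local users" }'
    # Not errors, but settings to know about before going to production.
    pam_lines "$f" | awk '$1 == "auth" && $3 == "pam_unix.so" && /nullok/ {
        print "auth: pam_unix.so nullok accepts empty local passwords" }'
    pam_lines "$f" | awk '$3 == "pam_mkhomedir.so" && /debug/ {
        print "session: pam_mkhomedir.so still has debug set" }'
}

# Constructed copy of the post's /etc/pam.d/sshd, written to $1.
write_sample_pam_sshd() {
    cat > "$1" <<'EOF'
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_unknown_user
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so ignore_unknown_user
account required pam_unix.so
# session
session required /usr/local/lib/pam_mkhomedir.so debug umask=0077 skel=/usr/local/share/skel
session required pam_permit.so
# password
password required pam_unix.so no_warn try_first_pass
EOF
}

if [ $# -eq 0 ]; then
    tmp=$(mktemp)
    write_sample_pam_sshd "$tmp"
    audit_pam_ldap "$tmp"       # one finding for the sample: the debug option
    rm -f "$tmp"
else
    audit_pam_ldap "$1"
fi
```

Running it over /etc/pam.d/system from the post reports only the nullok option on pam_unix, which is FreeBSD's default there; whether to keep it is a local decision, the script just makes sure it is a conscious one.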
After all this we should be able to log in with the LDAP user accounts on the client, assuming of course that the user is correctly configured in the OpenLDAP server.