Authentication with LDAP on DragonFly BSD
Predrag Punosevac
punosevac72 at gmail.com
Fri Jun 27 20:56:30 PDT 2014
This is not a question but rather a short summary of what I have done to
enable authentication with LDAP on DragonFly BSD. Before you get too
excited I will tell you that I didn't manage to get it to work, but I feel
it is very close.
For the purpose of this exercise you will need the following packages
installed:
1. openldap-client
2. pam_ldap
and I am guessing
3. net/nss_ldap
is needed, but it is not in the packages and it is probably the reason I
can't get it to work.
Step 1. I configured
/usr/local/etc/openldap/ldap.conf
the same way as on OpenBSD, FreeBSD/FreeNAS or Red Hat:
BASE dc=autonlab,dc=org
URI ldap://atlas.int.autonlab.org:389
SIZELIMIT 12
TIMELIMIT 15
DEREF never
SSL START_TLS
TLS_REQCERT allow
TLS_CERT /usr/local/etc/openldap/certs/ca.crt
TLS_CACERTDIR /usr/local/etc/openldap/certs
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
At this point I tested
ldapsearch -ZZ -D "cn=admin,dc=autonlab,dc=org" -W
and it works like a charm (obviously with TLS enabled).
Step 2. I installed pam_ldap. Following the installation message I created
an ldap file in /etc/pam.d/ with the following line added:
login auth sufficient /usr/local/lib/pam_ldap.so
Note that for ssh login one will probably have to edit
pam.d/sshd with something like this:
account required /usr/local/lib/pam_ldap.so no_warn
ignore_authinfo_unavail ignore_unknown_user
as well as to edit /etc/ssh/sshd_config with something like:
auth sufficient /usr/local/lib/pam_ldap.so no_warn
The installation message also says "Copy /usr/local/etc/ldap.conf.dist to
/usr/local/etc/ldap.conf, then edit /usr/local/etc/ldap.conf in order to
use this module." which is well known to me. Namely, on FreeBSD
/usr/local/etc/ldap.conf is the configuration file for the ldap client
rather than /usr/local/etc/openldap/ldap.conf. At this point I
shamelessly copied /usr/local/etc/ldap.conf from one of my FreeNAS
servers and adjusted the path to the certificate:
host atlas.int.autonlab.org
base dc=autonlab,dc=org
rootbinddn
pam_password md5
nss_override_attribute_value loginShell /bin/sh
nss_base_passwd dc=autonlab,dc=org
nss_base_group dc=autonlab,dc=org
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/certs/ca.crt
ldap_version 3
timelimit 30
bind_timelimit 30
bind_policy soft
pam_ldap_attribute uid
Step 3. I tried to install net/nss_ldap
backup1# pkg install nss_ldap
Updating repository catalogue
pkg: No packages matching 'nss_ldap' available in the repositories
Unfortunately it is not there, so I moved on to step 4.
Step 4. Edit the /etc/nsswitch.conf file by replacing
group: compat
passwd: compat
with
group: files ldap
passwd: files ldap
Step 5.
/etc/rc.d/nsswitch restart
Step 6. Unfortunately it didn't work:
backup1# id predrag
id: predrag: no such user
I am posting this in part in a hope that somebody can point out mistakes
I am making and help me get this working.
Most Kind Regards,
Predrag
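The two client configs quoted above contain settings a reviewer would flag before going further (TLS_REQCERT allow, a client-side md5 pam_password, an empty rootbinddn). The following is an added example, not part of the original post or of pam_ldap/OpenLDAP: a small parser for the "KEY value" ldap.conf format shared by both files, plus a lint pass over the parsed directives. The sample configs and the host/base names in them are constructed.

```python
"""Check ldap.conf-style LDAP client settings for options that weaken TLS or
password handling. Added example; not part of the original post."""

# Constructed samples, shaped like the two config files quoted in the post.
OPENLDAP_CONF = """\
BASE dc=example,dc=org
URI ldap://ldap.example.org:389
SSL START_TLS
TLS_REQCERT allow
TLS_CACERTDIR /usr/local/etc/openldap/certs
"""
PAM_LDAP_CONF = """\
host ldap.example.org
base dc=example,dc=org
rootbinddn
pam_password md5
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/certs/ca.crt
"""


def parse_ldap_conf(text):
    """Parse 'KEY value' lines; keys are case-insensitive in both formats,
    comments start with '#', and a key with no value is stored as ''."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_ldap_conf(conf):
    """Return (directive, reason) pairs for explicitly set values worth flagging."""
    findings = []
    tls_on = (conf.get("ssl", "").lower() in ("start_tls", "on", "yes")
              or conf.get("uri", "").lower().startswith("ldaps://"))
    if not tls_on:
        findings.append(("ssl", "no TLS requested; binds cross the network in clear"))
    reqcert = conf.get("tls_reqcert", "demand").lower()
    if reqcert not in ("demand", "hard"):
        findings.append(("tls_reqcert", f"'{reqcert}' accepts an unverifiable server "
                         "certificate, so START_TLS does not authenticate the server"))
    if conf.get("tls_checkpeer", "yes").lower() == "no":
        findings.append(("tls_checkpeer", "peer certificate is not checked"))
    if conf.get("pam_password", "").lower() in ("clear", "crypt", "md5"):
        findings.append(("pam_password", "password hashed (or not) on the client; "
                         "'exop' lets the server apply its own hashing policy"))
    if "rootbinddn" in conf and not conf["rootbinddn"]:
        findings.append(("rootbinddn", "directive present but empty; no DN is bound"))
    return findings
```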