Authentication with LDAP on DragonFly BSD

Predrag Punosevac punosevac72 at gmail.com
Fri Jun 27 20:56:30 PDT 2014 

This is not a question but rather a short summary of what I have done to
enable authentication with LDAP on DragonFly BSD. Before you get too
excited I will tell you that I didn't manage to work but I feel it is
very close.

For the purpose of this exercise you will need the following packages
installed

1. openldap-client
2. pam_ldap

and I am guessing 

3.  net/nss_ldap

is needed but it is not in the packages and it is probably the reason I
can't get it to work.

Step 1. I configured 

/usr/local/etc/openldap/ldap.conf

the same way as on OpenBSD, FreeBSD/FreeNAS or Red Hat

BASE    dc=autonlab,dc=org
URI     ldap://atlas.int.autonlab.org:389

SIZELIMIT       12
TIMELIMIT       15
DEREF   never

SSL START_TLS
TLS_REQCERT allow

TLS_CERT        /usr/local/etc/openldap/certs/ca.crt
TLS_CACERTDIR   /usr/local/etc/openldap/certs
TLS_CIPHER_SUITE        HIGH:MEDIUM:+SSLv3


At this point I tested 

ldapsearch -ZZ -D "cn=admin,dc=autonlab,dc=org"  -W

works as a charm (obviously with TLS enabled).

Step 2. I installed pam_ldap. Following installation message I created 
ldap file in /etc/pam.d/ with the following line added 

login   auth    sufficient      /usr/local/lib/pam_ldap.so

Note that for ssh login one will probably have to edit
pam.d/sshd with something like this 

account         required        /usr/local/lib/pam_ldap.so      no_warn
ignore_authinfo_unavail ignore_unknown_user

as well to edit /etc/ssh/sshd_config with something like 

auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn

Installation message also says "Copy /usr/local/etc/ldap.conf.dist to
/usr/local/etc/ldap.conf, then edit /usr/local/etc/ldap.conf in order to
use this module." which is well known to me. Namely on FreeBSD
/usr/local/etc/ldap.conf is the configuration file for ldap client
rather than /usr/local/etc/openldap/ldap.conf. At this point I
shamelessly copied /usr/local/etc/ldap.conf from one of my FreeNAS
server and adjusted the patch to certificate.

host atlas.int.autonlab.org
base dc=autonlab,dc=org
rootbinddn
pam_password md5
nss_override_attribute_value loginShell /bin/sh
nss_base_passwd dc=autonlab,dc=org
nss_base_group dc=autonlab,dc=org
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/certs/ca.crt
ldap_version 3
timelimit 30
bind_timelimit 30
bind_policy soft
pam_ldap_attribute uid 

Step 3. I tried to install net/nss_ldap

backup1# pkg install nss_ldap
Updating repository catalogue
pkg: No packages matching 'nss_ldap' available in the repositories

Unfortunately it is not there so I moved to step 4.

Step 4. Edit /etc/nsswitch.conf file by replacing 

group: compat
passwd: compat

with 

group: files ldap
passwd: files ldap

Step 5. 

/etc/rc.d/nsswitch restart 


Step 6. Unfortunately it didn't work

backup1# id predrag
id: predrag: no such user

I am posting this in part in a hope that somebody can point out mistakes
I am making and help me get this working.


Most Kind Regards,
Predrag

More information about the Users mailing list