
LDAP Authentication and Authorization


Predrag Punosevac

Jun 22, 2017, 3:28:37 PM6/22/17
Hi Folks,

This is my first post to this mailing list after ten years, so please bear
with me.

I am trying to migrate a dozen file servers and jail hosts currently
running FreeNAS 9.2.1.9 or TrueOS (server edition of the now dead PC-BSD)
10.3 to vanilla 11.0. I am having a really hard time with the LDAP
authentication part on the file server.

Before we go any further let me say that in our lab we use the LDAP server
from the base of OpenBSD 6.1. We use LDAP for both authorization and
authentication. I have no intention to set up a Kerberos server for
authentication. I also realized this morning that I might not even need
the authentication part on the FreeBSD file servers, as regular users will
not be logging into the file server. They will only be accessing their
home directories via NFS, and I got the authorization part working correctly.
However, it really bothers me that I can't log into the FreeBSD machine
with an LDAP account. Let me describe what I have done in the past and so
far.

On FreeNAS 9.2.1.9 both authentication and authorization work like a charm,
more or less following the "official documentation":

https://www.freebsd.org/doc/en/articles/ldap-auth/

I tried to migrate the FreeNAS server to PC-BSD 10.3 but I hit a wall:

https://forums.freebsd.org/threads/52989/

The most disturbing part was the post in which I learned about nss-pam-ldapd:

"It's part of the net/nss-pam-ldapd / net/nss-pam-ldapd-sasl port. Don't
use the old security/pam_ldap and net/nss_ldap modules. They've been
abandoned years ago by their upstream and suffer from several severe
design errors. nslcd breaks the LDAP PAM and NSS modules into two parts.
One part is a daemon handling all the heavy work and the other are small
shims querying the daemon over a unix domain socket to implement the NSS
and PAM interface."

which the "official documentation" never mentions. By the way, the "official
documentation" worked flawlessly for DragonFly BSD:

https://marc.info/?l=dragonfly-users&m=141630435129956&w=2

While contemplating the migration to 11.x I was happy to learn that
FreeBSD got ypldap and was possibly contemplating moving away from the PAM
insanity

https://www.freebsd.org/cgi/man.cgi?query=ypldap&apropos=0&sektion=0&manpath=FreeBSD+11.0-RELEASE+and+Ports&arch=default&format=html

just to be totally discouraged by the following post

https://marc.info/?l=freebsd-questions&m=149746603212079&w=2

by one of the long-time FreeBSD users. I don't get why import the ypldap code
into the base if FreeBSD is sticking to the PAM craziness.

https://marc.info/?l=freebsd-questions&m=149746504411822&w=2


Anyhow, this is what works on this file server and what doesn't:

The OpenLDAP client works:

root@hera:/usr/local/etc/openldap # more ldap.conf
BASE dc=autonlab,dc=org
URI ldap://atlas.int.autonlab.org:389

SIZELIMIT 12
TIMELIMIT 15
DEREF never

SSL START_TLS
TLS_REQCERT allow

TLS_CACERT /usr/local/etc/openldap/certs/ca.crt
TLS_CACERTDIR /usr/local/etc/openldap/certs
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3

ldapsearch -ZZ -D "uid=predrag,ou=users,dc=autonlab,dc=org" -W

# mravanba, group, autonlab.org
dn: cn=mravanba,ou=group,dc=autonlab,dc=org
cn: mravanba
objectClass: top
objectClass: posixGroup
gidNumber: 1078
memberUid: mravanba
description: User Private Group

# search result
search: 3
result: 4 Size limit exceeded

# numResponses: 13
# numEntries: 12


Following the suggestion from the FreeBSD forum thread, and based on the
negative comments about the ypldap daemon, I installed

net/nss-pam-ldapd

I configured the nslcd daemon:

root@hera:/usr/local/etc # more nslcd.conf
uid nslcd
gid nslcd

uri ldap://192.168.6.7/
base dc=autonlab,dc=org
rootpwmoddn cn=admin,dc=autonlab,dc=org
base group ou=groups,dc=autonlab,dc=org
base passwd ou=users,dc=autonlab,dc=org

# CA certificates for server certificate verification
tls_cacertdir /usr/local/etc/openldap/certs
tls_cacertfile /usr/local/etc/openldap/certs/ca.crt

and started it

root@hera:/usr/local/etc # cat /etc/rc.conf | grep nslcd
nslcd_enable="YES"

root@hera:/usr/local/etc # service nslcd status
nslcd is running with PID 1074.

I modified the nsswitch.conf file:

root@hera:~ # more /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
#
# group: compat
group: files ldap
# group_compat: nis
hosts: files dns
netgroup: compat
networks: files
# passwd: compat
passwd: files ldap
# passwd_compat: nis
shells: files
# services: compat
services: files ldap
# services_compat: nis
protocols: files
rpc: files


and restarted the nsswitch daemon.

I installed and linked the users' shells and mounted their home directories
for testing purposes to make sure they can log in.

Finally this is my

root@hera:~ # more /etc/pam.d/sshd
#
# $FreeBSD: releng/11.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn no_fake_prompts
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
account sufficient /usr/local/lib/pam_ldap.so
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_permit.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	sufficient	/usr/local/lib/pam_ldap.so	try_first_pass
password	required	pam_unix.so		no_warn try_first_pass

At this point

getent passwd

works like a charm
and I can even

root@hera:~ # su - predrag
auton@hera$

to my home directory

auton@hera$ pwd
/zfsauton/home/predrag

So at this point I feel like I have the authorization part working correctly,
and according to this documentation

https://arthurdejong.org/nss-pam-ldapd/setup

I should not be far away from the authentication part as well (which I might
not even need on the file server). However, when trying to ssh into the
server with LDAP credentials it fails:

Jun 22 15:19:28 hera nslcd[2675]: [6f59b2] <authc="awd"> uid=awd,ou=users,dc=autonlab,dc=org: Confidentiality required
Jun 22 15:19:28 hera nslcd[2675]: [6f59b2] <authc="awd"> uid=awd,ou=users,dc=autonlab,dc=org: "${shadowLastChange:--1}": password changed in the future
Jun 22 15:19:28 hera sshd[2678]: error: PAM: authentication error for awd from 10.8.0.6


and I also see a bunch of other errors in /var/log/messages:

Jun 22 02:55:00 hera nslcd[1074]: [65e7c4] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:00:00 hera nslcd[1074]: [923f5c] <group/member="operator"> ldap_result() failed: No such object
Jun 22 03:00:00 hera nslcd[1074]: [7e2017] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:00:00 hera nslcd[1074]: [533840] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:01:00 hera nslcd[1074]: [f1fa0b] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:01:00 hera nslcd[1074]: [6d3dc2] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:05:00 hera nslcd[1074]: [574d2f] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:10:00 hera nslcd[1074]: [8cc0da] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:11:00 hera nslcd[1074]: [c96ec1] <group/member="operator"> ldap_result() failed: No such object
Jun 22 03:15:00 hera nslcd[1074]: [86bffd] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:20:00 hera nslcd[1074]: [a6e267] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Jun 22 03:20:00 hera nslcd[1074]: [a6e267] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:22:00 hera nslcd[1074]: [5a3141] <group/member="operator"> ldap_result() failed: Can't contact LDAP server
Jun 22 03:22:00 hera nslcd[1074]: [5a3141] <group/member="operator"> ldap_result() failed: No such object
Jun 22 03:25:00 hera nslcd[1074]: [57f83c] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Jun 22 03:25:00 hera nslcd[1074]: [57f83c] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:30:00 hera nslcd[1074]: [6a7632] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:31:00 hera nslcd[1074]: [7635f9] <group/member="root"> ldap_search_ext() failed: Can't contact LDAP server: Operation not permitted
Jun 22 03:31:00 hera nslcd[1074]: [7635f9] <group/member="root"> no available LDAP server found, sleeping 1 seconds
Jun 22 03:31:01 hera nslcd[1074]: [7635f9] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:33:00 hera nslcd[1074]: [d1b46c] <group/member="operator"> ldap_result() failed: No such object
Jun 22 03:35:00 hera nslcd[1074]: [9c649f] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:40:00 hera nslcd[1074]: [9285d2] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:44:00 hera nslcd[1074]: [901b6e] <group/member="operator"> ldap_result() failed: No such object
Jun 22 03:45:00 hera nslcd[1074]: [f93502] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:50:00 hera nslcd[1074]: [075f1e] <group/member="root"> ldap_search_ext() failed: Can't contact LDAP server: Operation not permitted


I am stumped at this point. I think I stumbled late last night on some
thread which claims that pam_ldap is needed for the authentication part.
However, trying to install pam_ldap using pkg install also deinstalls the
nss-pam-ldapd package. That could be due to the compile options for
nss-pam-ldapd. Maybe the porter assumes I will set up Kerberos for the
authentication part.

I apologize for the very long e-mail, but I wanted to leave an electronic
trace for people who will be looking for this. I appreciate any input.

Best,
Predrag
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"
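The log lines quoted in the post above carry three distinct symptoms, and each maps to a different layer of the nslcd configuration. The following is an added example (it is not part of either post and is not nss-pam-ldapd's own code): a small sh function that reads nslcd syslog lines on stdin and prints one diagnosis per symptom. The sample log is constructed from the lines quoted above. Two of the branches fit the first nslcd.conf as posted: its uri is plain ldap:// with no "ssl start_tls", which is what an OpenBSD ldapd answering "Confidentiality required" (LDAP result 13, confidentialityRequired) is complaining about, and its "base group ou=groups,..." does not match the "ou=group,..." DN the ldapsearch output shows, which is what "No such object" (result 32) on every group/member search points at.

```shell
#!/bin/sh
# Added example, not from the original posts: triage nslcd syslog lines
# into the configuration problems they usually indicate. Reads log lines
# on stdin and prints one diagnosis per distinct symptom found.
# Usage: nslcd_diagnose < /var/log/messages

nslcd_diagnose() {
    tls=0 shadow=0 nobase=0 contact=0
    while IFS= read -r line; do
        case $line in
            *nslcd*) ;;            # only nslcd's own lines are classified
            *) continue ;;
        esac
        case $line in *"Confidentiality required"*)             tls=1 ;; esac
        case $line in *"password changed in the future"*)       shadow=1 ;; esac
        case $line in *"ldap_result() failed: No such object"*) nobase=1 ;; esac
        case $line in *"Can't contact LDAP server"*)            contact=1 ;; esac
    done
    if [ "$tls" -eq 1 ]; then
        echo "TLS: bind rejected with confidentialityRequired (LDAP result 13):" \
             "the server insists on an encrypted session. Put 'ssl start_tls'" \
             "(or an ldaps:// uri) in nslcd.conf."
    fi
    if [ "$nobase" -eq 1 ]; then
        echo "search base: 'No such object' (LDAP result 32) on a search means" \
             "the base DN does not exist. Compare 'base group'/'base passwd' in" \
             "nslcd.conf with the DNs ldapsearch actually returns."
    fi
    if [ "$contact" -eq 1 ]; then
        echo "transport: 'Can't contact LDAP server' is a connect/TLS-handshake" \
             "failure, not an LDAP error. Check the uri, the host firewall, and" \
             "that the nslcd user can read tls_cacertfile ('nslcd -d' shows it)."
    fi
    if [ "$shadow" -eq 1 ]; then
        echo "shadow: the password-ageing check on shadowLastChange tripped for" \
             "the entry; inspect its shadow attributes. Separate from the bind failure."
    fi
    return 0
}

# Constructed sample, modelled on the lines quoted in the post above.
SAMPLE_LOG=$(cat <<'EOF'
Jun 22 15:19:28 hera nslcd[2675]: [6f59b2] <authc="awd"> uid=awd,ou=users,dc=autonlab,dc=org: Confidentiality required
Jun 22 15:19:28 hera nslcd[2675]: [6f59b2] <authc="awd"> uid=awd,ou=users,dc=autonlab,dc=org: "${shadowLastChange:--1}": password changed in the future
Jun 22 15:19:28 hera sshd[2678]: error: PAM: authentication error for awd from 10.8.0.6
Jun 22 03:00:00 hera nslcd[1074]: [923f5c] <group/member="operator"> ldap_result() failed: No such object
Jun 22 03:20:00 hera nslcd[1074]: [a6e267] <group/member="root"> ldap_result() failed: Can't contact LDAP server
EOF
)

printf '%s\n' "$SAMPLE_LOG" | nslcd_diagnose
```

Run it against the real log with `nslcd_diagnose < /var/log/messages`; the sshd line is deliberately ignored, since PAM's "authentication error" only says that some module failed, and the nslcd lines carry the reason.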

Predrag Punosevac

Jun 24, 2017, 8:22:33 AM6/24/17
Hi Folks,

Just to post the solution for the people who might stumble on my
original post.

I had a permission problem on the LDAP server certificate file, which
could not be read by the nslcd daemon. The original nslcd.conf file I
posted is also not quite correct, so here is the complete how-to.

Note that you don't have to have openldap-client working at all to be
able to authorize and authenticate to a FreeBSD server using an LDAP account
only (ldapsearch will not work though). The most effective way to use the
PAM approach is to

pkg install nss-pam-ldapd
cd /usr/local/etc/

Edit the nslcd.conf file to use the OpenLDAP server-side certificate to get
user credentials.

root@hera:/usr/local/etc # more nslcd.conf

uid nslcd
gid nslcd

uri ldap://atlas.int.autonlab.org
base dc=autonlab,dc=org

# StartTLS
ssl start_tls

# CA certificates for server certificate verification
tls_cacertdir /usr/local/etc/nslcd-certs
tls_cacertfile /usr/local/etc/nslcd-certs/ca.crt


Note that nslcd runs as the nslcd user, so the file

/usr/local/etc/nslcd-certs/ca.crt

must be readable by the nslcd daemon:

root@hera:~ # ls -l /usr/local/etc/nslcd-certs/ca.crt
-r-------- 1 nslcd nslcd 1448 Jun 23 22:21 /usr/local/etc/nslcd-certs/ca.crt


Enable the nslcd daemon:

echo 'nslcd_enable="YES"' >> /etc/rc.conf

Start the daemon:

service nslcd start

(note that for debugging purposes run it as nslcd -d)

Edit your /etc/nsswitch.conf file and restart nsswitch:

root@hera:~ # more /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
#
# group: compat
group: files ldap
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
# passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
# services: compat
services: files ldap
services_compat: nis
protocols: files
rpc: files

s/group: compat/group: files ldap/
s/passwd: compat/passwd: files ldap/
s/services: compat/services: files ldap/


To allow ssh login only, edit /etc/pam.d/sshd by adding the pam_ldap.so
entries:

root@hera:~ # more /etc/pam.d/sshd
#
# $FreeBSD: releng/11.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn
auth		required	pam_unix.so		no_warn try_first_pass

# account
account required pam_nologin.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so

# session
session required pam_permit.so

# password
password	sufficient	/usr/local/lib/pam_ldap.so	try_first_pass
password	required	pam_unix.so		no_warn try_first_pass


Make sure the above uses the correct format (tab separators). Note that users
will not be allowed in if their shell (specified in the LDAP database) is
not installed/linked and their home directory (specified in the LDAP database)
is not mounted (see security/pam_mkhomedir for a workaround). Also, the LDAP
server from the base of OpenBSD doesn't allow password changes.


Enjoy,
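The how-to above hinges on four things that are easy to get subtly wrong: the CA file must be readable by the user nslcd drops to, nslcd.conf must actually switch on TLS and verify the server, nsswitch.conf must list ldap for passwd and group (with files first, so root still resolves when the LDAP server is unreachable), and every line in /etc/pam.d/sshd must be a well-formed "type control module [options]" line, since a bare option token on a line of its own is not valid OpenPAM syntax. The following is an added preflight script (not part of the original posts, and not the port's own code) that checks all four. Assumptions: the service user is taken from the "uid" line of nslcd.conf (the port creates "nslcd", as the config above shows), the CA file from its "tls_cacertfile" line, and the three file paths are given as arguments. It also flags tls_reqcert never/allow, the nslcd equivalent of the TLS_REQCERT allow that the ldap.conf in the first post carried, because either value accepts any server certificate.

```shell
#!/bin/sh
# Added preflight checker for the nslcd + nsswitch + PAM setup described
# above; not part of the original posts. Assumptions: the service user is
# the "uid" line of nslcd.conf, the CA file is its "tls_cacertfile" line,
# and the PAM file uses OpenPAM's pam.d format.
# Usage: sh preflight.sh /usr/local/etc/nslcd.conf /etc/nsswitch.conf /etc/pam.d/sshd

# Can the service user read the CA file, judged from owner/group/mode bits?
check_ca_readable() {
    f=$1; svc=$2; ok=0
    if [ ! -f "$f" ]; then echo "$f: missing"; return 1; fi
    set -- $(ls -ld "$f")                 # mode links owner group ...
    mode=$1; owner=$3; group=$4
    case $mode in ?r?????r*) ok=1 ;; esac                               # o+r
    case $mode in ?r*)    if [ "$owner" = "$svc" ]; then ok=1; fi ;; esac
    case $mode in ????r*) if [ "$group" = "$svc" ]; then ok=1; fi ;; esac
    if [ "$ok" -eq 1 ]; then return 0; fi
    echo "$f: not readable by $svc (mode $mode, owner $owner, group $group)"
    return 1
}

# nslcd.conf: a plain ldap:// uri needs "ssl start_tls" or bind passwords cross
# the wire in clear; tls_reqcert never/allow would accept any certificate.
check_nslcd_conf() {
    awk '
    BEGIN { bad = 0; uri = ""; ssl = ""; reqcert = ""; ca = "" }
    NF == 0 || $1 ~ /^#/ { next }
    $1 == "uri"         { if (uri == "") uri = $2 }
    $1 == "ssl"         { ssl = $2 }
    $1 == "tls_reqcert" { reqcert = $2 }
    $1 == "tls_cacertfile" || $1 == "tls_cacertdir" { ca = $2 }
    END {
        if (uri == "") { print FILENAME ": no uri"; bad = 1 }
        if (uri ~ /^ldap:\/\// && ssl != "start_tls") {
            print FILENAME ": ldap:// uri without ssl start_tls"; bad = 1 }
        if (reqcert == "never" || reqcert == "allow") {
            print FILENAME ": tls_reqcert " reqcert " skips certificate checks"; bad = 1 }
        if (ca == "" && uri !~ /^ldapi:/) {
            print FILENAME ": no tls_cacertfile/tls_cacertdir to verify the server"; bad = 1 }
        exit bad
    }' "$1"
}

# nsswitch.conf: passwd and group must list ldap, with files before it so that
# local accounts (root) still resolve when nslcd or the LDAP server is down.
check_nsswitch() {
    awk '
    BEGIN { bad = 0 }
    NF == 0 || $1 ~ /^#/ { next }
    $1 == "passwd:" || $1 == "group:" {
        db = substr($1, 1, length($1) - 1); files = 0; ldap = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "files" && !files) files = i
            if ($i == "ldap" && !ldap) ldap = i
        }
        if (!ldap) { print FILENAME ": " db ": no ldap source"; bad = 1 }
        if (ldap && (!files || files > ldap)) { print FILENAME ": " db ": list files before ldap"; bad = 1 }
        seen[db] = 1
    }
    END {
        if (!seen["passwd"] || !seen["group"]) { print FILENAME ": passwd: or group: line missing"; bad = 1 }
        exit bad
    }' "$1"
}

# pam.d file: every live line is "type control module [options]" with a known
# type and control; a stray option token on its own line is reported. Also
# require pam_ldap.so in both the auth and the account stack.
check_pam_file() {
    awk '
    BEGIN { bad = 0 }
    NF == 0 || $1 ~ /^#/ { next }
    {
        if (NF < 3 || $1 !~ /^(auth|account|session|password)$/ ||
            $2 !~ /^(required|requisite|sufficient|optional|binding|include)$/) {
            printf "%s:%d: malformed PAM line: %s\n", FILENAME, FNR, $0; bad = 1
        } else if ($3 ~ /pam_ldap\.so$/) seen[$1] = 1
    }
    END {
        if (!seen["auth"])    { print FILENAME ": no pam_ldap.so in the auth stack"; bad = 1 }
        if (!seen["account"]) { print FILENAME ": no pam_ldap.so in the account stack"; bad = 1 }
        exit bad
    }' "$1"
}

preflight() {
    conf=$1; rc=0
    svc=$(awk '$1 == "uid" { print $2; exit }' "$conf")
    ca=$(awk '$1 == "tls_cacertfile" { print $2; exit }' "$conf")
    check_nslcd_conf "$conf" || rc=1
    if [ -n "$ca" ]; then check_ca_readable "$ca" "${svc:-nslcd}" || rc=1; fi
    check_nsswitch "$2" || rc=1
    check_pam_file "$3" || rc=1
    return "$rc"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A non-zero exit with the offending file and line printed is the signal to fix the configuration before restarting nslcd; the mode-bit check is deliberately static, so it works the same whether or not it is run as root.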