Quick and dirty FreeBSD 5.x and nss_ldap mini-HOWTO
20030807 : version 0.01.1
Clement Laforet <sheepkiller@cultdeadsheep.org>
I. Introduction:
Since 5.1, FreeBSD supports NSS modules.
For the moment, only the nss_ldap module is in the ports tree; the MySQL one is
still pending (</subliminal message to ports committers 8-)>).
Why use LDAP as the NSS backend?
I have nearly 7 PCs at home, and some "external users" with different
access rights (inn, apache, etc.), so I need a flexible
authentication/identification backend: LDAP is a solution.
I wrote this quick and dirty mini-HOWTO after a small thread on
freebsd-questions.
II. Getting started
2.1 Getting FreeBSD 5.x
Install or upgrade your system to at least FreeBSD 5.1. I won't cover
this; the Handbook already contains all the information you need to
accomplish this task.
2.2 Installing software
What do we need?
- An OpenLDAP server to store all users.
- On the client side: LDAP libraries, nss_ldap and pam_ldap.
- Optionally a web frontend and other schemas (e.g. samba).
I recommend you use OpenLDAP 2.1.
On the server:
[root@test ~]# cd /usr/ports/net/openldap21/
[root@test openldap21]# make install clean
<snip>
On the client(s):
[root@test ~]# cd /usr/ports/net/openldap21/
[root@test openldap21]# make CLIENT_ONLY=yes install clean
<snip>
[root@test ~]# cd /usr/ports/net/nss_ldap/
[root@test nss_ldap]# make install clean
<snip>
[root@test ~]# cd /usr/ports/security/pam_ldap/
[root@test pam_ldap]# make install clean
<snip>
III. Quick LDAP configuration
3.1 Setting up the server
This setup is NOT very secure, but it's a good way to get familiar with
OpenLDAP. You'll need to add ACLs later; please refer to the OpenLDAP
documentation for this.
First of all you have to generate a new password hash.
For this, use slappasswd(8).
[root@test ~]# slappasswd -s LamePassword
{SSHA}VV8wdb4sGLy7Lroi4gxXaj33jCm9tGtP
Here is a sample slapd.conf:
# slapd.conf
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args
database        bdb
suffix          "dc=test,dc=org"
rootdn          "cn=Manager,dc=test,dc=org"
rootpw          {SSHA}VV8wdb4sGLy7Lroi4gxXaj33jCm9tGtP
directory       /var/db/openldap-data
index           objectClass eq
index           uid pres,eq,sub
Rename the OpenLDAP rc.d script.
[root@test ~]# mv /usr/local/etc/rc.d/slapd.sh.sample /usr/local/etc/rc.d/slapd.sh
Start slapd.
[root@test ~]# /usr/local/etc/rc.d/slapd.sh start
slapd.conf holds the rootpw hash, so keep it readable only by the ldap user,
and give the database directory to that user too:
[root@test ~]# chmod 440 /usr/local/etc/openldap/slapd.conf
[root@test ~]# chown ldap:ldap /usr/local/etc/openldap/slapd.conf
[root@test ~]# chown -R ldap:ldap /var/db/openldap*
3.2 Populate the database
We need an LDIF file to populate the database, using slapadd.
Sample initial LDIF entry file, test.ldif:
dn: dc=test,dc=org
dc: test
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: test.org
structuralObjectClass: domain

dn: ou=groups,dc=test,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit

dn: ou=people,dc=test,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit

dn: cn=StupidTest User,ou=people,dc=test,dc=org
cn: StupidTest User
sn: Dummy
objectclass: top
objectclass: person
objectclass: posixAccount
objectclass: shadowAccount
uid: testuser
userpassword: {SSHA}GmbwsRvJugoiT5NIIJ2bk+5YVfWMUVa1
uidnumber: 1000
gidnumber: 1000
gecos: TestUser
loginShell: /bin/csh
homeDirectory: /home/test

dn: cn=test,ou=groups,dc=test,dc=org
objectclass: top
objectclass: posixGroup
cn: test
gidnumber: 1000
memberuid: test
Submit the initial LDIF (slapadd(8) writes to the BDB files directly, so
slapd should not be running while you do this; restart it afterwards).
[root@test ~]# slapadd -l /root/test.ldif
And it should be OK! :-)
Use the template below to add new users:
dn: cn=StupidTest User2,ou=people,dc=test,dc=org
cn: StupidTest User2
sn: Dummy
objectclass: top
objectclass: person
objectclass: posixAccount
objectclass: shadowAccount
uid: testuser2
userpassword: {SSHA}wU0T6ixZb9sU2+JTK8Au8sq7noNfMkbv
uidnumber: 1001
gidnumber: 1001
gecos: TestUser
loginShell: /bin/csh
homeDirectory: /home/test2

dn: cn=test2,ou=groups,dc=test,dc=org
objectclass: top
objectclass: posixGroup
cn: test2
gidnumber: 1001
memberuid: test2
memberuid: test
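The template above is easy to get subtly wrong by hand (uidNumber and gidNumber drifting apart, memberUid not matching the uid attribute that nss_ldap looks up). This added example, which is my own and not part of the original HOWTO, generates the user/primary-group pair from a few arguments and refuses values that would break the DN or the posix attributes; it assumes the password hash has already been made with slappasswd -s as shown in 3.1.

```sh
#!/bin/sh
# Added example, not part of the original HOWTO: build the user + primary-group
# LDIF pair from the template above so that uidNumber and gidNumber agree, the
# home directory and group name follow the login, and memberUid carries the
# login name (the uid attribute) that nss_ldap matches on.
# Assumption: HASH is produced beforehand with `slappasswd -s`.

BASE="dc=test,dc=org"

# usage: new_user_ldif LOGIN "FULL NAME" SURNAME NUMBER HASH  -> LDIF on stdout
new_user_ldif() {
    login=$1 full=$2 sn=$3 num=$4 hash=$5
    # refuse values that would break the DN or the posix attributes
    case $login in ''|*[!a-z0-9_-]*) echo "bad login: $login" >&2; return 1;; esac
    case $num   in ''|*[!0-9]*)      echo "bad uid/gid number: $num" >&2; return 1;; esac
    case $full  in ''|*[',+"<>;']*)  echo "bad full name: $full" >&2; return 1;; esac
    case $hash  in {*}*) ;; *) echo "hash must come from slappasswd" >&2; return 1;; esac
    cat <<EOF
dn: cn=$full,ou=people,$BASE
cn: $full
sn: $sn
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: $login
userPassword: $hash
uidNumber: $num
gidNumber: $num
gecos: $full
loginShell: /bin/csh
homeDirectory: /home/$login

dn: cn=$login,ou=groups,$BASE
objectClass: top
objectClass: posixGroup
cn: $login
gidNumber: $num
memberUid: $login
EOF
}

# Example call; the hash is a constructed placeholder, generate a real one with
# slappasswd -s. Load the output with slapadd -l (slapd stopped) or
# ldapadd -x -D "cn=Manager,dc=test,dc=org" -W -f (slapd running).
# new_user_ldif testuser3 "StupidTest User3" Dummy 1002 '{SSHA}PLACEHOLDER' > /root/testuser3.ldif
```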
IV. nss_ldap/pam_ldap/nsswitch.conf configuration
${PREFIX}/etc/ldap.conf is used by pam_ldap and ${PREFIX}/etc/nss_ldap.conf
by nss_ldap.
4.1 nss_ldap
My ${PREFIX}/etc/nss_ldap.conf and ${PREFIX}/etc/ldap.conf:
host            127.0.0.1
base            dc=test,dc=org
uri             ldap://127.0.0.1:389/
binddn          cn=manager,dc=test,dc=org
bindpw          LamePassword
port            389
nss_base_passwd ou=People,dc=test,dc=org?one
nss_base_group  ou=Groups,dc=test,dc=org?one
pam_password    SSHA
Note that nss_ldap.conf has to be readable by every process that resolves a
user or group, so the bindpw above (here the rootdn password) is visible to
every local user; once things work, bind anonymously or as a read-only account
instead.
[root@test ~]# ln -s /etc/ldap.conf /usr/local/etc/ldap.conf
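An added check, my own and not from the HOWTO, that reads a copy of this file and reports the weak points just described: a bindpw in a file NSS forces to be world-readable, a binddn that is the slapd rootdn, and a plain ldap:// URI to a remote host without "ssl start_tls". It assumes the port's default slapd.conf path; the warning texts are mine.

```sh
#!/bin/sh
# Added example (not from the original HOWTO): audit an nss_ldap.conf / ldap.conf
# for the weak points in the sample above. nss_ldap.conf must be world-readable
# because every process that resolves a uid or gid reads it, so a bindpw kept in
# it is readable by all local users; binding as the slapd rootdn therefore hands
# out the directory administrator's password. Assumes the slapd.conf path is
# the OpenLDAP port default used on this page.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# conf_value FILE KEY -> value of the first "KEY value" line (key is case-insensitive)
conf_value() {
    awk -v k="$2" 'tolower($1)==k { $1=""; sub(/^[ \t]+/,""); gsub(/"/,""); print; exit }' "$1"
}

# audit_ldap_conf CONF [SLAPD_CONF]: prints one WARN line per finding, returns the count
audit_ldap_conf() {
    conf=$1 slapd_conf=${2:-/usr/local/etc/openldap/slapd.conf} findings=0
    binddn=$(conf_value "$conf" binddn)
    bindpw=$(conf_value "$conf" bindpw)
    uri=$(conf_value "$conf" uri)
    rootdn=""
    [ -r "$slapd_conf" ] && rootdn=$(conf_value "$slapd_conf" rootdn)
    if [ -n "$bindpw" ]; then
        echo "WARN: cleartext bindpw in $conf, which NSS requires to be world-readable"
        findings=$((findings + 1))
    fi
    if [ -n "$binddn" ] && [ -n "$rootdn" ] && [ "$(lc "$binddn")" = "$(lc "$rootdn")" ]; then
        echo "WARN: binddn is the slapd rootdn; bind anonymously or as a read-only account"
        findings=$((findings + 1))
    fi
    case $(lc "$uri") in
        ldap://127.0.0.1*|ldap://localhost*|ldaps://*|'') ;;   # loopback or TLS: fine
        ldap://*) if ! grep -qi '^ssl[[:space:]]*start_tls' "$conf"; then
                      echo "WARN: $uri sends the bind password over the network in clear"
                      findings=$((findings + 1))
                  fi ;;
    esac
    return $findings
}

# Usage: audit_ldap_conf /usr/local/etc/nss_ldap.conf; echo "findings: $?"
```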
4.2 pam_ldap
In your /etc/pam.d directory you have your PAM service entries.
You have to add this line before the "required" auth entry:
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
Sample:
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#
# auth
#auth           required        pam_nologin.so                  no_warn
#auth           sufficient      pam_opie.so                     no_warn no_fake_prompts
#auth           requisite       pam_opieaccess.so               no_warn allow_local
#auth           sufficient      pam_krb5.so                     no_warn try_first_pass
#auth           sufficient      pam_ssh.so                      no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so                     no_warn try_first_pass
<snip>
4.3 nsswitch.conf
Edit your config file like this:
[root@test ~]# cat /etc/nsswitch.conf
passwd: files ldap
group: files ldap
At boot, slapd may take some time to come up; don't worry, it's just a name
lookup: slapd looks up the "ldap" user, nsswitch sends that lookup to LDAP,
and the server can't answer because it isn't running yet, so the lookup
waits for its timeout.
4.4 Testing
[root@test ~]# id testuser
uid=1000(testuser) gid=1000(test) groups=1000(test)
[root@test ~]# id testuser2
uid=1001(testuser2) gid=1001(test2) groups=1001(test2)
[root@test ~]# finger testuser
Login: testuser                         Name: TestUser
Directory: /home/test                   Shell: /bin/csh
On since Thu Aug  7 15:24 (CEST) on ttyp2, idle 0:11, from chuck
No Mail.
No Plan.
[root@test ~]# ssh testuser@localhost
The authenticity of host 'localhost (::1)' can't be established.
DSA key fingerprint is 24:a9:56:81:80:21:33:01:7f:e3:64:30:95:52:16:3d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (DSA) to the list of known hosts.
Password:
Last login: Thu Aug  7 15:24:10 2003 from chuck.cultdeads
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 5.1-CURRENT (TEST) #0: Thu Jul 31 03:00:20 CEST 2003

Welcome to FreeBSD!

Before seeking technical support, please use the following resources:

o  Security advisories and updated errata information for all releases are
   at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
   for your release first as it's updated frequently.

o  The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
   along with the mailing lists, can be searched by going to
   http://www.FreeBSD.org/search/.  If the doc distribution has
   been installed, they're also available formatted in /usr/share/doc.

If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list.  If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page.  If you are not familiar with manual pages, type `man man'.

You may also use sysinstall(8) to re-enter the installation and
configuration utility.  Edit /etc/motd to change this login announcement.

% id
uid=1000(testuser) gid=1000(test) groups=1000(test)
TODO:
- Changing password section
- Web front end section
- samba + LDAP section
- secured version of this document