Setting up pam_ldap & nss_ldap
Joerg Pulz
Joerg.Pulz at frm2.tum.de
Thu Sep 2 12:38:31 PDT 2004
On Thu, 2 Sep 2004, Curtis Vaughan wrote:
> On 5.3-Beta I have installed pam_ldap and nss_ldap.
>
> Then I edited the following files:
>
> /usr/local/etc/ldap.conf
> /etc/nsswitch.conf
> files within /etc/pam.d
> particularly /etc/pam.d/ldap and ./sshd and ./su
> /usr/local/etc/nss_ldap.conf
>
> I think that's it. I can provide each of those files if necessary.
> Nonetheless authentication for users not local to this system is not
> occurring (which would normally occur for me under Linux). I have tried
> authenticating the following ways: 1) through ssh; 2) through su. I have
> noticed, however, that the way I do this under Linux is not the same as for
> FreeBSD. So, it's quite possible that I have left something out. Anyhow, I
> would appreciate any input into what needs to be configured to get this to
> work.
I have a FreeBSD-5.2.1 system that provides ssh logins based on LDAP
accounts via nss_ldap and pam_ldap.
It works perfectly.
/etc/nsswitch.conf
---
passwd: files [NOTFOUND=continue] ldap
group: files [NOTFOUND=continue] ldap
shells: files
hosts: files dns
---
/etc/pam.d/sshd
---
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass debug
auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_krb5.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so use_authtok
password required pam_unix.so no_warn try_first_pass
---
/usr/local/etc/nss_ldap.conf (without TLS stuff)
---
host ldap1.example.com ldap2.example.com
base dc=example,dc=com
ldap_version 3
port 389
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password clear
pam_password exop
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
# debug testing
#logdir /var/log
#debug 9
---
I use the same configuration for pam_ldap and nss_ldap, so create a
symlink to /usr/local/etc/nss_ldap.conf for /usr/local/etc/ldap.conf or
make an exact copy. All other entries in nss_ldap are commented out for
me.
Don't forget to change "dc=example,dc=com" and "ldap1.example.com
ldap2.example.com" to your values.
There is no need for a .secret file for pam_ldap or nss_ldap.
To be clear, if you set a rootbinddn or binddn which has the right to read
the userPassword attribute, a getpwent(3) call would return all password
hashes, which is surely not what you want. The better way is to let
nss_ldap only return the account information without the password and let
pam_ldap try to bind as the user's DN with the submitted password.
Another point is that the whole pam_ldap stuff can be skipped if you use
a binddn or rootbinddn with nss_ldap and this DN is allowed to read the
userPassword attribute, as the password is available to pam_unix and makes
authentication possible. But remember the risk that someone is able to use
getpwent(3) to get all password hashes that are stored in LDAP.
If it's still not working for you, uncomment the "logdir" and "debug" lines
in nss_ldap.conf and, if not symlinked, in ldap.conf too. After trying a
new login you will find a file "ldap.<PID>" in the directory specified as
"logdir". The whole LDAP lookup and LDAP bind phase is written to this
file so one can analyze what's working or not.
Feel free to ask again if you still have problems.
Regards,
Joerg
--
The beginning is the most important part of the work.
-Plato
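Added check, not part of Joerg's post or of nss_ldap/pam_ldap: the hash-exposure risk described above (a binddn allowed to read userPassword makes getpwent(3) hand every hash to any local user) can be confirmed from the client side by walking the NSS passwd database as an unprivileged user and flagging records whose password field is not a placeholder. The script assumes Python 3 with the standard pwd module on the host; the sample entries and their hash strings are constructed.

```python
import pwd
import re

# Placeholders a passwd(5) record carries when the hash is withheld
# ("*" and "x" are the usual markers; "!" / "" are locked or empty entries).
PLACEHOLDERS = {"*", "x", "!", "!!", ""}
# Scheme prefix LDAP userPassword values usually carry, e.g. {CRYPT} or {SSHA}.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def leaking_entries(passwd_lines):
    """Return (login, scheme) for every passwd-format line whose password
    field holds credential material instead of a placeholder.
    passwd_lines: 'name:pw:uid:gid:gecos:dir:shell' strings, i.e. what
    getpwent(3) hands to an unprivileged caller."""
    leaks = []
    for line in passwd_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a well-formed passwd(5) record
        login, secret = fields[0], fields[1]
        if secret in PLACEHOLDERS:
            continue
        m = SCHEME_RE.match(secret)
        leaks.append((login, m.group(1).upper() if m else "crypt-style"))
    return leaks

def audit_live_nss():
    """Walk the live NSS passwd database (files + ldap, per nsswitch.conf)
    as the current user and return whatever hashes it hands out."""
    records = (":".join([e.pw_name, e.pw_passwd, str(e.pw_uid), str(e.pw_gid),
                         e.pw_gecos, e.pw_dir, e.pw_shell])
               for e in pwd.getpwall())
    return leaking_entries(records)

# Constructed sample: two clean entries and two that expose hash material
# (the hash strings are made up and are not valid credentials).
SAMPLE = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:{SSHA}bm90LWEtcmVhbC1oYXNo:1002:1002:Bob:/home/bob:/bin/sh
carol:$1$saltsalt$notarealhashvalue:1003:1003:Carol:/home/carol:/bin/sh
"""

if __name__ == "__main__":
    for login, scheme in leaking_entries(SAMPLE.splitlines()):
        print(f"LEAK: {login} exposes a {scheme} hash via getpwent(3)")
```

Run audit_live_nss() as a normal user on the client; with the anonymous nss_ldap setup from the post it should return an empty list, and any non-empty result means the directory ACL or binddn needs fixing.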