FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
O. Hartmann
ohartman at zedat.fu-berlin.de
Fri Sep 28 11:30:08 PDT 2007
Thank you for responding.
So, I'll feel free reporting my bad luck. This is a reference page I
consulted for some hints, but without success:
http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
First, OS ist the most recent FreeBSD 7.0.
OpenLDAP is openldap-server-2.3.38, standard config, no SASL support or
anything else apart from default
PAM_LDAP
NSS_LDAP
I renamed cached.conf to nscd.conf as suggested (for your information).
In /etc/nsswitch.conf I changed
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
I also changed /etc/pam.d/sshd to this:
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn
no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn
try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn
try_first_pass
auth sufficient pam_ssh.so no_warn
try_first_pass
auth required pam_unix.so no_warn
try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn
try_first_pass
password required pam_unix.so no_warn
try_first_pass
Both configuration files for nss_ldap and pam_ldap respective got linked
to /usr/localetc/openldap/ldap.conf, which looks like this:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=foo,dc=org
#URI ldapi:///
URI ldapi://%2fvar%2frun%2fopenldap%2fldapi/
#SSL start_tls
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERT
#TLS_CERT
#TLS_KEY
#TLS_REQCERT allow
#TLS_REQCERT demand
#TLS_CHECKPEER yes
My /etc/rc.conf.local file has the following OpenLDAP specific entry:
###########################################################
### OpenLDAP Server ###
###########################################################
slapd_enable="YES"
#slapd_flags='-d 3 -4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/
ldap:/// ldaps:///"'
slapd_flags='-4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/
ldap://192.168.2.210 ldaps://192.168.2.210"'
slapd_sockets="/var/run/openldap/ldapi"
My OpenLDAP config file has SSL-certificates disabled.
After the installation of nss_ldap the slapd server takes several
decades of seconds to start. But it starts well and after it has
initiated itself, I can do on the server a simple 'slapcat' and receive.
But I can't access the LDAP server. Doing an 'id testuser' results in
'id not found'.
On the console, I receive massively errors like this:
TCP: [127.0.0.1]:389 to [127.0.0.1]:63896 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received data after socket was closed,
sending RST and removing tcpcb
Well, I checked sockstat for a listening slapd and I found slapd
listening on both loopback, local NIC adn on both ports 389 and 636.
So what is wrong ?
Regards,
a desperate Oliver
Brian A. Seklecki wrote:
> FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
> (PKI).
>
> All other services (RADIUS, Apache ((mod_ldap, mod_pam_auth), PHP,
> interactive shell, SFTP, etc.) can be tied into LDAP either directly or
> via PAM.
>
> As for password change, I don't know if anyone has a passwd(1) binary
> that properly changes the LDAP password attribute -- if there is and its
> out there, it requires ACL insanity. Like Oracle, you can either
> understand OpenLDAP ACLs, or you have real work to do >:}
>
> Check the nss_pam.conf and nss_ldap.conf configs in local/etc/*
> -- set to "debug 1" to get debugging info. Feel free to share
> error messages.
>
> ~BAS
>
> On Fri, 2007-09-28 at 10:54 +0000, O. Hartmann wrote:
>
>> Hello out there,
>> I have a problem with setting up an FreeBSD box as OpenLDAP server with
>> several services, like SAMBA, NFS.
>>
>> The intention is to have a FreeBSD 7.0 fileserver (NFS, SAMBA) also
>> acting as OpenLDAP server. So far. OpenLDAP is up and running, using
>> TLS/SSL certificate. SAMBA is also up and running - but it never
>> connects to the OpenLDAP server due to an connection error, but this
>> shouldn't be the subject here, I have more basic questions about what
>> FreeBSD already has and what to install additionally.
>>
>> I want customers to log in on the FBSD box, so they sould log in
>> (authenticated via OpenLDAP), change their passwords and shells and
>> those user specifica should be updated on the LDAP server.
>>
>> I already installed pam_ldap-port but ran into trouble because FreeBSD's
>> nss obviously does not have a tag 'ldap' to refere to an OpenLDAP server
>> (and not files).
>> Well, I'm confused and not very firm with OpenLDAP/PAM/NSS stuff,
>> especially if SSL/TLS come into play and I would like to ask those
>> herein administering those setups, especially within a hybrid NFS/SAMBA
>> fileservicing environment, where to find up to date
>> informationes/howto/tipps.
>>
>> Most websites and HowTo's I found were Linux related or, if related to
>> FreeBSD, outdated.
>>
>> Sorry beeing so unspecific, but the problem is complex (to me) so I
>> would better ask for those who are willing to help or give hints and tips.
>>
>> Thanks in advance and for your patience,
>> Oliver
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>
>>
>>
>>
>>
>>
>>
>
>
More information about the freebsd-questions
mailing list