LDAP Authentication and Authorization
Predrag Punosevac
punosevac72 at gmail.com
Sat Jun 24 12:22:12 UTC 2017
Hi Folks,
Just to post the solution for the people who might stumble on my
original post.
I had a permission problem on the LDAP server certificate file, which
could not be read by the nslcd daemon. The original nslcd.conf file I
posted is also not quite correct, so this is the complete how-to.
Note that you don't have to have openldap-client working at all to be
able to authorize and authenticate to a FreeBSD server using only an
LDAP account (ldapsearch will not work, though). The most effective way
to use the PAM approach is to
pkg install nss-pam-ldapd
cd /usr/local/etc/
Edit the nslcd.conf file to use the OpenLDAP server-side certificate to
get user credentials.
root at hera:/usr/local/etc # more nslcd.conf
uid nslcd
gid nslcd
uri ldap://atlas.int.autonlab.org
base dc=autonlab,dc=org
# StartTLS
ssl start_tls
# CA certificates for server certificate verification
tls_cacertdir /usr/local/etc/nslcd-certs
tls_cacertfile /usr/local/etc/nslcd-certs/ca.crt
Note that nslcd runs as the nslcd user, so the file
/usr/local/etc/nslcd-certs/ca.crt must be readable by the nslcd daemon:
root at hera:~ # ls -l /usr/local/etc/nslcd-certs/ca.crt
-r-------- 1 nslcd nslcd 1448 Jun 23 22:21 /usr/local/etc/nslcd-certs/ca.crt
Enable the nslcd daemon:
echo 'nslcd_enable="YES"' >> /etc/rc.conf
Start the daemon:
service nslcd start
(note that for debugging purposes, run it as nslcd -d)
Edit your /etc/nsswitch.conf file and restart nsswitch
root at hera:~ # more /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
#
# group: compat
group: files ldap
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
# passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
# services: compat
services: files ldap
services_compat: nis
protocols: files
rpc: files
s/group: compat/group: files ldap/
s/passwd: compat/passwd: files ldap/
s/services: compat/services: files ldap/
To allow ssh login only, edit /etc/pam.d/sshd by adding the pam_ldap.so
option:
root at hera:~ # more /etc/pam.d/sshd
#
# $FreeBSD: releng/11.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#
# auth
auth		sufficient	pam_opie.so			no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so		no_warn allow_local
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn
auth		required	pam_unix.so			no_warn try_first_pass
# account
account		required	pam_nologin.so
account		required	pam_login_access.so
account		sufficient	/usr/local/lib/pam_ldap.so
account		required	pam_unix.so
# session
session		required	pam_permit.so
# password
password	sufficient	/usr/local/lib/pam_ldap.so	try_first_pass
password	required	pam_unix.so			no_warn try_first_pass
Make sure the above uses the correct format (tab separators). Note that
users will not be allowed in if their shell (specified in the LDAP
database) is not installed/linked and their home directory (specified in
the LDAP database) is not mounted (see security/pam_mkhomedir for a
workaround). Also, the LDAP server from the OpenBSD base system doesn't
allow password changes.
Enjoy,
Predrag
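As an added example that is not part of the original post: a small POSIX sh script that checks the two points the how-to turns on, nslcd.conf enabling StartTLS with CA verification (and not switching verification off with tls_reqcert never/allow), and the CA file being readable by the nslcd user but by nobody else. The config path and the expected owner are parameters (assumptions, so it can run against a copy); the sample files it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the nslcd
# setup described above. Paths and the expected owner are parameters.

# check_nslcd_conf FILE
# Returns 0 if FILE turns on StartTLS, names a CA file, and does not
# disable server certificate verification via "tls_reqcert never|allow".
check_nslcd_conf() {
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$1" \
        || { echo "missing: ssl start_tls"; return 1; }
    grep -Eq '^[[:space:]]*tls_cacertfile[[:space:]]+[^[:space:]]' "$1" \
        || { echo "missing: tls_cacertfile"; return 1; }
    grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+(never|allow)' "$1" \
        && { echo "tls_reqcert disables server verification"; return 1; }
    return 0
}

# check_ca_file FILE OWNER
# Returns 0 if FILE is owned by OWNER and readable only by that owner,
# i.e. the "-r-------- nslcd nslcd" layout shown in the post.
check_ca_file() {
    info=$(ls -l "$1" 2>/dev/null) || { echo "cannot read $1"; return 1; }
    mode=$(echo "$info" | awk '{print $1}')
    owner=$(echo "$info" | awk '{print $3}')
    [ "$owner" = "$2" ] || { echo "owner is $owner, expected $2"; return 1; }
    # trailing "*" tolerates the "." or "+" some ls versions append
    case $mode in
        -r--------*|-rw-------*) return 0 ;;
        *) echo "mode $mode lets group/others read the CA file"; return 1 ;;
    esac
}

# Constructed sample: a good conf, a weak one, and a placeholder CA file
# with the post's permissions (owned by the current user here, not nslcd).
demo=$(mktemp -d)
printf 'uid nslcd\nssl start_tls\ntls_cacertfile %s/ca.crt\n' "$demo" > "$demo/good.conf"
printf 'uid nslcd\nssl start_tls\ntls_reqcert never\n' > "$demo/weak.conf"
printf 'constructed placeholder, not a real certificate\n' > "$demo/ca.crt"
chmod 0400 "$demo/ca.crt"
check_nslcd_conf "$demo/good.conf" && echo "good.conf: ok"
check_nslcd_conf "$demo/weak.conf" || echo "weak.conf: rejected"
check_ca_file "$demo/ca.crt" "$(id -un)" && echo "ca.crt: ok"
```

On a real host, run check_nslcd_conf against /usr/local/etc/nslcd.conf and check_ca_file against the tls_cacertfile path with nslcd as the expected owner.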