Difference between revisions of "Ldap auth"

From Secure Computing Wiki
(New page: This is the complete procedure for setting a host up to use LDAP for authentication on the example network. <ol> <li>First, install the following ports: * security/pam_ldap * secruity/pam...)
 
(added nscd line to rc.conf)

Revision as of 10:22, 3 November 2008

This is the complete procedure for setting a host up to use LDAP for authentication on the example network.

  1. First, install the following ports:
    • security/pam_ldap
    • security/pam_mkhomedir
    • net/nss_ldap
    • security/sudo
      • Enable LDAP and INSULTS
  2. Enable nscd:
    echo 'nscd_enable="YES"' >> /etc/rc.conf
  3. Create /usr/local/etc/ldap.conf with the following config:
    # LDAP Configuration
    URI ldaps://ldap.example.com ldaps://ldap2.example.com
    bind_timelimit 1
    bind_policy soft
    base dc=example,dc=com
    ldap_version 3
    scope sub
    ssl start_tls
    ssl on
    tls_checkpeer no
    tls_ciphers TLSv1
    TLS_CACERT /usr/local/etc/ca.crt
    
    pam_filter              objectclass=posixAccount
    pam_check_host_attr     yes
    pam_login_attribute     uid
    pam_member_attribute    memberUid
    pam_password            exop
    
    #nss_connect_policy oneshot
    nss_base_group ou=group,dc=example,dc=com
    nss_base_netgroup ou=group,dc=example,dc=com
    nss_initgroups_ignoreusers root,ldap
    
    sudoers_base ou=SUDOers,dc=example,dc=com
  4. Run the following series of commands to properly link our configuration file for the various LDAP components:
    # rm /usr/local/etc/openldap/ldap.conf
    # ln -s /usr/local/etc/ldap.conf /usr/local/etc/openldap/ldap.conf
    # ln -s /usr/local/etc/ldap.conf /usr/local/etc/nss_ldap.conf
  5. Edit /etc/nsswitch.conf with the following command:
    # sed -i '.pre_ldap' -e "s/ compat/ files ldap/g" /etc/nsswitch.conf
  6. Edit /etc/pam.d/system to read as follows:
    #
    # $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
    #
    # System-wide defaults
    #
    
    # auth
    auth            sufficient      pam_opie.so             no_warn no_fake_prompts
    auth            requisite       pam_opieaccess.so       no_warn allow_local
    #auth           sufficient      pam_krb5.so             no_warn try_first_pass
    #auth           sufficient      pam_ssh.so              no_warn try_first_pass
    auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
    auth            required        pam_unix.so             no_warn try_first_pass nullok
    
    # account
    #account        required        pam_krb5.so
    account         required        pam_login_access.so
    account         required        /usr/local/lib/pam_ldap.so      ignore_unknown_user ignore_authinfo_unavail
    account         required        pam_unix.so
    
    # session
    #session        optional        pam_ssh.so
    session         required        /usr/local/lib/pam_mkhomedir.so
    session         required        pam_lastlog.so          no_fail
    
    # password
    #password       sufficient      pam_krb5.so             no_warn try_first_pass
    password        required        pam_unix.so             no_warn try_first_pass
  7. Edit /etc/pam.d/sshd to read as follows:
    #
    # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
    #
    # PAM configuration for the "sshd" service
    #
    
    # auth
    auth            required        pam_nologin.so          no_warn
    auth            sufficient      pam_opie.so             no_warn no_fake_prompts
    auth            requisite       pam_opieaccess.so       no_warn allow_local
    #auth           sufficient      pam_krb5.so             no_warn try_first_pass
    #auth           sufficient      pam_ssh.so              no_warn try_first_pass
    auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
    auth            required        pam_unix.so             no_warn try_first_pass
    
    # account
    #account        required        pam_krb5.so
    account         required        pam_login_access.so
    account         required        /usr/local/lib/pam_ldap.so      ignore_unknown_user ignore_authinfo_unavail
    account         required        pam_unix.so
    
    # session
    #session        optional        pam_ssh.so
    session         required        /usr/local/lib/pam_mkhomedir.so
    session         required        pam_permit.so
    
    # password
    #password       sufficient      pam_krb5.so             no_warn try_first_pass
    password        required        pam_unix.so             no_warn try_first_pass
  8. Remove all non-system user accounts and groups. These will be pulled from LDAP.
  9. Obtain the example CA root certificate; place it in /usr/local/etc/:
    # fetch "ftp://repo.example.com/pub/example/ca.crt" -o /usr/local/etc/ca.crt
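Before the stack in steps 6 and 7 goes live, the ldap.conf from step 3 and the nsswitch.conf edited in step 5 are worth a review for the handful of settings that decide whether the TLS transport actually protects the bind password: as written, tls_checkpeer no means the CA certificate fetched in step 9 is never used to verify the server, and the file sets both ssl start_tls and ssl on although only one mode can be in effect. The following Python script is an added example, not part of this wiki page and not code from pam_ldap or nss_ldap; the sample texts it embeds are constructed copies of the page's ldap.conf and of an nsswitch.conf after step 5, and HARDENED_LDAP_CONF is an assumed corrected variant, not a setting the page prescribes.

```python
"""Lint a pam_ldap/nss_ldap ldap.conf and an nsswitch.conf before a host is
switched to LDAP authentication.  Added example; sample inputs are constructed."""

# Constructed sample: the ldap.conf given in step 3 of the procedure.
SAMPLE_LDAP_CONF = """\
# LDAP Configuration
URI ldaps://ldap.example.com ldaps://ldap2.example.com
bind_timelimit 1
bind_policy soft
base dc=example,dc=com
ldap_version 3
scope sub
ssl start_tls
ssl on
tls_checkpeer no
tls_ciphers TLSv1
TLS_CACERT /usr/local/etc/ca.crt
pam_filter              objectclass=posixAccount
pam_check_host_attr     yes
pam_login_attribute     uid
pam_member_attribute    memberUid
pam_password            exop
nss_base_group ou=group,dc=example,dc=com
sudoers_base ou=SUDOers,dc=example,dc=com
"""

# Assumed hardened variant (not from the page): one TLS mode, peer verification on.
HARDENED_LDAP_CONF = SAMPLE_LDAP_CONF.replace("ssl start_tls\n", "").replace(
    "tls_checkpeer no", "tls_checkpeer yes")

# Constructed samples: nsswitch.conf before and after the sed in step 5.
NSSWITCH_BEFORE = "group: compat\nhosts: files dns\npasswd: compat\n"
NSSWITCH_AFTER = "group: files ldap\nhosts: files dns\npasswd: files ldap\n"


def parse_ldap_conf(text):
    """Return {key: [value, ...]} with keys lower-cased (TLS_CACERT and
    tls_checkpeer are both valid spellings) and every occurrence kept, so a
    key given twice, like 'ssl' above, is visible to the linter."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        cfg.setdefault(parts[0].lower(), []).append(value)
    return cfg


def lint_ldap_conf(cfg):
    """Return (severity, message) findings about transport and login policy."""
    findings = []
    uris = " ".join(cfg.get("uri", [])).split()
    plain = [u for u in uris if u.lower().startswith("ldap://")]
    if plain:
        findings.append(("high", "plaintext ldap:// URI(s): " + ", ".join(plain)))
    modes = [v.lower() for v in cfg.get("ssl", [])]
    if "start_tls" in modes and "on" in modes:
        findings.append(("medium", "both 'ssl start_tls' and 'ssl on' are set; "
                         "they are exclusive modes and only one can take effect"))
    if "start_tls" in modes and uris and all(u.lower().startswith("ldaps://") for u in uris):
        findings.append(("low", "'ssl start_tls' is redundant with ldaps:// URIs, "
                         "which negotiate TLS on connect"))
    checkpeer = [v.lower() for v in cfg.get("tls_checkpeer", [])]
    if checkpeer and checkpeer[-1] in ("no", "never"):
        findings.append(("high", "tls_checkpeer %s: the server certificate is not "
                         "verified, so the CA file cannot stop server impersonation"
                         % checkpeer[-1]))
    if "tls_cacert" not in cfg:
        findings.append(("medium", "no TLS_CACERT: nothing to verify the server against"))
    if [v.lower() for v in cfg.get("pam_check_host_attr", [])][-1:] != ["yes"]:
        findings.append(("medium", "pam_check_host_attr is not 'yes': every LDAP "
                         "account may log in regardless of its host attribute"))
    return findings


def databases_without_ldap(text, wanted=("passwd", "group")):
    """Return the wanted nsswitch databases whose source list lacks 'ldap'."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, rest = line.split(":", 1)
            sources[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return [db for db in wanted if "ldap" not in sources.get(db, [])]


if __name__ == "__main__":
    for name, text in (("page ldap.conf", SAMPLE_LDAP_CONF),
                       ("hardened ldap.conf", HARDENED_LDAP_CONF)):
        print(name)
        for severity, message in lint_ldap_conf(parse_ldap_conf(text)) or [("ok", "no findings")]:
            print("  [%s] %s" % (severity, message))
    print("nsswitch before step 5, missing ldap:", databases_without_ldap(NSSWITCH_BEFORE))
    print("nsswitch after step 5, missing ldap:", databases_without_ldap(NSSWITCH_AFTER))
```

Running it against the page's own ldap.conf reports the duplicated ssl mode, the redundant start_tls and the disabled peer check; the assumed hardened variant reports nothing. The nsswitch check is the one to run after step 5, since the sed only rewrites lines that contain " compat" and a host whose passwd or group line was already customised would silently keep resolving from files alone.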

You can test the setup by trying to log in to the server with your LDAP user account. Also, a simple finger <username>, where <username> is an LDAP account, will verify whether the system is able to pull account information from LDAP.