Difference between revisions of "OpenLDAP/Authentication"

From Secure Computing Wiki
Revision as of 10:36, 21 April 2008

To use OpenLDAP for authentication on FreeBSD, we're going to need to customize our cosine.schema, and install/configure a few additional ports.

First, we need to install the following ports:

  • security/pam_ldap
  • security/pam_mkhomedir
  • net/nss_ldap

Once the above ports are installed, we need to build our ldap.conf file. What's interesting is that Luke H over at PADL Software, Ltd (http://www.padl.com) has made his pam_ldap module configuration compatible with OpenLDAP's configuration. The end result is that both pieces of software use /usr/local/etc/ldap.conf. nss_ldap follows the same pattern.

A good ldap.conf file to use is as follows:

host ldap.claimlynx.com
base dc=claimlynx,dc=com
ldap_version 3
#ssl start_tls
#TLS_CACERT /usr/local/etc/openldap/ca.crt

nss_base_netgroup cn=group,dc=claimlynx,dc=com?one
nss_base_group ou=group,dc=claimlynx,dc=com

pam_check_host_attr yes
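As an added example (not part of the original wiki page or of the pam_ldap/nss_ldap projects), here is a small Python checker that parses an ldap.conf in the format shown above and reports the settings that matter for security: whether `ssl start_tls` is active or merely commented out (in which case bind credentials cross the network in cleartext), whether a `TLS_CACERT` is configured so the server certificate can be verified, and whether `pam_check_host_attr` restricts which LDAP users may log in to this host. The embedded sample configuration is constructed from the one on the page; the hostname and base DN are the page's own.

```python
"""Audit a pam_ldap/nss_ldap style ldap.conf for security-relevant settings."""
from typing import Dict, List, Tuple

# Constructed sample, modelled on the ldap.conf shown on the wiki page.
SAMPLE_LDAP_CONF = """\
host ldap.claimlynx.com
base dc=claimlynx,dc=com
ldap_version 3
#ssl start_tls
#TLS_CACERT /usr/local/etc/openldap/ca.crt

nss_base_netgroup cn=group,dc=claimlynx,dc=com?one
nss_base_group ou=group,dc=claimlynx,dc=com

pam_check_host_attr yes
"""


def parse_ldap_conf(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (active, commented) maps of keyword -> value.

    ldap.conf keywords are case-insensitive, so they are normalised to
    lowercase. A '#' line whose remainder still looks like a directive is
    recorded separately, so the audit can tell "disabled" from "absent".
    """
    active: Dict[str, str] = {}
    commented: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = active
        if line.startswith("#"):
            line = line.lstrip("#").strip()
            if not line:
                continue
            target = commented
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        target[key] = value
    return active, commented


def audit_ldap_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    active, commented = parse_ldap_conf(text)
    findings: List[str] = []

    # Transport protection: either StartTLS/LDAPS via the ssl directive,
    # or an ldaps:// URI. Anything else sends the bind password in the clear.
    ssl_mode = active.get("ssl", "").lower()
    uses_ldaps = active.get("uri", "").lower().startswith("ldaps://")
    if ssl_mode not in ("start_tls", "on", "yes") and not uses_ldaps:
        why = "ssl directive is commented out" if "ssl" in commented else "no ssl directive"
        findings.append(f"TLS not enabled ({why}): bind credentials cross the network in cleartext")

    # Without a CA to check against, a TLS session cannot authenticate the server.
    if "tls_cacert" not in active and "tls_cacertdir" not in active:
        why = "TLS_CACERT is commented out" if "tls_cacert" in commented else "none configured"
        findings.append(f"no TLS_CACERT/TLS_CACERTDIR ({why}): server certificate cannot be verified")

    if active.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: server certificate validation is disabled")

    # pam_check_host_attr yes makes pam_ldap honour the user's host attribute,
    # so only users explicitly allowed on this host may log in.
    if active.get("pam_check_host_attr", "").lower() != "yes":
        findings.append("pam_check_host_attr is not 'yes': any LDAP user may log in to this host")

    # StartTLS is an LDAPv3 extended operation; v2 cannot use it.
    if active.get("ldap_version", "3") != "3":
        findings.append("ldap_version is not 3: StartTLS requires LDAPv3")

    return findings


if __name__ == "__main__":
    for finding in audit_ldap_conf(SAMPLE_LDAP_CONF) or ["no findings"]:
        print("-", finding)
```

Run against the page's configuration the checker reports two findings (TLS and the CA certificate, both present but commented out); uncommenting `ssl start_tls` and `TLS_CACERT` clears them, leaving `pam_check_host_attr yes` as the host-restriction control already in place.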