To use OpenLDAP for authentication on FreeBSD, we're going to need to customize our cosine.schema, and install/configure a few additional ports.
First, we need to install the following ports:
Once the above ports are installed, we need to build our ldap.conf file. What's interesting is that Luke H over at Software, Ltd has done, is made his pam_ldap module configuration compatible with OpenLDAP's configuration. The end result is both pieces of software will use /usr/local/etc/ldap.conf. nss_ldap also follows this pattern.
A good ldap.conf file to use is as follows:
# LDAP Configuration uri ldap://ldap.example.com base dc=example,dc=com ldap_version 3 ssl start_tls tls_checkpeer no tls_ciphers TLSv1 TLS_CACERT /usr/local/etc/ca.crt nss_base_netgroup cn=group,dc=claimlynx,dc=com nss_base_group ou=group,dc=claimlynx,dc=com pam_check_host_attr yes
The config above has the following effect:
- use ldap server at ldap.example.com
- use dc=example,dc=com for the search base
- connects with ldap version 3 only
- issues a start_tls command to encrypt the connection
- instructs pam_ldap to accept the certificate
- set tls_ciphers to TLS version 1
- uses the ca certificate found in /usr/local/etc/openldap/ca.crt to verify the server's certificate
- gets group names from cn=group,dc=example,dc=com (finger,pw, directory listings, etc)
- gets group names from ou=group,dc=example,dc=com
- requires each user who logs in has a host entry for access to login to this host (more on this later)