OpenLDAP/Authentication

From Secure Computing Wiki
Revision as of 09:11, 23 April 2008 by Ecrist (Talk | contribs) (remove claimlynx references)

Jump to: navigation, search

To use OpenLDAP for authentication on FreeBSD, we're going to need to customize our cosine.schema, and install/configure a few additional ports.

First, we need to install the following ports:

  • security/pam_ldap
  • security/pam_mkhomedir
  • net/nss_ldap

Once the above ports are installed, we need to build our ldap.conf file. What's interesting is that Luke H over at Software, Ltd has done, is made his pam_ldap module configuration compatible with OpenLDAP's configuration. The end result is both pieces of software will use /usr/local/etc/ldap.conf. nss_ldap also follows this pattern.

Config Files

/usr/local/etc/ldap.conf

A good ldap.conf file to use is as follows:

# LDAP Configuration
uri ldap://ldap.example.com
base dc=example,dc=com
ldap_version 3
ssl start_tls
tls_checkpeer no
tls_ciphers TLSv1
TLS_CACERT /usr/local/etc/ca.crt

nss_base_netgroup cn=group,dc=example,dc=com
nss_base_group ou=group,dc=example,dc=com

pam_check_host_attr yes

The config above has the following effect:

  1. use ldap server at ldap.example.com
  2. use dc=example,dc=com for the search base
  3. connects with ldap version 3 only
  4. issues a start_tls command to encrypt the connection
  5. instructs pam_ldap to accept the certificate
  6. set tls_ciphers to TLS version 1
  7. uses the ca certificate found in /usr/local/etc/openldap/ca.crt to verify the server's certificate
  8. gets group names from cn=group,dc=example,dc=com (finger,pw, directory listings, etc)
  9. gets group names from ou=group,dc=example,dc=com
  10. requires each user who logs in has a host entry for access to login to this host (more on this later)

/usr/local/etc/nss_ldap.conf

uri ldap://ldap.example.com
base ou=people,dc=example,dc=com
ldap_version 3
ssl start_tls
tls_checkpeer no
tls_ciphers TLSv1

This config does the same things as above, specific to nss_ldap port.