From Secure Computing Wiki
Revision as of 10:30, 23 April 2008 by Ecrist (Talk | contribs) (saving my work)


To use OpenLDAP for authentication on FreeBSD, we're going to need to customize our cosine.schema, and install/configure a few additional ports.

First, we need to install the following ports:

  • security/pam_ldap
  • security/pam_mkhomedir
  • net/nss_ldap

Once the above ports are installed, we need to build our ldap.conf file. What's interesting is that Luke H over at Software, Ltd has made his pam_ldap module configuration compatible with OpenLDAP's configuration. The end result is that both pieces of software use /usr/local/etc/ldap.conf. nss_ldap also follows this pattern.

Config Files

A good ldap.conf file to use is as follows:

# LDAP Configuration
uri ldap://
base dc=example,dc=com
ldap_version 3
ssl start_tls
tls_checkpeer no
tls_ciphers TLSv1
TLS_CACERT /usr/local/etc/ca.crt

nss_base_netgroup cn=group,dc=example,dc=com
nss_base_group ou=group,dc=example,dc=com

The config above has the following effect:

  1. use ldap server at
  2. use dc=example,dc=com for the search base
  3. connects with ldap version 3 only
  4. issues a start_tls command to encrypt the connection
  5. instructs pam_ldap to accept the server's certificate without verifying it (tls_checkpeer no)
  6. set tls_ciphers to TLS version 1
  7. uses the ca certificate found in /usr/local/etc/openldap/ca.crt to verify the server's certificate
  8. gets netgroup entries (nss_base_netgroup) from cn=group,dc=example,dc=com
  9. gets group names (nss_base_group) from ou=group,dc=example,dc=com (finger, pw, directory listings, etc.)


uri ldap://
base ou=people,dc=example,dc=com
ldap_version 3
ssl start_tls
tls_checkpeer no
tls_ciphers TLSv1

This config does the same things as the one above, but is specific to the nss_ldap port.
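As an added example (not code from the wiki page), here is a small POSIX sh audit of the ldap.conf key/value format that both files above use. It flags the settings that weaken the TLS protection the page relies on, notably tls_checkpeer no, which leaves TLS_CACERT unused. The hostname in the embedded sample is made up.

```shell
# Added example, not from the wiki page: audit a pam_ldap/nss_ldap ldap.conf for
# transport settings that weaken authentication. Assumes one "key value" per line
# with '#' comments; keys match case-insensitively (tls_checkpeer vs TLS_CACERT).
# ldap_conf_get FILE KEY: print the first value set for KEY, empty if unset.
ldap_conf_get() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}
# audit_ldap_conf FILE: print one finding per line together with the fix;
# the exit status is the number of findings (0 means nothing to report).
audit_ldap_conf() {
    f=$1; n=0
    ssl=$(ldap_conf_get "$f" ssl)
    peer=$(ldap_conf_get "$f" tls_checkpeer)
    cacert=$(ldap_conf_get "$f" tls_cacert)
    ver=$(ldap_conf_get "$f" ldap_version)
    case "$ssl" in
        start_tls|on) ;;
        *) echo "ssl='$ssl': bind passwords cross the network in the clear; set 'ssl start_tls'"
           n=$((n + 1)) ;;
    esac
    if [ "$peer" != yes ]; then
        echo "tls_checkpeer='$peer' (expected yes): the server certificate is not verified, so a spoofed directory server would be accepted; set 'tls_checkpeer yes'"
        n=$((n + 1))
    fi
    if [ "$peer" != yes ] && [ -n "$cacert" ]; then
        echo "TLS_CACERT='$cacert' is configured but cannot take effect until tls_checkpeer is yes"
        n=$((n + 1))
    fi
    if [ "$ver" != 3 ]; then
        echo "ldap_version='$ver': pin the protocol with 'ldap_version 3'"
        n=$((n + 1))
    fi
    return $n
}
# Constructed sample mirroring the page's ldap.conf (the hostname is made up).
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
# LDAP Configuration
uri ldap://ldap.example.com
base dc=example,dc=com
ldap_version 3
ssl start_tls
tls_checkpeer no
tls_ciphers TLSv1
TLS_CACERT /usr/local/etc/ca.crt
EOF
audit_ldap_conf "$tmp" || printf '%s finding(s)\n' "$?"
rm -f "$tmp"
```

Run it against /usr/local/etc/ldap.conf on the host; an exit status of 0 means none of the checked settings is weak.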


## Define lookups for users and groups.
passwd:         files ldap
group:          files ldap

## Optimize the nss_ldap searches for these databases.
#nss_base_passwd ou=staff,ou=people,dc=claimlynx,dc=com
#nss_base_group ou=staff,ou=people,dc=claimlynx,dc=com

group: compat
group_compat: nis
hosts: files dns
networks: files
shells: files

The part we're most concerned with is the first two non-comment lines. These tell the system to first look in files (/etc/master.passwd and /etc/group) for uid/gid and authentication, followed by ldap. The rest of the file is what was there by default.

PAM Configuration

The next task is to roll our changes into PAM so that it's using our LDAP installation for authentication. First, we're going to configure sshd:

Edit the /etc/pam.d/sshd file, and add the following lines in their respective places:

auth      sufficient  /usr/local/lib/  no_warn try_first_pass
account   required    /usr/local/lib/  ignore_unknown_user ignore_authinfo_unavail
session   required    /usr/local/lib/

At this point (no need to restart sshd or anything), you should be able to log in via ssh to the newly configured host. In addition, you should be able to use finger and pw to glean information out of LDAP regarding user accounts:

root@oliver:/etc/pam.d-> finger foobeans
Login: foobeans                         Name: Eric F Crist
Directory: /home/foobeans               Shell: /bin/csh
Office: x842, (411) 555-9000            Home Phone: (411) 555-1234
Last login Wed Apr 23 10:23 (CDT) on ttyp7 from
No Mail.
No Plan.
root@oliver:/etc/pam.d-> pw usershow foobeans -P
Login Name: foobeans          #400          Group: (invalid)         #400
 Full Name: Eric F Crist
      Home: /home/foobeans                  Class:
     Shell: /bin/csh                       Office: x842
Work Phone: (411) 555-9000             Home Phone: (411) 555-1234
Acc Expire: [None]                     Pwd Expire: [None]

When you log in for the first time, pam_mkhomedir automatically creates the user's home directory. The last item to verify is that the home directory was created (/usr/home/<username>) and that it's owned by that user/group:

root@oliver:/etc/pam.d-> ls -lah /usr/home
drwxr-xr-x  2 foobeans  400      512B Apr 23 10:23 foobeans

What you'll notice above is that the foobeans user ID is correctly mapped in LDAP, but I've yet to build the group subtree with user group names. As such, GID 400 doesn't map to a group name at this time.