FreeBSD 5.x LDAP


A reworked libnss resolver library which allows dynamic loading of modules was committed to -CURRENT (now the RELENG5 branch) a couple of days back (April 2003), which (finally!) allows for LDAP (using nss_ldap from ports) and Winbind lookups.

To get going, CVSup your src and ports to the latest and rebuild world.


Install net/nss_ldap

[godzilla] ~> pkg_info -x nss_ldap
Information for nss_ldap-1.204_1:

Comment:
RFC 2307 NSS module

Description:
nss_ldap is a NSS module which provides an LDAP backend for C library
functions such as getpwnam(3), getgrnam(3), and gethostbyname(3).  It
is compliant with RFC 2307, ``An Approach for Using LDAP as a Network
Information Service''.

Currently this is an experimental port, with support only for the `passwd' and `group' databases.

http://www.padl.com/OSS/nss_ldap.html

Update /etc/ldap.conf

Copy /usr/local/etc/ldap.conf.dist to /etc/ldap.conf and update it.

Update /etc/nsswitch.conf

[godzilla] ~> cat /etc/nsswitch.conf
hosts: files dns
passwd: files ldap
group:  files ldap

Install security/pam_ldap

[godzilla] ~> pkg_info -x pam_ldap
Information for pam_ldap-1.6.1:

Comment:
A pam module for authenticating with LDAP

Description:
This is a PAM module for authenticating with LDAP.

http://www.padl.com/OSS/pam_ldap.html

Update /etc/pam.d/login with pam_ldap entry

#
# $FreeBSD: src/etc/pam.d/login,v 1.14 2003/03/08 09:50:11 markm Exp $
#
# PAM configuration for the "login" service
#

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_self.so             no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      pam_ldap.so             try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_securetty.so
account         required        pam_unix.so

# session
#session        required        pam_krb5.so
#session        optional        pam_ssh.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

Statically Linked /bin and /sbin

NSS uses dynamic linking, while /bin and /sbin are statically linked. IOW, /bin/ls will not resolve UIDs/GIDs for users in the LDAP database. There is currently (May 2003) an effort to make /bin and /sbin dynamically linked; until then it is possible to build a dynamically linked /bin and /sbin as follows:

root# cd /usr/src
root# vim bin/Makefile.inc

Comment out the NOSHARED line and recompile the apps. The next buildworld will also pick it up.

  • Using a shared /bin and /sbin is not currently recommended. You will end up with an unusable system if the shared libraries get hosed. People are working on getting a rescue set of /bin and /sbin while still having a dynamically linked set.

Search -CURRENT archives for more details.
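A few sanity checks for the setup above, written as an added example that is not part of the original page: the functions parse nsswitch.conf and a pam.d service file (run here against constructed sample copies) and, where file(1) is available, report whether /bin/ls is statically linked and so cannot load nss_ldap. The file layout and option names follow the page; the function names and sample files are this example's own.

```shell
#!/bin/sh
# Added example, not from the original wiki page: sanity checks for the
# nss_ldap / pam_ldap setup described above. Paths are arguments so the
# checks can run against the constructed sample files at the bottom.

# 0 if every named NSS database in $1 (nsswitch.conf) lists "ldap" as a source.
nss_db_uses_ldap() {
    conf=$1; shift
    for db in "$@"; do
        sed 's/#.*//' "$conf" | grep -E "^[[:space:]]*$db:" \
            | grep -Eq '[[:space:]]ldap([[:space:]]|$)' || return 1
    done
}

# 0 if the auth stack in $1 (a pam.d service file) tries pam_ldap.so before
# pam_unix.so, as in the login file above (pam_unix's try_first_pass then
# reuses the password already entered for LDAP). Comments are ignored.
pam_ldap_before_unix() {
    ldap_ln=$(sed 's/#.*//' "$1" | grep -En '^[[:space:]]*auth[[:space:]].*pam_ldap\.so' | head -n 1 | cut -d: -f1)
    unix_ln=$(sed 's/#.*//' "$1" | grep -En '^[[:space:]]*auth[[:space:]].*pam_unix\.so' | head -n 1 | cut -d: -f1)
    [ -n "$ldap_ln" ] && [ -n "$unix_ln" ] && [ "$ldap_ln" -lt "$unix_ln" ]
}

# 0 if $1 is statically linked, i.e. it cannot dlopen nss_ldap and will show
# raw UIDs/GIDs for LDAP-only users (the /bin and /sbin caveat above).
is_static_binary() {
    file "$1" 2>/dev/null | grep -q 'statically linked'
}

# Constructed sample files (not copied from a real host).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'hosts: files dns\npasswd: files ldap\ngroup:  files ldap\n' > "$tmp/nsswitch.conf"
cat > "$tmp/login" <<'EOF'
auth    required    pam_nologin.so  no_warn
#auth   sufficient  pam_unix.so     commented out, must be ignored
auth    sufficient  pam_ldap.so     try_first_pass
auth    required    pam_unix.so     no_warn try_first_pass nullok
EOF
# Same modules with the order reversed: pam_unix.so would prompt first.
printf 'auth required pam_unix.so try_first_pass\nauth sufficient pam_ldap.so try_first_pass\n' > "$tmp/login.bad"

nss_db_uses_ldap "$tmp/nsswitch.conf" passwd group && echo "nsswitch: passwd/group use ldap"
pam_ldap_before_unix "$tmp/login" && echo "login: pam_ldap.so precedes pam_unix.so"
pam_ldap_before_unix "$tmp/login.bad" || echo "login.bad: pam_unix.so runs before pam_ldap.so"
if command -v file >/dev/null 2>&1; then
    is_static_binary /bin/ls && echo "/bin/ls is static: no LDAP name resolution in ls -l"
fi
```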
