Quick and dirty FreeBSD 5.x and nss_ldap mini-HOWTO
20030807 : version 0.01.1
Clement Laforet

I. Introduction:

Since 5.1, FreeBSD supports NSS modules. For the moment, only the nss_ldap module is in the ports tree; the MySQL one is still pending.

Why use LDAP as NSS backend? I have nearly 7 PCs at home, and some "external users" with different access (inn, apache, etc.), so I need a flexible authentication/identification backend: LDAP is a solution. I wrote this quick and dirty mini-HOWTO after a small thread on freebsd-questions.

II. Getting started

2.1 Getting FreeBSD 5.x

Install or upgrade your system to at least FreeBSD 5.1. I won't cover this; the Handbook already contains all the information you need to accomplish this task.

2.2 Installing software

What do we need?

* An OpenLDAP server to store all users.
* On the client side: LDAP libraries, nss_ldap and pam_ldap.
* Optionally a web frontend and other schemas (i.e.: samba)

I recommend you use OpenLDAP 2.1.

On the server:

[root@test ~]# cd /usr/ports/net/openldap21/
[root@test openldap21]# make install clean

On the client(s):

[root@test ~]# cd /usr/ports/net/openldap21/
[root@test openldap21]# make CLIENT_ONLY=yes install clean
[root@test ~]# cd /usr/ports/net/nss_ldap/
[root@test nss_ldap]# make install clean
[root@test ~]# cd /usr/ports/security/pam_ldap/
[root@test pam_ldap]# make install clean

III. Quick LDAP configuration

3.1 Setting up the server

This setup is NOT very secure, but it's a good way to get familiar with OpenLDAP. You'll need to add ACLs later. Please refer to the OpenLDAP documentation for this.

First of all you have to generate a new password. For this, use slappasswd(8).
[root@test ~]# slappasswd -s LamePassword
{SSHA}VV8wdb4sGLy7Lroi4gxXaj33jCm9tGtP

Here is a sample slapd.conf:

# slapd.conf
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args
database        bdb
suffix          "dc=test,dc=org"
rootdn          "cn=Manager,dc=test,dc=org"
rootpw          {SSHA}VV8wdb4sGLy7Lroi4gxXaj33jCm9tGtP
directory       /var/db/openldap-data
index           objectClass     eq
index           uid             pres,eq,sub

Rename the OpenLDAP rc.d script.

[root@test ~]# mv /usr/local/etc/rc.d/slapd.sh.sample /usr/local/etc/rc.d/slapd.sh

Start slapd.

[root@test ~]# /usr/local/etc/rc.d/slapd.sh start
[root@test ~]# chmod 440 /usr/local/etc/openldap/slapd.conf
[root@test ~]# chown ldap:ldap /usr/local/etc/openldap/slapd.conf
[root@test ~]# chown -R ldap:ldap /var/db/openldap*

3.2 Populate database

We need an LDIF file to populate the database, using slapadd. Sample initial LDIF entry file: test.ldif

dn: dc=test,dc=org
dc: test
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: test.org
structuralObjectClass: domain

dn: ou=groups, dc=test, dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit

dn: ou=people, dc=test, dc=org
objectclass: top
objectclass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit

dn: cn=StupidTest User, ou=people, dc=test, dc=org
cn: StupidTest User
sn: Dummy
objectclass: top
objectclass: person
objectclass: posixAccount
objectclass: shadowAccount
uid: testuser
userpassword: {SSHA}GmbwsRvJugoiT5NIIJ2bk+5YVfWMUVa1
uidnumber: 1000
gidnumber: 1000
gecos: TestUser
loginShell: /bin/csh
homeDirectory: /home/test

dn: cn=test, ou=groups, dc=test, dc=org
objectclass: top
objectclass: posixGroup
cn: test
gidnumber: 1000
memberuid: test

Submit the initial LDIF.

[root@test ~]# slapadd -l /root/ldif

And it should be OK ! :-)
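The two things done by hand above, running slappasswd for a {SSHA} hash and writing a user plus group entry in LDIF, are mechanical enough to script. The following is an added example, not part of the original HOWTO or of OpenLDAP: it re-implements the {SSHA} scheme (base64 of SHA-1(password + salt) followed by the salt; the 4-byte salt length is an assumption that matches the HOWTO's own hash, which decodes to 24 bytes), verifies a password against a stored value with a constant-time compare, and emits a posixAccount/posixGroup pair in the same shape as test.ldif. All function names (ssha_hash, ssha_verify, ssha_salt, ldif_line, user_ldif) are mine. Values that would be ambiguous as plain LDIF text (leading space, colon, non-ASCII) are base64-encoded with the `::` form so a gecos or cn taken from user input cannot break the entry.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Sequence

# OpenLDAP's {SSHA} scheme: base64( SHA-1(password || salt) || salt ).
# Salt length is an assumption (4 bytes), consistent with the HOWTO's hash.
SALT_LEN = 4
DIGEST_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in the form slappasswd -s prints."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_salt(stored: str) -> Optional[bytes]:
    """Extract the salt from a stored {SSHA} value, or None if malformed."""
    if not stored.startswith("{SSHA}"):
        return None
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= DIGEST_LEN:
        return None
    return raw[DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value (constant-time compare)."""
    salt = ssha_salt(stored)
    if salt is None:
        return False
    expected = base64.b64decode(stored[len("{SSHA}"):])[:DIGEST_LEN]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, expected)


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line; base64 (::) when the value is not safe as plain
    text per RFC 2849 (leading space/colon/'<', trailing space, non-ASCII, newline)."""
    unsafe = value and (value[0] in " :<" or value.endswith(" ")
                        or not value.isascii() or "\n" in value or "\r" in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def user_ldif(uid: str, uidnumber: int, gidnumber: int, cn: str, sn: str,
              password: str, home: str, group: str, shell: str = "/bin/csh",
              base: str = "dc=test,dc=org",
              extra_members: Sequence[str] = ()) -> str:
    """Emit a posixAccount under ou=people and its posixGroup under ou=groups,
    following the HOWTO's template. memberUid holds login names (uid values)."""
    account = [
        ("dn", f"cn={cn},ou=people,{base}"),
        ("cn", cn), ("sn", sn),
        ("objectclass", "top"), ("objectclass", "person"),
        ("objectclass", "posixAccount"), ("objectclass", "shadowAccount"),
        ("uid", uid),
        ("userpassword", ssha_hash(password)),
        ("uidnumber", str(uidnumber)), ("gidnumber", str(gidnumber)),
        ("gecos", cn), ("loginShell", shell), ("homeDirectory", home),
    ]
    grp = [
        ("dn", f"cn={group},ou=groups,{base}"),
        ("objectclass", "top"), ("objectclass", "posixGroup"),
        ("cn", group), ("gidnumber", str(gidnumber)),
        ("memberuid", uid),
    ] + [("memberuid", m) for m in extra_members]
    return "\n".join([ldif_line(a, v) for a, v in account] + [""] +
                     [ldif_line(a, v) for a, v in grp]) + "\n"


if __name__ == "__main__":
    # Check the HOWTO's own hash against the password it was generated from.
    print(ssha_verify("LamePassword", "{SSHA}VV8wdb4sGLy7Lroi4gxXaj33jCm9tGtP"))
    print(user_ldif("testuser2", 1001, 1001, "StupidTest User2", "Dummy",
                    "ChangeMe", "/home/test2", "test2", extra_members=["testuser"]))
```

Feed the output to slapadd -l as in the section above, or to ldapadd against the running server. Keep the cleartext password out of shell history and scripts; the generator only ever writes the hash.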
You have to use the template below to add new users:

dn: cn=StupidTest User2, ou=people, dc=test, dc=org
cn: StupidTest User2
sn: Dummy
objectclass: top
objectclass: person
objectclass: posixAccount
objectclass: shadowAccount
uid: testuser2
userpassword: {SSHA}wU0T6ixZb9sU2+JTK8Au8sq7noNfMkbv
uidnumber: 1001
gidnumber: 1001
gecos: TestUser
loginShell: /bin/csh
homeDirectory: /home/test2

dn: cn=test2, ou=groups, dc=test, dc=org
objectclass: top
objectclass: posixGroup
cn: test2
gidnumber: 1001
memberuid: test2
memberuid: test

IV. nss_ldap/pam_ldap/nsswitch.conf configuration

${PREFIX}/etc/ldap.conf is used by pam_ldap and ${PREFIX}/etc/nss_ldap.conf by nss_ldap.

4.1 nss_ldap

My ${PREFIX}/etc/nss_ldap.conf / ${PREFIX}/etc/ldap.conf:

host 127.0.0.1
base dc=test,dc=org
uri ldap://127.0.0.1:389/
binddn cn=manager,dc=test,dc=org
bindpw LamePassword
port 389
nss_base_passwd ou=People,dc=test,dc=org?one
nss_base_group ou=Groups,dc=test,dc=org?one
pam_password SSHA

[root@test ~]# ln -s /etc/ldap.conf /usr/local/etc/ldap.conf

4.2 pam_ldap

In your /etc/pam.d directory you have your PAM service entries. You have to add this line before the "required" auth entry.
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass

Sample:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth
#auth       required    pam_nologin.so      no_warn
#auth       sufficient  pam_opie.so         no_warn no_fake_prompts
#auth       requisite   pam_opieaccess.so   no_warn allow_local
#auth       sufficient  pam_krb5.so         no_warn try_first_pass
#auth       sufficient  pam_ssh.so          no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass

4.3 nsswitch.conf

Edit your config file like this:

[root@test ~]# cat /etc/nsswitch.conf
passwd: files ldap
group: files ldap

At boot, LDAP may take some time to start, but don't worry: it's just the id lookup. With ldap listed in nsswitch.conf, resolving the "ldap" user is also sent to slapd, but the server can't answer since it isn't running yet.

4.4 Testing

[root@test ~]# id testuser
uid=1000(testuser) gid=1000(test) groups=1000(test)
[root@test ~]# id testuser2
uid=1001(testuser2) gid=1001(test2) groups=1001(test2)
[root@test ~]# finger testuser
Login: testuser                         Name: TestUser
Directory: /home/test                   Shell: /bin/csh
On since Thu Aug  7 15:24 (CEST) on ttyp2, idle 0:11, from chuck
No Mail.
No Plan.
[root@test ~]# ssh testuser@localhost
The authenticity of host 'localhost (::1)' can't be established.
DSA key fingerprint is 24:a9:56:81:80:21:33:01:7f:e3:64:30:95:52:16:3d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (DSA) to the list of known hosts.
Password:
Last login: Thu Aug  7 15:24:10 2003 from chuck.cultdeads
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 5.1-CURRENT (TEST) #0: Thu Jul 31 03:00:20 CEST 2003

Welcome to FreeBSD!
Before seeking technical support, please use the following resources:

  o  Security advisories and updated errata information for all releases are
     at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
     for your release first as it's updated frequently.

  o  The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
     along with the mailing lists, can be searched by going to
     http://www.FreeBSD.org/search/.  If the doc distribution has
     been installed, they're also available formatted in /usr/share/doc.

If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list.  If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page.  If you are not familiar with manual pages, type `man man'.

You may also use sysinstall(8) to re-enter the installation and
configuration utility.  Edit /etc/motd to change this login announcement.

%id
uid=1000(testuser) gid=1000(test) groups=1000(test)

TODO:
- Changing password section
- Web front end section
- samba + LDAP section
- secured version of this document
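The HOWTO says up front that this setup is not very secure, and section IV shows where the client side is weakest: nss_ldap.conf carries a cleartext bindpw for the very DN that slapd.conf declares as rootdn, and lookups go over plain ldap://. The following is an added example, not part of the HOWTO or of the nss_ldap/pam_ldap projects: a small audit that parses the "key value" ldap.conf format and nsswitch.conf and reports these conditions, run here over constructed copies of the files from sections 3.1 and 4.x. The finding codes and the rules are my own; the remediations named in the messages (nss_ldap's rootbinddn with the password kept in root-only /etc/ldap.secret, `ssl start_tls` or an ldaps:// uri, and slapd.conf access directives for a limited bind DN) are existing options of those tools. Loopback servers are deliberately not flagged for cleartext, since the HOWTO runs client and server on one host; the check fires for any other host unless TLS is configured.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

Finding = Tuple[str, str, str]  # (severity, code, message)

# Constructed copies of the client files from section IV and the rootdn from
# the slapd.conf in section 3.1, embedded so the audit runs offline.
NSS_LDAP_CONF = """\
host 127.0.0.1
base dc=test,dc=org
uri ldap://127.0.0.1:389/
binddn cn=manager,dc=test,dc=org
bindpw LamePassword
port 389
nss_base_passwd ou=People,dc=test,dc=org?one
nss_base_group ou=Groups,dc=test,dc=org?one
pam_password SSHA
"""
NSSWITCH_CONF = "passwd: files ldap\ngroup: files ldap\n"
ROOTDN = "cn=Manager,dc=test,dc=org"
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """'key value' lines, '#' comments, case-insensitive keys, repeats kept."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def norm_dn(dn: str) -> str:
    """Rough DN normalisation for comparison: trim spaces around RDNs and fold
    case (adequate for the cn/dc components used in this HOWTO)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def audit_ldap_conf(text: str, rootdn: str) -> List[Finding]:
    conf = parse_ldap_conf(text)
    findings: List[Finding] = []
    binddn = conf.get("binddn", [""])[0]
    if "bindpw" in conf:
        findings.append(("high", "bindpw-in-config",
            "bindpw puts a cleartext password in a file that every process resolving "
            "users must read; allow anonymous read for lookups, or use rootbinddn "
            "with the password in root-only /etc/ldap.secret"))
        if binddn and norm_dn(binddn) == norm_dn(rootdn):
            findings.append(("critical", "bind-as-rootdn",
                "binddn is the slapd rootdn: anyone who can read this file can rewrite "
                "the whole directory; bind as a DN limited by slapd.conf access rules"))
    # Every server the client will talk to, as (scheme, host).
    servers: List[Tuple[str, str]] = []
    for uri in conf.get("uri", []):
        for u in uri.split():
            parsed = urlsplit(u)
            servers.append((parsed.scheme.lower(), parsed.hostname or ""))
    for hosts in conf.get("host", []):
        servers.extend(("ldap", h) for h in hosts.split())
    tls = conf.get("ssl", [""])[-1].lower() in ("on", "start_tls")
    for scheme, host in servers:
        if host not in LOOPBACK and scheme != "ldaps" and not tls:
            findings.append(("high", "cleartext-remote",
                f"{host}: bind password and directory data cross the network "
                "unencrypted; use an ldaps:// uri or 'ssl start_tls'"))
            break
    return findings


def audit_nsswitch(text: str) -> List[Finding]:
    """passwd/group must list 'files' before 'ldap' so root and system accounts
    still resolve while slapd is down (the boot-time delay noted in 4.3)."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        sources = [s for s in rest.split() if not s.startswith("[")]  # skip [notfound=return]
        db = db.strip()
        if db in ("passwd", "group") and "ldap" in sources:
            if "files" not in sources or sources.index("files") > sources.index("ldap"):
                findings.append(("medium", f"{db}-ldap-before-files",
                    f"{db}: list 'files' before 'ldap' so local accounts resolve without slapd"))
    return findings


def audit(ldap_conf: str, nsswitch: str, rootdn: str = ROOTDN) -> List[Finding]:
    return audit_ldap_conf(ldap_conf, rootdn) + audit_nsswitch(nsswitch)


if __name__ == "__main__":
    for sev, code, msg in audit(NSS_LDAP_CONF, NSSWITCH_CONF):
        print(f"[{sev}] {code}: {msg}")
```

Run against the HOWTO's files it reports the bindpw and rootdn findings and nothing else; point it at a real /usr/local/etc/nss_ldap.conf and /etc/nsswitch.conf (read them into the two strings) before rolling the setup out to the client machines.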