FreeBSD -CURRENT + LDAP HOWTO ============================= Shanker Balan http://shankerbalan.com/ Changelog: Fri May 16 10:49:27 IST 2003 - Note about statically linked /bin and /sbin Tue Apr 29 17:21:26 IST 2003 - Initial commit A reworked libnss resolver library which allowd for synamic loading of modules has been committed to -CURRENT a couple of days (April 2003) back which (finally!) allows for LDAP (using nss_ldap from ports) and Winbind lookups. To get going, CVSup your src and ports to the latest and rebuild world. - Install net/nss_ldap [godzilla] ~> pkg_info -x nss_ldap Information for nss_ldap-1.204_1: Comment: RFC 2307 NSS module Description: nss_ldap is a NSS module which provides an LDAP backend for C library functions such as getpwnam(3), getgrnam(3), and gethostbyname(3). It is compliant with RFC 2307, ``An Approach for Using LDAP as a Network Information Service''. Currently this is an experimental port, with support only for the `passwd' and `group' databases. WWW: http://www.padl.com/OSS/nss_ldap.html - Update /etc/ldap.conf Copy /usr/local/etc/ldap.conf.dist to /etc/ldap.conf and update it. - Update /etc/nsswitch.conf [godzilla] ~> cat /etc/nsswitch.conf hosts: files dns passwd: files ldap group: files ldap - Install security/pam_ldap [godzilla] ~> pkg_info -x pam_ldap Information for pam_ldap-1.6.1: Comment: A pam module for authenticating with LDAP Description: This is a PAM module for authenticating with LDAP. WWW: http://www.padl.com/OSS/pam_ldap.html - Update /etc/pam.d/login with pam_ldap entry # # $FreeBSD: src/etc/pam.d/login,v 1.14 2003/03/08 09:50:11 markm Exp $ # # PAM configuration for the "login" service # # auth auth required pam_nologin.so no_warn auth sufficient pam_self.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth sufficient pam_ldap.so try_first_pass auth required pam_unix.so no_warn try_first_pass nullok # account #account required pam_krb5.so account required pam_login_access.so account required pam_securetty.so account required pam_unix.so # session #session required pam_krb5.so #session optional pam_ssh.so session required pam_lastlog.so no_fail # password #password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass Statically Linked /bin and /sbin -------------------------------- NSS uses dynamic linking while /bin and /sbin are statically linked. IOW, /bin/ls will not resolve UIDs/GIDs for users in the LDAP database. There is currently (May 2003) an effort to make /bin and /sbin dynamically linked, till then it is possible to compile a dynamically linked /bin and /sbin by doing the following: root# cd /usr/src root# vim bin/Makefile.inc Comment the NOSHARED line and recompile the apps. A next buildworld will also do. Note: Using a shared /bin and /sbin is not currently recommended. You will end up in a unusable system if the shared libraries get hosed. People are working on getting both a resuce set of /bin and /sbin while still having a dynamically linked set. Search -CURRENT archives for more details.