Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
- From: "Brian A. Seklecki" <lavalamp@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 29 Sep 2007 19:59:42 -0400 (EDT)
There should be an nss_ldap.conf and pam_ldap.conf in /usr/local/etc . You need to set a variety of settings there. What do they look like?
Remember: pkg_info -L pam_ldap nss_ldap!
Also, not sure about the TCP FIN_2 issue -- probably just the usual shakes and bangs with -current. ~BAS
On Fri, 28 Sep 2007, O. Hartmann wrote:
Thank you for responding.
So, I'll feel free reporting my bad luck. This is a reference page I consulted for some hints, but without success:
http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
First, OS ist the most recent FreeBSD 7.0.
OpenLDAP is openldap-server-2.3.38, standard config, no SASL support or anything else apart from default
PAM_LDAP
NSS_LDAP
I renamed cached.conf to nscd.conf as suggested (for your information).
In /etc/nsswitch.conf I changed
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
I also changed /etc/pam.d/sshd to this:
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
Both configuration files for nss_ldap and pam_ldap respective got linked to /usr/localetc/openldap/ldap.conf, which looks like this:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=foo,dc=org
#URI ldapi:///
URI ldapi://%2fvar%2frun%2fopenldap%2fldapi/
#SSL start_tls
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERT #TLS_CERT #TLS_KEY #TLS_REQCERT allow
#TLS_REQCERT demand
#TLS_CHECKPEER yes
My /etc/rc.conf.local file has the following OpenLDAP specific entry:
###########################################################
### OpenLDAP Server ###
###########################################################
slapd_enable="YES"
#slapd_flags='-d 3 -4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///"'
slapd_flags='-4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.2.210 ldaps://192.168.2.210"'
slapd_sockets="/var/run/openldap/ldapi"
My OpenLDAP config file has SSL-certificates disabled.
After the installation of nss_ldap the slapd server takes several decades of seconds to start. But it starts well and after it has initiated itself, I can do on the server a simple 'slapcat' and receive.
But I can't access the LDAP server. Doing an 'id testuser' results in 'id not found'.
On the console, I receive massively errors like this:
TCP: [127.0.0.1]:389 to [127.0.0.1]:63896 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received data after socket was closed, sending RST and removing tcpcb
Well, I checked sockstat for a listening slapd and I found slapd listening on both loopback, local NIC adn on both ports 389 and 636.
So what is wrong ?
Regards,
a desperate Oliver
Brian A. Seklecki wrote:FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
(PKI). All other services (RADIUS, Apache ((mod_ldap, mod_pam_auth), PHP,
interactive shell, SFTP, etc.) can be tied into LDAP either directly or
via PAM.
As for password change, I don't know if anyone has a passwd(1) binary
that properly changes the LDAP password attribute -- if there is and its
out there, it requires ACL insanity. Like Oracle, you can either
understand OpenLDAP ACLs, or you have real work to do >:}
Check the nss_pam.conf and nss_ldap.conf configs in local/etc/*
-- set to "debug 1" to get debugging info. Feel free to share
error messages.
~BAS
On Fri, 2007-09-28 at 10:54 +0000, O. Hartmann wrote:
Hello out there,
I have a problem with setting up an FreeBSD box as OpenLDAP server with several services, like SAMBA, NFS.
The intention is to have a FreeBSD 7.0 fileserver (NFS, SAMBA) also acting as OpenLDAP server. So far. OpenLDAP is up and running, using TLS/SSL certificate. SAMBA is also up and running - but it never connects to the OpenLDAP server due to an connection error, but this shouldn't be the subject here, I have more basic questions about what FreeBSD already has and what to install additionally.
I want customers to log in on the FBSD box, so they sould log in (authenticated via OpenLDAP), change their passwords and shells and those user specifica should be updated on the LDAP server.
I already installed pam_ldap-port but ran into trouble because FreeBSD's nss obviously does not have a tag 'ldap' to refere to an OpenLDAP server (and not files).
Well, I'm confused and not very firm with OpenLDAP/PAM/NSS stuff, especially if SSL/TLS come into play and I would like to ask those herein administering those setups, especially within a hybrid NFS/SAMBA fileservicing environment, where to find up to date informationes/howto/tipps.
Most websites and HowTo's I found were Linux related or, if related to FreeBSD, outdated.
Sorry beeing so unspecific, but the problem is complex (to me) so I would better ask for those who are willing to help or give hints and tips.
Thanks in advance and for your patience,
Oliver
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/
"Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?"
~Maynard James Keenan
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
- References:
- FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
- From: O. Hartmann
- Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
- From: Brian A. Seklecki
- Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
- From: O. Hartmann
- FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
- Prev by Date: upgrading for cups-base 1.3.0
- Next by Date: Re: Deny access from localhost to internet.....
- Previous by thread: Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
- Next by thread: D-Link G122 C1 (USB WiFi)
- Index(es):
Relevant Pages
|
|
