FreeBSD 10.2 – pam_ldap howto

– Il faut installer les packages:

# pkg install -y nss_ldap pam_ldap openldap-client p5-Mozilla-CA

– Faire la conf du client ldap

vi /usr/local/etc/nss_ldap.conf

BASE ou=People,dc=infranix,dc=eu
URI ldaps://ldap1
TLS_CACERTDIR /usr/local/lib/perl5/site_perl/Mozilla/CA/cacert.pem
TLS_REQCERT allow
SASL_NOCANON    on

– Créer des symlink pour simplier la configuration vers ldap.conf

# ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/openldap/ldap.conf
# ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/ldap.conf

– Modifier nsswitch pour qu’il s’appuye sur ldap pour passwd et group

[root@app001 ~]# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/10.2/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

– Modifier /etc/pam.d/ssh

root@app001 ~]# cat /etc/pam.d/sshd
#
# $FreeBSD: releng/10.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth        sufficient  /usr/local/lib/pam_ldap.so    no_warn try_first_pass
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
account     required    /usr/local/lib/pam_ldap.so    no_warn ignore_authinfo_unavail ignore_unknown_user
account		required	pam_nologin.so
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session     required    /usr/local/lib/pam_mkhomedir.so
session		required	pam_permit.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass

– modifier /etc/pam.d/su pour mettre le bon groupe

[root@app001 ~]# cat /etc/pam.d/su
#
# $FreeBSD: releng/10.2/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
#
# PAM configuration for the "su" service
#

# auth
auth		sufficient	pam_rootok.so		no_warn
auth		sufficient	pam_self.so		no_warn
auth		requisite	pam_group.so		no_warn group=wheel,users root_only fail_safe ruser
auth		include		system

# account
account		include		system

# session
session		required	pam_permit.so

– modifier /etc/pam.d/system

root@app001 /etc/pam.d]# cat system

# $FreeBSD: releng/10.2/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#

# auth
auth		sufficient	/usr/local/lib/pam_ldap.so   no_warn try_first_pass
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass nullok

# account
#account	required	pam_krb5.so
account         required        /usr/local/lib/pam_ldap.so   ignore_unknown_user ignore_authinfo_unavail
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session		required	/usr/local/lib/pam_mkhomedir.so
session		required	pam_lastlog.so		no_fail

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass

– modifier /etc/pam.d/passwd

[root@app001 /etc/pam.d]# cat passwd
#
# $FreeBSD: releng/10.2/etc/pam.d/passwd 113967 2003-04-24 12:22:42Z des $
#
# PAM configuration for the "passwd" service
#

# passwd(1) does not use the auth, account or session services.

# password
#password	requisite	pam_passwdqc.so		enforce=users
#password  required    pam_ldap.so
password	required	pam_unix.so		no_warn try_first_pass nullok

– OPTIONNEL : forcer le gidMember

vi /etc/group
users:*:100:

– pour tester

getent passwd