Re: LDAP user authentication?

2008-03-05 Thread perikillo
  Hi Jon.

  Look, I'm in your situation, searching for documents about this
authentication stuff. I have followed this thread; I just want to know
if you have already done this and what your results were.

  Thanks!!!

On Sun, Feb 17, 2008 at 4:49 PM, Jonathan Chen [EMAIL PROTECTED] wrote:
 On Sun, Feb 17, 2008 at 05:45:33PM -0500, Darek M. wrote:
   Jon Theil Nielsen wrote:
   I have googled for a very long time, but I haven't found any useful
   howto on this issue. Well, there is
   
 http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
   but that seems to be a bit confusing and not up-to-date. I guess it
   _should_ be possible - and indeed very useful (especially combined
   with Samba PDC and an easily maintainable mail server). So please, if
   you have any experiences or knowledge of a useful description..!
   
   Regards,
   Jon Theil Nielsen
  
   At the risk of a thread-jack...
  
   how are home directories handled?  Will 'user' have a home dir on the
   local system?  I suppose once LDAP is set up properly, you can then
   create the home dir, then chown it 'user', with 'user' not being a local
   user and not in passwd/master.passwd files.  So when you chown/chgrp,
   those commands go through pam/nss/ldap to retrieve the proper id and
   name from the LDAP server?

  There's security/pam_mkhomedir, which should do what you want.


  Cheers.
  --
  Jonathan Chen [EMAIL PROTECTED]
  
  We laugh in the face of danger, we drop icecubes down the vest of fear
  - Edmond Blackadder III


 ___
  freebsd-questions@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-questions
  To unsubscribe, send any mail to [EMAIL PROTECTED]



Re: LDAP user authentication?

2008-03-05 Thread Jonathan Chen
On Wed, Mar 05, 2008 at 03:34:59PM -0800, perikillo wrote:
   Hi Jon.
 
   Look, I'm in your situation, searching for documents about this
 authentication stuff. I have followed this thread; I just want to know
 if you have already done this and what your results were.

I've got LDAP auth set up, and it works fine for me; it's been in
place since December 2007.

Cheers.
-- 
Jonathan Chen [EMAIL PROTECTED]
--
 When all else fails, RTFM


Re: LDAP user authentication?

2008-02-17 Thread Darek M.

Jon Theil Nielsen wrote:

I have googled for a very long time, but I haven't found any useful
howto on this issue. Well, there is
http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
but that seems to be a bit confusing and not up-to-date. I guess it
_should_ be possible - and indeed very useful (especially combined
with Samba PDC and an easily maintainable mail server). So please, if
you have any experiences or knowledge of a useful description..!

Regards,
Jon Theil Nielsen


At the risk of a thread-jack...

how are home directories handled?  Will 'user' have a home dir on the 
local system?  I suppose once LDAP is set up properly, you can then 
create the home dir, then chown it 'user', with 'user' not being a local 
user and not in passwd/master.passwd files.  So when you chown/chgrp, 
those commands go through pam/nss/ldap to retrieve the proper id and 
name from the LDAP server?


For anyone that runs such a system, is there a delay when logging in or 
'ls -l'ing an LDAP user's files, etc?  Or is it unnoticeable if the 
network between them is reasonably responsive?


- Darek



Re: LDAP user authentication?

2008-02-17 Thread Jonathan Chen
On Sun, Feb 17, 2008 at 05:45:33PM -0500, Darek M. wrote:
 Jon Theil Nielsen wrote:
 I have googled for a very long time, but I haven't found any useful
 howto on this issue. Well, there is
 http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
 but that seems to be a bit confusing and not up-to-date. I guess it
 _should_ be possible - and indeed very useful (especially combined
 with Samba PDC and an easily maintainable mail server). So please, if
 you have any experiences or knowledge of a useful description..!
 
 Regards,
 Jon Theil Nielsen
 
 At the risk of a thread-jack...
 
 how are home directories handled?  Will 'user' have a home dir on the 
 local system?  I suppose once LDAP is set up properly, you can then 
 create the home dir, then chown it 'user', with 'user' not being a local 
 user and not in passwd/master.passwd files.  So when you chown/chgrp, 
 those commands go through pam/nss/ldap to retrieve the proper id and 
 name from the LDAP server?

There's security/pam_mkhomedir, which should do what you want.

Cheers.
-- 
Jonathan Chen [EMAIL PROTECTED]

We laugh in the face of danger, we drop icecubes down the vest of fear
 - Edmond Blackadder III


Re: LDAP user authentication?

2008-02-15 Thread Ganael LAPLANCHE
On Fri, 15 Feb 2008 09:45:23 +0700 (ICT), Olivier Nicole wrote

Hi Olivier,

 Though I am looking one step ahead, how to allow a user to
 authenticate to this machine and not that machine, using the same ldap
 directory.

You can override attributes in your /usr/local/etc/nss_ldap.conf.

Something like this:

nss_override_attribute_value homeDirectory /dev/null
nss_override_attribute_value loginShell /usr/bin/false
nss_override_attribute_value userPassword x

should prevent users from logging in on your machine.

Best regards,

Ganaël LAPLANCHE
[EMAIL PROTECTED]
http://www.martymac.com



Re: LDAP user authentication?

2008-02-15 Thread Norman Maurer

On Friday, 15.02.2008, 09:45 +0700, Olivier Nicole wrote:
 Hi,
 
   I have googled for a very long time, but I haven't found any useful
howto on this issue. Well, there is

  http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
but that seems to be a bit confusing and not up-to-date. I guess it
_should_ be possible - and indeed very useful (especially combined
with Samba PDC and an easily maintainable mail server). So please, if
 
 I read through the link you gave. My first impression is:
 
 - pam-ldap is used for authentication: allow the user to login to the
   machine
 
 - nss-ldap is used by the system when it needs to resolve things like
   gid-group name, user home directory, etc.
 
 I will give it a try soon.
 
 Though I am looking one step ahead, how to allow a user to
 authenticate to this machine and not that machine, using the same ldap
 directory.
 
 Bests,
 
 Olivier

You can use the pam_filter option for this.

bye
Norman 



Re: LDAP user authentication?

2008-02-14 Thread Jon Theil Nielsen
  I have googled for a very long time, but I haven't found any useful
   howto on this issue. Well, there is
   
 http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
   but that seems to be a bit confusing and not up-to-date. I guess it
   _should_ be possible - and indeed very useful (especially combined
   with Samba PDC and an easily maintainable mail server). So please, if
   you have any experiences or knowledge of a useful description..!
  
   Regards,
   Jon Theil Nielsen


2008/2/14, Dave [EMAIL PROTECTED]:
 Hi,
 I am far from an expert, in fact I'm still learning. I don't know a lot
  of the jargon, that is I still get the more intense terms mixed up, but I've
  been banging my head against ldap for about a month now and am starting to
  show results. Right now I'm using ldap in jails on freebsd 6.2 as I don't
  have all the bugs worked out to go production. I've got a directory that is
  a user addressbook as well as handles authentication of users, both for the
  jailed ldap server, but also for two other jailed environments, one the ldap
  client, the other just a test machine. I've also authenticated a linux box
  against this server that works fine with a few tweaks. Right now I've got a
  jail specifically for testmail setup I'm going to try to hook in email
  services, pop/imap, smtp, etc. in to ldap.
 If you have im abilities I can talk more there, but basically it's
  definitely not trivial to get going, in my opinion others might differ.
  Dave.

I have some experience with FreeBSD but not with running in jails. It
might be a solution, but I don't know. What I would really like was a
thorough description of setting LDAP authentication up for the whole
system. But I might read up on jails. Thanks anyway.

Regards,
Jon Theil Nielsen


Re: LDAP user authentication?

2008-02-14 Thread Jon Theil Nielsen
2008/2/14, Dave [EMAIL PROTECTED]:
 Hi,
 Actually I'm only using jails, because I haven't got all the bugs worked
  out yet and when I do I'm going to just copy the files over and go
  production. Other than that these files will work for a freebsd system. In
  brief you'll need openldap server and client ports, I'm using 2.4, pam_ldap
  port and nss_ldap port. Go configure all that and that'll do it, take it in
  stages, slapd first, the ldap client next, then either pam_ldap or nss_ldap,
  one thing you'll definitely want is tls encryption, can't help with that as
  I'm still trying to get that working.
 If you need any help let me know, I'll do what I can.

 Dave.

  - Original Message -
  From: Jon Theil Nielsen [EMAIL PROTECTED]

 To: Dave [EMAIL PROTECTED]
  Cc: freebsd-questions@freebsd.org
  Sent: Thursday, February 14, 2008 7:20 AM
  Subject: Re: LDAP user authentication?


I have googled for a very long time, but I haven't found any useful
 howto on this issue. Well, there is

   
 http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
 but that seems to be a bit confusing and not up-to-date. I guess it
 _should_ be possible - and indeed very useful (especially combined
 with Samba PDC and an easily maintainable mail server). So please, if
 you have any experiences or knowledge of a useful description..!

 Regards,
 Jon Theil Nielsen
  
  
   2008/2/14, Dave [EMAIL PROTECTED]:
   Hi,
   I am far from an expert, in fact I'm still learning. I don't know a lot
   of the jargon, that is I still get the more intense terms mixed up, but I've
   been banging my head against ldap for about a month now and am starting to
   show results. Right now I'm using ldap in jails on freebsd 6.2 as I don't
   have all the bugs worked out to go production. I've got a directory that is
   a user addressbook as well as handles authentication of users, both for the
   jailed ldap server, but also for two other jailed environments, one the ldap
   client, the other just a test machine. I've also authenticated a linux box
   against this server that works fine with a few tweaks. Right now I've got a
   jail specifically for testmail setup I'm going to try to hook in email
   services, pop/imap, smtp, etc. in to ldap.
   If you have im abilities I can talk more there, but basically it's
   definitely not trivial to get going, in my opinion others might differ.
   Dave.
  
Thanks a lot. That might be interesting. TLS might not be that vital,
since I'm mostly thinking of a solution on my own servers and
primarily only on the central one. When I was on Linux, PAM was almost
a must, but I think it is different on FreeBSD, so I guess I would
prefer the solution with nss_ldap.
You are right, nothing severe will happen if I try to get the LDAP
server and client up and running in the first place. As far as I
remember, the most critical issue was how to initialize the database
and how to make a reasonable structure suited for both user
authentication, Samba and some mail server. Right now I have two
parallel structures, one for Samba/system users and one for (virtual)
mail users.
I still wonder why a universal implementation of LDAP authentication
on FreeBSD is not described anywhere. But if I find the time and
energy, I might try to experiment on my own and might also return to
you if I have more specific issues.

Regards,
Jon


Re: LDAP user authentication?

2008-02-14 Thread Jon Theil Nielsen
2008/2/14, Dave [EMAIL PROTECTED]:
 Hi,
 Actually I'm only using jails, because I haven't got all the bugs worked
  out yet and when I do I'm going to just copy the files over and go
  production. Other than that these files will work for a freebsd system. In
  brief you'll need openldap server and client ports, I'm using 2.4, pam_ldap
  port and nss_ldap port. Go configure all that and that'll do it, take it in
  stages, slapd first, the ldap client next, then either pam_ldap or nss_ldap,
  one thing you'll definitely want is tls encryption, can't help with that as
  I'm still trying to get that working.
 If you need any help let me know, I'll do what I can.

 Dave.
Hi again,
I don't know what happened, but now I found some seemingly useful
descriptions of LDAP authentication on FreeBSD. The one that appeared
most relevant is this one:
http://www.bsdforums.org/forums/archive/index.php/t-49221.html
Maybe it could be useful for you too. Obviously, I haven't had the
time to work through the description yet, but I will give it a try.

Best regards,
Jon


Re: LDAP user authentication?

2008-02-14 Thread Jonathan Chen
On Wed, Feb 13, 2008 at 08:10:57PM +0100, Jon Theil Nielsen wrote:
 I have googled for a very long time, but I haven't found any useful
 howto on this issue. Well, there is
 http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
 but that seems to be a bit confusing and not up-to-date. I guess it
 _should_ be possible - and indeed very useful (especially combined
 with Samba PDC and an easily maintainable mail server). So please, if
 you have any experiences or knowledge of a useful description..!

The first thing for you to do is to set up your LDAP tree, with your
users using objectClass=posixAccount, and your groups with
objectClass=posixGroup.

Then make the following changes to /etc/nsswitch.conf:
group: files ldap
passwd: files ldap

You then have to install the ports net/nss_ldap and security/pam_ldap.
The strategy you should adopt is to first get nss_ldap working before
looking at pam_ldap.

To configure nss_ldap:
cp /usr/local/etc/nss_ldap.conf.sample /usr/local/etc/nss_ldap.conf

When editing the nss_ldap.conf, the entries of particular interest
are bind_timelimit and bind_policy, which will need to be changed
so that the system will still allow you login locally even if the LDAP
server is not running. I've got mine set to:
bind_timelimit 3
bind_policy soft

Make sure your nss_base_passwd and nss_base_group are set correctly.
I found that I didn't need to set rootbinddn or provide a ldap.secret
file, YMMV.

You can then test with getent group or getent passwd. However,
getent(1) is only available with FreeBSD-7 onwards. If you aren't
using FreeBSD-7, the simplest way to test is to create a file whose
user and group ownership refers to the LDAP entries, and then see if
a simple ls -l displays correctly.

Once you've verified that this is working, you can then configure
pam_ldap:
cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf

Again, set the bind_timelimit and bind_policy to ensure you don't hang
your system if the LDAP server isn't up.

To configure PAM, you have to add a reference to pam_ldap in the
appropriate PAM files in /etc/pam.d. Here's my snippet in
/etc/pam.d/login to allow a console login:

# auth
auth sufficient  pam_self.so no_warn
auth sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth include system
...

The pam_ldap.so reference will need to be added to other pam.d files
as required, eg: imap, gdm, kde, xdm.

Hope this helps.
-- 
Jonathan Chen [EMAIL PROTECTED]
--
  Opportunities are seldom labeled
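As an added illustration of the checks in Jonathan's walkthrough (this is not his configuration, nor anything shipped with nss_ldap), the Python script below parses constructed nsswitch.conf and nss_ldap.conf texts and flags the points the post makes: `files` listed before `ldap` for passwd and group, `bind_policy soft` with a short `bind_timelimit` so that local logins survive an unreachable directory, and the presence of the nss_base_passwd / nss_base_group search bases. The file contents and the `example.invalid` DNs are constructed; the 5-second ceiling for bind_timelimit is an assumption chosen to match the post's value of 3.

```python
"""Audit of the nsswitch.conf / nss_ldap.conf settings the post calls out.
Added illustration, not the page's or nss_ldap's code; the configuration
texts below are constructed and the DNs use the reserved example.invalid."""

NSSWITCH_OK = """\
group: files ldap
passwd: files ldap
hosts: files dns
"""

# Constructed weak config: 'ldap' consulted before 'files', and group never
# reaches the directory at all.
NSSWITCH_BAD = """\
passwd: ldap files
group: files
"""

# Constructed nss_ldap.conf without the bind_* tuning: with the default hard
# bind policy every lookup keeps retrying while the directory is unreachable.
NSS_LDAP_WEAK = """\
uri ldap://ldap.example.invalid/
base dc=example,dc=invalid
nss_base_passwd ou=People,dc=example,dc=invalid?one
nss_base_group  ou=Group,dc=example,dc=invalid?one
"""

# The same file with the two values the post recommends.
NSS_LDAP_OK = NSS_LDAP_WEAK + "bind_timelimit 3\nbind_policy soft\n"


def parse_kv(text):
    """Parse 'key value' lines; '#' starts a comment; the last occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings


def parse_nsswitch(text):
    """Return {database: [source, ...]} from an nsswitch.conf body."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            databases[db.strip()] = sources.split()
    return databases


def audit_nsswitch(text):
    """passwd and group must consult 'files' before 'ldap' so that root and
    other local accounts keep resolving when the directory is down."""
    databases = parse_nsswitch(text)
    findings = []
    for db in ("passwd", "group"):
        sources = databases.get(db, [])
        if "ldap" not in sources:
            findings.append(f"{db}: 'ldap' source not enabled")
        elif "files" not in sources or sources.index("files") > sources.index("ldap"):
            findings.append(f"{db}: 'files' must precede 'ldap'")
    return findings


def audit_nss_ldap(text, max_timelimit=5):
    """Check the bind_* settings that keep local login usable when LDAP is down,
    and that the search bases the post mentions are present."""
    settings = parse_kv(text)
    findings = []
    if settings.get("bind_policy", "hard") != "soft":
        findings.append("bind_policy is not 'soft' (the default 'hard' keeps retrying)")
    timelimit = settings.get("bind_timelimit")
    if timelimit is None:
        findings.append("bind_timelimit not set; the library default applies")
    elif not timelimit.isdigit() or int(timelimit) > max_timelimit:
        findings.append(f"bind_timelimit {timelimit} is longer than {max_timelimit}s")
    for key in ("nss_base_passwd", "nss_base_group"):
        if key not in settings:
            findings.append(f"{key} missing; lookups fall back to searching 'base'")
    return findings


if __name__ == "__main__":
    print("nsswitch.conf:", audit_nsswitch(NSSWITCH_OK) or "ok")
    print("nss_ldap.conf (weak):", audit_nss_ldap(NSS_LDAP_WEAK) or "ok")
    print("nss_ldap.conf (tuned):", audit_nss_ldap(NSS_LDAP_OK) or "ok")
```

Pointing `audit_nsswitch` and `audit_nss_ldap` at the real files (`/etc/nsswitch.conf` and `/usr/local/etc/nss_ldap.conf` on the FreeBSD layout the post describes) turns this into a pre-reboot sanity check; the same two bind_* checks apply to pam_ldap's `/usr/local/etc/ldap.conf`, which the post says needs identical tuning.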


Re: LDAP user authentication?

2008-02-14 Thread Jon Theil Nielsen
2008/2/14, Jonathan Chen [EMAIL PROTECTED]:
 On Wed, Feb 13, 2008 at 08:10:57PM +0100, Jon Theil Nielsen wrote:
   I have googled for a very long time, but I haven't found any useful
   howto on this issue. Well, there is
   
 http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
   but that seems to be a bit confusing and not up-to-date. I guess it
   _should_ be possible - and indeed very useful (especially combined
   with Samba PDC and an easily maintainable mail server). So please, if
   you have any experiences or knowledge of a useful description..!


 The first thing for you to do is to set up your LDAP tree, with your
  users using objectClass=posixAccount, and your groups with
  objectClass=posixGroup.

  Then make the following changes to /etc/nsswitch.conf:
 group: files ldap
 passwd: files ldap

  You then have to install the ports net/nss_ldap and security/pam_ldap.
  The strategy you should adopt is to first get nss_ldap working before
  looking at pam_ldap.

  To configure nss_ldap:
 cp /usr/local/etc/nss_ldap.conf.sample /usr/local/etc/nss_ldap.conf

  When editing the nss_ldap.conf, the entries of particular interest
  are bind_timelimit and bind_policy, which will need to be changed
  so that the system will still allow you login locally even if the LDAP
  server is not running. I've got mine set to:
 bind_timelimit 3
 bind_policy soft

  Make sure your nss_base_passwd and nss_base_group are set correctly.
  I found that I didn't need to set rootbinddn or provide a ldap.secret
  file, YMMV.

  You can then test with getent group or getent passwd. However,
  getent(1) is only available with FreeBSD-7 onwards. If you aren't
  using FreeBSD-7, the simplest way to test is to create a file whose
  user and group ownership refers to the LDAP entries, and then see if
  a simple ls -l displays correctly.

  Once you've verified that this is working, you can then configure
  pam_ldap:
 cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf

  Again, set the bind_timelimit and bind_policy to ensure you don't hang
  your system if the LDAP server isn't up.

  To configure PAM, you have to add a reference to pam_ldap in the
  appropriate PAM files in /etc/pam.d. Here's my snippet in
  /etc/pam.d/login to allow a console login:

 # auth
 auth sufficient  pam_self.so no_warn
 auth sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
 auth include system
 ...

  The pam_ldap.so reference will need to be added to other pam.d files
  as required, eg: imap, gdm, kde, xdm.

  Hope this helps.

 --
  Jonathan Chen [EMAIL PROTECTED]

Well, I must say that this is almost more than I could imagine to get
out of my request..! I will absolutely try this method as soon as
possible. I hope I can make it work, and I will report back with
experiences (and hopefully not) problems/questions.

Regards,
Jon Theil Nielsen


Re: LDAP user authentication?

2008-02-14 Thread Olivier Nicole
Hi,

  I have googled for a very long time, but I haven't found any useful
   howto on this issue. Well, there is
   
 http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
   but that seems to be a bit confusing and not up-to-date. I guess it
   _should_ be possible - and indeed very useful (especially combined
   with Samba PDC and an easily maintainable mail server). So please, if

I read through the link you gave. My first impression is:

- pam-ldap is used for authentication: allow the user to login to the
  machine

- nss-ldap is used by the system when it needs to resolve things like
  gid-group name, user home directory, etc.

I will give it a try soon.

Though I am looking one step ahead, how to allow a user to
authenticate to this machine and not that machine, using the same ldap
directory.

Bests,

Olivier


Re: LDAP user authentication?

2008-02-14 Thread Jonathan Chen
On Fri, Feb 15, 2008 at 09:45:23AM +0700, Olivier Nicole wrote:
 Hi,
 
   I have googled for a very long time, but I haven't found any useful
howto on this issue. Well, there is

  http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
but that seems to be a bit confusing and not up-to-date. I guess it
_should_ be possible - and indeed very useful (especially combined
with Samba PDC and an easily maintainable mail server). So please, if
 
 I read through the link you gave. My first impression is:
 
 - pam-ldap is used for authentication: allow the user to login to the
   machine
 
 - nss-ldap is used by the system when it needs to resolve things like
   gid-group name, user home directory, etc.
 
 I will give it a try soon.
 
 Though I am looking one step ahead, how to allow a user to
 authenticate to this machine and not that machine, using the same ldap
 directory.

This can be done by setting pam_check_host_attr in ldap.conf for
pam_ldap.

Cheers.
-- 
Jonathan Chen [EMAIL PROTECTED]
---
One, with God, is always a majority, but many a martyr has been burned
   at the stake while the votes were being counted.  -- Thomas B. Reed
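Three answers in this thread restrict which hosts a directory user may log in to: Ganaël's nss_override_attribute_value lines, Norman's pam_filter, and Jonathan's pam_check_host_attr. The Python below is an added model of how each of those evaluates (it is not pam_ldap or nss_ldap code, and its details should be checked against the manual pages of the versions in use): a constructed LDIF with three users, the host-attribute check (a `host` value equal to the local hostname or `*`, with no attribute meaning denied), a small LDAP filter evaluator for the `(&(uid=login)(pam_filter))` lookup that pam_filter produces, and the client-side attribute substitution. The user names, DNs and hostnames are made up. One caveat the filter path makes visible: in an LDAP filter `(host=*)` is a presence test, so a user who is meant to match the literal `*` value must be matched with the escaped form `(host=\2a)`.

```python
"""Model of nss_override_attribute_value, pam_filter and pam_check_host_attr
as used in the thread. Added illustration only; the LDIF is constructed."""

# Constructed directory content: alice may use www and mail, bob any host,
# carol carries no host attribute at all.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=invalid
objectClass: posixAccount
uid: alice
loginShell: /bin/sh
host: www
host: mail

dn: uid=bob,ou=People,dc=example,dc=invalid
objectClass: posixAccount
uid: bob
loginShell: /bin/sh
host: *

dn: uid=carol,ou=People,dc=example,dc=invalid
objectClass: posixAccount
uid: carol
loginShell: /bin/sh
"""

def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, attribute names are
    lower-cased, every attribute maps to a list (no base64, no folded lines)."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def host_attr_allows(entry, hostname):
    """pam_check_host_attr semantics: a 'host' value must equal this host's
    name or be '*'; an entry with no 'host' attribute is denied everywhere."""
    hosts = [h.lower() for h in entry.get("host", [])]
    return "*" in hosts or hostname.lower() in hosts

def _split_components(s):
    """Split '(a=1)(b=2)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def matches_filter(entry, filt):
    """Evaluate a subset of RFC 4515 filters: (attr=value), (attr=*), &, |, !
    and the \\2a escape for a literal '*'. Comparison is case-insensitive."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: " + filt)
    body = filt[1:-1]
    if body[:1] in ("&", "|", "!"):
        results = [matches_filter(entry, c) for c in _split_components(body[1:])]
        if body[0] == "&":
            return all(results)
        return any(results) if body[0] == "|" else not results[0]
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    if value == "*":                      # presence test, not a wildcard value
        return bool(values)
    return value.lower().replace("\\2a", "*") in values

def login_allowed_by_filter(entries, uid, pam_filter):
    """pam_filter semantics: pam_ldap searches with (&(uid=<login>)(<filter>)),
    so a user the filter excludes is simply not found and cannot log in."""
    return any(matches_filter(e, f"(&(uid={uid})({pam_filter}))") for e in entries)

def apply_overrides(entry, overrides):
    """nss_override_attribute_value semantics: the client substitutes the
    configured value no matter what the directory returned."""
    merged = {attr: list(values) for attr, values in entry.items()}
    for attr, value in overrides.items():
        merged[attr.lower()] = [value]
    return merged

if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for user in users:
        name = user["uid"][0]
        print(name, "host attr on www:", host_attr_allows(user, "www"),
              "| pam_filter host=www:", login_allowed_by_filter(users, name, "host=www"))
    print("carol after override:", apply_overrides(users[2], {"loginShell": "/usr/bin/false"})["loginshell"])
```

The three mechanisms fail in different directions: the override approach still lets nss_ldap resolve the user (so `ls -l` shows names and chown works) while making the account unusable for login, whereas pam_filter and pam_check_host_attr decide at authentication time and leave the directory data untouched.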


LDAP user authentication?

2008-02-13 Thread Jon Theil Nielsen
I have googled for a very long time, but I haven't found any useful
howto on this issue. Well, there is
http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
but that seems to be a bit confusing and not up-to-date. I guess it
_should_ be possible - and indeed very useful (especially combined
with Samba PDC and an easily maintainable mail server). So please, if
you have any experiences or knowledge of a useful description..!

Regards,
Jon Theil Nielsen