Re: LDAP user authentication?
Hi Jon. Look, I'm in your situation, searching for documents about this authentication stuff. I have followed this thread; I just want to know if you already have done this and what your results were. Thanks!!!

On Sun, Feb 17, 2008 at 4:49 PM, Jonathan Chen [EMAIL PROTECTED] wrote:
> On Sun, Feb 17, 2008 at 05:45:33PM -0500, Darek M. wrote:
>> Jon Theil Nielsen wrote:
>>> I have googled for a very long time, but I haven't found any useful howto on this issue. Well, there is http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html but that seems to be a bit confusing and not up-to-date. I guess it _should_ be possible - and indeed very useful (especially combined with Samba PDC and an easily maintainable mail server). So please, if you have any experiences or knowledge of a useful description..!
>>> Regards, Jon Theil Nielsen
>>
>> At the risk of a thread-jack... how are home directories handled? Will 'user' have a home dir on the local system? I suppose once LDAP is set up properly, you can then create the home dir, then chown it 'user', with 'user' not being a local user and not in passwd/master.passwd files. So when you chown/chgrp, those commands go through pam/nss/ldap to retrieve the proper id and name from the LDAP server?
>
> There's security/pam_mkhomedir, which should do what you want.
>
> Cheers.
> -- Jonathan Chen [EMAIL PROTECTED]
> We laugh in the face of danger, we drop icecubes down the vest of fear - Edmond Blackadder III

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: LDAP user authentication?
On Wed, Mar 05, 2008 at 03:34:59PM -0800, perikillo wrote:
> Hi Jon. Look, I'm in your situation, searching for documents about this authentication stuff. I have followed this thread; I just want to know if you already have done this and what your results were.

I've got LDAP auth set up, and it works fine for me; it's been in place since December 2007.

Cheers.
-- Jonathan Chen [EMAIL PROTECTED]
-- When all else fails, RTFM
Re: LDAP user authentication?
Jon Theil Nielsen wrote:
> I have googled for a very long time, but I haven't found any useful howto on this issue. Well, there is http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html but that seems to be a bit confusing and not up-to-date. I guess it _should_ be possible - and indeed very useful (especially combined with Samba PDC and an easily maintainable mail server). So please, if you have any experiences or knowledge of a useful description..!
> Regards, Jon Theil Nielsen

At the risk of a thread-jack... how are home directories handled? Will 'user' have a home dir on the local system? I suppose once LDAP is set up properly, you can then create the home dir, then chown it 'user', with 'user' not being a local user and not in passwd/master.passwd files. So when you chown/chgrp, those commands go through pam/nss/ldap to retrieve the proper id and name from the LDAP server?

For anyone that runs such a system, is there a delay when logging in or 'ls -l'ing an LDAP user's files, etc? Or is it unnoticeable if the network between them is reasonably responsive?

- Darek
Re: LDAP user authentication?
On Sun, Feb 17, 2008 at 05:45:33PM -0500, Darek M. wrote:
> Jon Theil Nielsen wrote:
>> I have googled for a very long time, but I haven't found any useful howto on this issue. Well, there is http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html but that seems to be a bit confusing and not up-to-date. I guess it _should_ be possible - and indeed very useful (especially combined with Samba PDC and an easily maintainable mail server). So please, if you have any experiences or knowledge of a useful description..!
>> Regards, Jon Theil Nielsen
>
> At the risk of a thread-jack... how are home directories handled? Will 'user' have a home dir on the local system? I suppose once LDAP is set up properly, you can then create the home dir, then chown it 'user', with 'user' not being a local user and not in passwd/master.passwd files. So when you chown/chgrp, those commands go through pam/nss/ldap to retrieve the proper id and name from the LDAP server?

There's security/pam_mkhomedir, which should do what you want.

Cheers.
-- Jonathan Chen [EMAIL PROTECTED]
We laugh in the face of danger, we drop icecubes down the vest of fear - Edmond Blackadder III
Re: LDAP user authentication?
On Fri, 15 Feb 2008 09:45:23 +0700 (ICT), Olivier Nicole wrote:

Hi Olivier,

> Though I am looking one step ahead, how to allow a user to authenticate to this machine and not that machine, using the same ldap directory.

You can override attributes in your /usr/local/etc/nss_ldap.conf. Something like this:

    nss_override_attribute_value homeDirectory /dev/null
    nss_override_attribute_value loginShell /usr/bin/false
    nss_override_attribute_value userPassword x

should prevent users from logging in on your machine.

Best regards,
Ganaël LAPLANCHE [EMAIL PROTECTED] http://www.martymac.com
Re: LDAP user authentication?
On Friday, 15.02.2008, 09:45 +0700, Olivier Nicole wrote:
> Hi,
>
>> I have googled for a very long time, but I haven't found any useful howto on this issue. Well, there is http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html but that seems to be a bit confusing and not up-to-date. I guess it _should_ be possible - and indeed very useful (especially combined with Samba PDC and an easily maintainable mail server). So please, if
>
> I read through the link you gave. My first impression is:
>
> - pam-ldap is used for authentication: allow the user to login to the machine
> - nss-ldap is used by the system when it needs to resolve things like gid-group name, user home directory, etc.
>
> I will give it a try soon.
>
> Though I am looking one step ahead, how to allow a user to authenticate to this machine and not that machine, using the same ldap directory.
>
> Bests,
> Olivier

You can use the pam_filter option for this..

bye
Norman
Re: LDAP user authentication?
> I have googled for a very long time, but I haven't found any useful howto on this issue. Well, there is http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html but that seems to be a bit confusing and not up-to-date. I guess it _should_ be possible - and indeed very useful (especially combined with Samba PDC and an easily maintainable mail server). So please, if you have any experiences or knowledge of a useful description..!
> Regards, Jon Theil Nielsen

2008/2/14, Dave [EMAIL PROTECTED]:
> Hi,
> I am far from an expert, in fact I'm still learning. I don't know a lot of the jargon, that is I still get the more intense terms mixed up, but I've been banging my head against ldap for about a month now and am starting to show results. Right now I'm using ldap in jails on FreeBSD 6.2 as I don't have all the bugs worked out to go production. I've got a directory that is a user addressbook as well as handles authentication of users, both for the jailed ldap server, but for two other jailed environments, one the ldap client, the other just a test machine. I've also authenticated a linux box against this server that works fine with a few tweaks. Right now I've got a jail specifically for testmail setup; I'm going to try to hook in email services, pop/imap, smtp, etc. into ldap. If you have IM abilities I can talk more there, but basically it's definitely not trivial to get going, in my opinion others might differ.
> Dave.

I have some experience with FreeBSD but not with running in jails. It might be a solution, but I don't know. What I would really like is a thorough description of setting LDAP authentication up for the whole system. But I might read up on jails. Thanks anyway.

Regards, Jon Theil Nielsen
Re: LDAP user authentication?
2008/2/14, Dave [EMAIL PROTECTED]:
> Hi,
> Actually I'm only using jails because I haven't got all the bugs worked out yet, and when I do I'm going to just copy the files over and go production. Other than that these files will work for a FreeBSD system. In brief you'll need openldap server and client ports (I'm using 2.4), pam_ldap port and nss_ldap port. Go configure all that and that'll do it; take it in stages: slapd first, the ldap client next, then either pam_ldap or nss_ldap. One thing you'll definitely want is TLS encryption; can't help with that as I'm still trying to get that working. If you need any help let me know, I'll do what I can.
> Dave.
>
> ----- Original Message -----
> From: Jon Theil Nielsen [EMAIL PROTECTED]
> To: Dave [EMAIL PROTECTED]
> Cc: freebsd-questions@freebsd.org
> Sent: Thursday, February 14, 2008 7:20 AM
> Subject: Re: LDAP user authentication?
>
>> I have googled for a very long time, but I haven't found any useful howto on this issue. Well, there is http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html but that seems to be a bit confusing and not up-to-date. I guess it _should_ be possible - and indeed very useful (especially combined with Samba PDC and an easily maintainable mail server). So please, if you have any experiences or knowledge of a useful description..!
>> Regards, Jon Theil Nielsen
>>
>> 2008/2/14, Dave [EMAIL PROTECTED]:
>>> Hi,
>>> I am far from an expert, in fact I'm still learning. I don't know a lot of the jargon, that is I still get the more intense terms mixed up, but I've been banging my head against ldap for about a month now and am starting to show results. Right now I'm using ldap in jails on FreeBSD 6.2 as I don't have all the bugs worked out to go production. I've got a directory that is a user addressbook as well as handles authentication of users, both for the jailed ldap server, but for two other jailed environments, one the ldap client, the other just a test machine. I've also authenticated a linux box against this server that works fine with a few tweaks. Right now I've got a jail specifically for testmail setup; I'm going to try to hook in email services, pop/imap, smtp, etc. into ldap. If you have IM abilities I can talk more there, but basically it's definitely not trivial to get going, in my opinion others might differ.
>>> Dave.

Thanks a lot. That might be interesting. TLS might not be that vital, since I'm mostly thinking of a solution on my own servers and primarily only on the central one. When I was on Linux, PAM was almost a must, but I think it is different on FreeBSD, so I guess I would prefer the solution with nss_ldap. You are right, nothing severe will happen if I try to get the LDAP server and client up and running in the first place. As far as I remember, the most critical issue was how to initialize the database and how to make a reasonable structure suited for both user authentication, Samba and some mail server. Right now I have two parallel structures, one for Samba/system users and one for (virtual) mail users. I still wonder why a universal implementation of LDAP authentication on FreeBSD is not described anywhere. But if I find the time and energy, I might try to experiment on my own and might also return to you if I have more specific issues.

Regards, Jon
Re: LDAP user authentication?
2008/2/14, Dave [EMAIL PROTECTED]:
> Hi,
> Actually I'm only using jails because I haven't got all the bugs worked out yet, and when I do I'm going to just copy the files over and go production. Other than that these files will work for a FreeBSD system. In brief you'll need openldap server and client ports (I'm using 2.4), pam_ldap port and nss_ldap port. Go configure all that and that'll do it; take it in stages: slapd first, the ldap client next, then either pam_ldap or nss_ldap. One thing you'll definitely want is TLS encryption; can't help with that as I'm still trying to get that working. If you need any help let me know, I'll do what I can.
> Dave.

Hi again,

I don't know what happened, but now I found some seemingly useful descriptions of LDAP authentication on FreeBSD. The one that appeared most relevant is this one: http://www.bsdforums.org/forums/archive/index.php/t-49221.html Maybe it could be useful for you too. Obviously, I haven't had the time to work through the description yet, but I will give it a try.

Best regards, Jon
Re: LDAP user authentication?
On Wed, Feb 13, 2008 at 08:10:57PM +0100, Jon Theil Nielsen wrote:
> I have googled for a very long time, but I haven't found any useful howto on this issue. Well, there is http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html but that seems to be a bit confusing and not up-to-date. I guess it _should_ be possible - and indeed very useful (especially combined with Samba PDC and an easily maintainable mail server). So please, if you have any experiences or knowledge of a useful description..!

The first thing for you to do is to set up your LDAP tree, with your users using objectClass=posixAccount, and your groups with objectClass=posixGroup. Then make the following changes to /etc/nsswitch.conf:

    group: files ldap
    passwd: files ldap

You then have to install the ports net/nss_ldap and security/pam_ldap. The strategy you should adopt is to first get nss_ldap working before looking at pam_ldap.

To configure nss_ldap:

    cp /usr/local/etc/nss_ldap.conf.sample /usr/local/etc/nss_ldap.conf

When editing the nss_ldap.conf, the entries of particular interest are bind_timelimit and bind_policy, which will need to be changed so that the system will still allow you to login locally even if the LDAP server is not running. I've got mine set to:

    bind_timelimit 3
    bind_policy soft

Make sure your nss_base_passwd and nss_base_group are set correctly. I found that I didn't have to set rootbinddn or provide a ldap.secret file, YMMV.

You can then test with getent group or getent passwd. However, getent(1) is only available with FreeBSD-7 onwards. If you aren't using FreeBSD-7, the simplest way to test is to create a file whose user and group ownership refers to the LDAP entries, and then see if a simple ls -l displays correctly.

Once you've verified that this is working, you can then configure pam_ldap:

    cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf

Again, set the bind_timelimit and bind_policy to ensure you don't hang your system if the LDAP server isn't up.

To configure PAM, you have to add a reference to pam_ldap in the appropriate PAM files in /etc/pam.d. Here's my snippet in /etc/pam.d/login to allow a console login:

    # auth
    auth    sufficient  pam_self.so                 no_warn
    auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
    auth    include     system
    ...

The pam_ldap.so reference will need to be added to other pam.d files as required, eg: imap, gdm, kde, xdm.

Hope this helps.
-- Jonathan Chen [EMAIL PROTECTED]
-- Opportunities are seldom labeled
Re: LDAP user authentication?
2008/2/14, Jonathan Chen [EMAIL PROTECTED]:
> On Wed, Feb 13, 2008 at 08:10:57PM +0100, Jon Theil Nielsen wrote:
>> I have googled for a very long time, but I haven't found any useful howto on this issue. Well, there is http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html but that seems to be a bit confusing and not up-to-date. I guess it _should_ be possible - and indeed very useful (especially combined with Samba PDC and an easily maintainable mail server). So please, if you have any experiences or knowledge of a useful description..!
>
> The first thing for you to do is to set up your LDAP tree, with your users using objectClass=posixAccount, and your groups with objectClass=posixGroup. Then make the following changes to /etc/nsswitch.conf:
>
>     group: files ldap
>     passwd: files ldap
>
> You then have to install the ports net/nss_ldap and security/pam_ldap. The strategy you should adopt is to first get nss_ldap working before looking at pam_ldap.
>
> To configure nss_ldap:
>
>     cp /usr/local/etc/nss_ldap.conf.sample /usr/local/etc/nss_ldap.conf
>
> When editing the nss_ldap.conf, the entries of particular interest are bind_timelimit and bind_policy, which will need to be changed so that the system will still allow you to login locally even if the LDAP server is not running. I've got mine set to:
>
>     bind_timelimit 3
>     bind_policy soft
>
> Make sure your nss_base_passwd and nss_base_group are set correctly. I found that I didn't have to set rootbinddn or provide a ldap.secret file, YMMV.
>
> You can then test with getent group or getent passwd. However, getent(1) is only available with FreeBSD-7 onwards. If you aren't using FreeBSD-7, the simplest way to test is to create a file whose user and group ownership refers to the LDAP entries, and then see if a simple ls -l displays correctly.
>
> Once you've verified that this is working, you can then configure pam_ldap:
>
>     cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf
>
> Again, set the bind_timelimit and bind_policy to ensure you don't hang your system if the LDAP server isn't up.
>
> To configure PAM, you have to add a reference to pam_ldap in the appropriate PAM files in /etc/pam.d. Here's my snippet in /etc/pam.d/login to allow a console login:
>
>     # auth
>     auth    sufficient  pam_self.so                 no_warn
>     auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>     auth    include     system
>     ...
>
> The pam_ldap.so reference will need to be added to other pam.d files as required, eg: imap, gdm, kde, xdm.
>
> Hope this helps.
> -- Jonathan Chen [EMAIL PROTECTED]

Well, I must say that this is almost more than I could imagine to get out of my request..! I will absolutely try this method as soon as possible. I hope I can make it work, and I will report back with experiences (and hopefully not) problems/questions.

Regards, Jon Theil Nielsen
Re: LDAP user authentication?
Hi,

> I have googled for a very long time, but I haven't found any useful howto on this issue. Well, there is http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html but that seems to be a bit confusing and not up-to-date. I guess it _should_ be possible - and indeed very useful (especially combined with Samba PDC and an easily maintainable mail server). So please, if

I read through the link you gave. My first impression is:

- pam-ldap is used for authentication: allow the user to login to the machine
- nss-ldap is used by the system when it needs to resolve things like gid-group name, user home directory, etc.

I will give it a try soon.

Though I am looking one step ahead, how to allow a user to authenticate to this machine and not that machine, using the same ldap directory.

Bests,
Olivier
Re: LDAP user authentication?
On Fri, Feb 15, 2008 at 09:45:23AM +0700, Olivier Nicole wrote:
> Hi,
>
>> I have googled for a very long time, but I haven't found any useful howto on this issue. Well, there is http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html but that seems to be a bit confusing and not up-to-date. I guess it _should_ be possible - and indeed very useful (especially combined with Samba PDC and an easily maintainable mail server). So please, if
>
> I read through the link you gave. My first impression is:
>
> - pam-ldap is used for authentication: allow the user to login to the machine
> - nss-ldap is used by the system when it needs to resolve things like gid-group name, user home directory, etc.
>
> I will give it a try soon.
>
> Though I am looking one step ahead, how to allow a user to authenticate to this machine and not that machine, using the same ldap directory.

This can be done by setting pam_check_host_attr in ldap.conf for pam_ldap.

Cheers.
-- Jonathan Chen [EMAIL PROTECTED]
--- One, with God, is always a majority, but many a martyr has been burned at the stake while the votes were being counted. -- Thomas B. Reed
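The settings recommended across this thread can be checked mechanically: files before ldap in /etc/nsswitch.conf, bind_policy soft with a short bind_timelimit so a dead LDAP server does not hang console login, nss_base_passwd/nss_base_group set, TLS on the client connection (Dave's point), pam_ldap listed as sufficient ahead of include system in /etc/pam.d/login, and per-host access enforced in PAM via pam_check_host_attr or pam_filter rather than only through the nss_override_attribute_value trick (which changes what NSS returns but not what pam_ldap authenticates). The script below is an added example written for this page, not code from any of the posters. It parses the flat "keyword value" format of nss_ldap.conf and pam_ldap's ldap.conf, nsswitch.conf and a pam.d policy, reports deviations, and reproduces the host-attribute match that pam_check_host_attr performs (rule taken from pam_ldap's source, not from the thread). The sample configs are constructed; the DNs, hostnames and the 5 second timeout threshold are placeholders.

```python
"""Audit the nss_ldap / pam_ldap settings discussed in this thread (added example,
not code from the posters). Parses the "keyword value" files nss_ldap.conf and
ldap.conf, /etc/nsswitch.conf and an /etc/pam.d/login-style policy. Samples are
constructed; DNs, hostnames and the 5 s timeout threshold are placeholders."""
import re

def parse_conf(text):
    """'keyword value...' lines -> {keyword: [values]}; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = re.split(r"\s+", line, maxsplit=1)
            conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit_ldap_client(conf, max_timelimit=5):
    """Findings common to nss_ldap.conf and pam_ldap's ldap.conf (last value wins)."""
    out = []
    if conf.get("bind_policy", ["hard"])[-1] != "soft":  # nss_ldap/pam_ldap default: hard
        out.append("bind_policy is not 'soft': lookups keep retrying while the LDAP server is down")
    limit = conf.get("bind_timelimit", ["30"])[-1]  # default: 30 s
    if not limit.isdigit() or int(limit) > max_timelimit:
        out.append("bind_timelimit %s > %d s: console login stalls while LDAP is unreachable" % (limit, max_timelimit))
    uris = " ".join(conf.get("uri", []))
    if conf.get("ssl", ["no"])[-1] not in ("on", "start_tls") and "ldaps://" not in uris:
        out.append("no TLS ('ssl start_tls', 'ssl on' or an ldaps:// uri): simple binds send passwords in clear")
    return out

def audit_nss_ldap(text):
    conf = parse_conf(text)
    out = audit_ldap_client(conf)
    for base in ("nss_base_passwd", "nss_base_group"):
        if base not in conf:
            out.append(base + " unset: every lookup searches the whole tree")
    overridden = {v.split()[0].lower() for v in conf.get("nss_override_attribute_value", []) if v}
    if overridden & {"loginshell", "homedirectory", "userpassword"}:
        out.append("nss_override_attribute_value changes only what NSS returns; pam_ldap still binds "
                   "with the user's real password, so also deny the host in PAM")
    return out

def audit_pam_ldap(text):
    conf = parse_conf(text)
    out = audit_ldap_client(conf)
    if conf.get("pam_check_host_attr", ["no"])[-1].lower() != "yes" and "pam_filter" not in conf:
        out.append("neither pam_check_host_attr nor pam_filter: every posixAccount in the tree may log in here")
    return out

def audit_nsswitch(text):
    out = []
    for db in ("passwd", "group"):
        m = re.search(r"^%s:\s*(.*)$" % db, text, re.M)
        srcs = m.group(1).split() if m else []
        if "ldap" not in srcs:
            out.append(db + ": no ldap source")
        elif "files" not in srcs or srcs.index("files") > srcs.index("ldap"):
            out.append(db + ": list 'files' before 'ldap' so root resolves without the directory")
    return out

def audit_pam_login(text):
    """Check the auth stack: pam_ldap present, 'sufficient', and before 'include system'."""
    rows = [ln.split("#", 1)[0].split() for ln in text.splitlines()]
    auth = [r[1:] for r in rows if r[:1] == ["auth"]]
    ldap = [i for i, e in enumerate(auth) if len(e) > 1 and e[1].endswith("pam_ldap.so")]
    if not ldap:
        return ["pam_ldap.so missing from the auth stack: LDAP passwords are never checked"]
    out = []
    if auth[ldap[0]][0] != "sufficient":
        out.append("pam_ldap is '%s': with 'required' a dead LDAP server locks out local users too" % auth[ldap[0]][0])
    if ["include", "system"] in [e[:2] for e in auth[:ldap[0]]]:
        out.append("pam_ldap after 'include system': a required pam_unix failure for a non-local user is not undone by a later 'sufficient'")
    return out

def host_allowed(host_values, hostname):
    """pam_check_host_attr rule as in pam_ldap's source (not from the thread): the
    entry's host attribute must hold this host's name (case-insensitive) or '*'."""
    return any(v == "*" or v.lower() == hostname.lower() for v in host_values)

WEAK_NSS_LDAP = "uri ldap://ldap.example.net/\nbase dc=example,dc=net\n"  # constructed sample
GOOD_NSS_LDAP = WEAK_NSS_LDAP + """\
ssl start_tls
bind_timelimit 3
bind_policy soft
nss_base_passwd ou=People,dc=example,dc=net?one
nss_base_group  ou=Group,dc=example,dc=net?one
"""
GOOD_PAM_LDAP = GOOD_NSS_LDAP + "pam_check_host_attr yes\n"
NSSWITCH = "group: files ldap\npasswd: files ldap\n"
PAM_LOGIN = """\
# auth
auth    sufficient  pam_self.so                 no_warn
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth    include     system
"""

if __name__ == "__main__":
    for name, found in (("weak nss_ldap.conf", audit_nss_ldap(WEAK_NSS_LDAP)),
                        ("good nss_ldap.conf", audit_nss_ldap(GOOD_NSS_LDAP)),
                        ("pam_ldap ldap.conf", audit_pam_ldap(GOOD_PAM_LDAP)),
                        ("nsswitch.conf", audit_nsswitch(NSSWITCH)),
                        ("pam.d/login", audit_pam_login(PAM_LOGIN))):
        print(name, "->", found or "ok")
```

Run it as is to see the bare two-line client config flagged five times and the thread's settings pass clean; point the audit functions at the real files (read them in and pass the text) to check a live host. The pam.d check reads only the auth stack and only the first pam_ldap entry, which is enough for the login snippet above; account and session lines, and the other pam.d files Jonathan lists (imap, gdm, kde, xdm), would need the same treatment.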
LDAP user authentication?
I have googled for a very long time, but I haven't found any useful howto on this issue. Well, there is http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html but that seems to be a bit confusing and not up-to-date. I guess it _should_ be possible - and indeed very useful (especially combined with Samba PDC and an easily maintainable mail server). So please, if you have any experiences or knowledge of a useful description..!

Regards, Jon Theil Nielsen