====== Configuring LDAP Auth on FreeBSD ======
===== Install NSS LDAP Package =====
<code bash>pkg install nss-pam-ldapd</code>
===== Configure NSLCD =====
Edit /usr/local/etc/nslcd.conf with:
<code>
...
uri ldap://ldap.example.com
ldap_version 3
base dc=example,dc=com
scope sub
ssl no
</code>
Restart the nslcd service:
<code bash>service nslcd restart</code>
===== Configure PAM =====
Edit /etc/pam.d/system with the following:
**Note:** For brevity I'm only showing the pam_ldap and pam_unix lines, so you know where they need to be in relation to each other.
<code>
...
auth sufficient /usr/local/lib/pam_ldap.so try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
...
account required pam_unix.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
...
password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
</code>
And similar changes to /etc/pam.d/sshd:
<code>
...
auth sufficient /usr/local/lib/pam_ldap.so try_first_pass
auth required pam_unix.so no_warn try_first_pass
...
account required pam_unix.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
...
password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
</code>
===== Configure NSSwitch =====
Edit /etc/nsswitch.conf with:
<code>
...
group: files ldap
...
passwd: files ldap
...
</code>
===== Testing the Connection =====
You can test it by checking whether a user's ID can be resolved:
<code bash>id exampleuser</code>
You can also try using **getent**:
<code bash>getent passwd exampleuser</code>
In both cases you should get a valid entry back, and in the latter the password field should show an "x" (meaning the password is held externally, in LDAP).
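As an added sanity check (example script, not part of the original page), the following POSIX shell script verifies the pieces configured above: that nsswitch.conf lists ldap for passwd and group, that the user resolves through getent with a placeholder password field, and that the nslcd.conf uri/ssl combination does not send bind credentials and password changes over the network in the clear. It assumes the file paths used on this page and takes the username to check as its first argument.

```shell
#!/bin/sh
# Added example: sanity-check an nss-pam-ldapd setup. Assumes the page's
# paths (/usr/local/etc/nslcd.conf, /etc/nsswitch.conf); the live checks
# run only when a username is given as $1.

# 0 if a passwd(5) line carries a placeholder password field ("x" or "*"),
# i.e. the credential is held elsewhere (here: LDAP), not in master.passwd.
passwd_has_placeholder() {
    case "$(printf '%s' "$1" | cut -d: -f2)" in
        x|'*') return 0 ;;
        *)     return 1 ;;
    esac
}

# 0 if nsswitch.conf ($2) lists ldap after files for database $1,
# e.g. "passwd: files ldap".
nss_has_ldap() {
    printf '%s\n' "$2" |
        grep -Eq "^[[:space:]]*$1:[[:space:]]+files([[:space:]]+[a-z]+)*[[:space:]]+ldap([[:space:]]|$)"
}

# 0 if nslcd.conf ($1) uses a plain ldap:// URI without "ssl start_tls":
# the directory traffic, including bind credentials, then crosses the
# network unencrypted. An ldaps:// URI or start_tls is not flagged.
nslcd_is_cleartext() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' &&
    ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls'
}

if [ "$#" -ge 1 ]; then
    user="$1"; rc=0
    nss="$(cat /etc/nsswitch.conf)"
    nss_has_ldap passwd "$nss" || { echo "passwd: ldap missing from nsswitch.conf"; rc=1; }
    nss_has_ldap group  "$nss" || { echo "group: ldap missing from nsswitch.conf"; rc=1; }
    if entry="$(getent passwd "$user")"; then
        echo "$entry"
        passwd_has_placeholder "$entry" || { echo "$user: password field is not a placeholder"; rc=1; }
    else
        echo "$user: not resolvable via getent (is nslcd running?)"; rc=1
    fi
    nslcd_is_cleartext "$(cat /usr/local/etc/nslcd.conf)" &&
        echo "warning: nslcd talks to the directory without TLS"
    exit "$rc"
fi
```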
Hurrah! Have fun with your FreeBSD LDAP setup!