pkg install nss-pam-ldapd
Edit /usr/local/etc/nslcd.conf with:
...
uri ldap://ldap.example.com
ldap_version 3
base dc=example,dc=com
scope sub
ssl no
...
Be aware of what ssl no means: every lookup nslcd makes, and every password that PAM forwards to the directory in a simple bind at login time, travels to ldap.example.com in the clear. That is acceptable on an isolated lab network and nowhere else. For anything real, use uri ldaps://ldap.example.com (or keep ldap:// and set ssl start_tls) together with tls_reqcert demand and a tls_cacertfile pointing at the CA that issued the directory's certificate, so the client also verifies whom it is talking to. If you later add a binddn/bindpw pair, keep the file owned by root with mode 0600.
Enable and restart the nslcd service. On FreeBSD the rc script refuses to start the daemon until nslcd_enable="YES" is set in /etc/rc.conf, so add that line first and then run:
service nslcd restart
Edit /etc/pam.d/system with the following:
Note: For brevity I'm only showing the pam_ldap and pam_unix lines so you know where they need to be in relation to each other.
...
auth      sufficient  /usr/local/lib/pam_ldap.so  try_first_pass
auth      required    pam_unix.so                 no_warn try_first_pass nullok
...
account   required    pam_unix.so
account   required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user
...
password  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
password  required    pam_unix.so                 no_warn try_first_pass
The order matters. pam_ldap is sufficient, so an LDAP user whose password the directory accepts is authenticated right there, while a local user falls through to pam_unix, which reuses the password already typed (try_first_pass) instead of prompting again. nullok is FreeBSD's stock setting for pam_unix in this file; it lets a local account with an empty password field log in without a password, so drop it if you do not want that. In the account stanza, ignore_unknown_user stops pam_ldap from rejecting accounts that exist only in /etc/passwd, and ignore_authinfo_unavail lets local accounts (root included) keep logging in when the directory is unreachable; LDAP users simply fail at the auth step in that case.
And similar changes to /etc/pam.d/sshd:
...
auth      sufficient  /usr/local/lib/pam_ldap.so  try_first_pass
auth      required    pam_unix.so                 no_warn try_first_pass
...
account   required    pam_unix.so
account   required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user
...
password  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
password  required    pam_unix.so                 no_warn try_first_pass
Edit /etc/nsswitch.conf with:
...
group: files ldap
...
passwd: files ldap
...
Keep files ahead of ldap in both lines: root and your other local accounts must resolve from /etc/passwd without waiting on nslcd, otherwise a dead directory server (or a stopped nslcd) can lock you out of the box.
You can test it by checking whether a user's ID resolves:
id exampleuser
You can also try getent:
getent passwd exampleuser
In both cases you should get valid output, and in the getent line the password field should contain a placeholder (an "x" or "*") rather than a hash: the password is checked against the directory by pam_ldap at login, not read out of the NSS entry. Both commands exercise only the NSS side (nslcd and nss_ldap). To prove the PAM side, log in as an LDAP user over ssh or with su from an unprivileged shell and watch /var/log/auth.log; a successful entry for an account that does not exist in /etc/passwd is the real confirmation.
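Before you point a real host at a directory, it is worth checking the two things the walkthrough above glosses over: whether nslcd.conf actually encrypts and authenticates the LDAP session, and whether nsswitch.conf still consults files before ldap. The following POSIX sh script is an added example and not part of the original post. It writes two constructed nslcd.conf samples (the first reproduces the plaintext settings shown above, the second swaps in ldaps:// with certificate verification) plus two constructed nsswitch.conf samples, and lints them. The policy it enforces (encrypted transport, tls_reqcert demand, a tls_cacertfile present, files listed before ldap) and the CA path /usr/local/etc/ssl/ldap-ca.pem are my choices for this example, not anything nslcd itself requires.

```sh
#!/bin/sh
# Added example (not from the original post): lint nslcd.conf and nsswitch.conf
# before trusting them with logins. Policy enforced here is this script's own:
#   - the LDAP session must be encrypted: an ldaps:// URI, or ssl on/start_tls;
#   - the server certificate must be verified: tls_reqcert demand + a CA file;
#   - nsswitch.conf must list "files" before "ldap" for passwd and group.

# Print the value of the first occurrence of a keyword in a "key value" file.
conf_value() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Return 0 if the nslcd.conf at $1 encrypts the session and verifies the server.
nslcd_uses_tls() {
  uri=$(conf_value "$1" uri)
  ssl=$(conf_value "$1" ssl)
  reqcert=$(conf_value "$1" tls_reqcert)
  cafile=$(conf_value "$1" tls_cacertfile)
  encrypted=1
  case "$uri" in ldaps://*) encrypted=0 ;; esac          # LDAP over TLS by URI
  case "$ssl" in on|start_tls) encrypted=0 ;; esac      # or by the ssl option
  [ "$encrypted" -eq 0 ] || return 1
  [ "$reqcert" = "demand" ] || return 1                  # refuse unverified certs
  [ -n "$cafile" ] || return 1                           # and pin a CA to verify with
  return 0
}

# Return 0 if every passwd/group line in the nsswitch.conf at $1 has files before ldap.
nss_files_before_ldap() {
  awk '
    $1 == "passwd:" || $1 == "group:" {
      f = 0; l = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "files") f = i
        if ($i == "ldap")  l = i
      }
      if (f == 0 || l == 0 || f > l) bad = 1
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample: the plaintext configuration from the walkthrough.
WEAK_CONF="$SAMPLE_DIR/nslcd-plaintext.conf"
cat > "$WEAK_CONF" <<'EOF'
uri ldap://ldap.example.com
ldap_version 3
base dc=example,dc=com
scope sub
ssl no
EOF

# Constructed sample: same directory over LDAPS, server cert checked against our CA.
# The CA path is an assumption for this example.
HARD_CONF="$SAMPLE_DIR/nslcd-tls.conf"
cat > "$HARD_CONF" <<'EOF'
uri ldaps://ldap.example.com
ldap_version 3
base dc=example,dc=com
scope sub
ssl on
tls_reqcert demand
tls_cacertfile /usr/local/etc/ssl/ldap-ca.pem
EOF

# Constructed nsswitch.conf samples: correct order, and two broken variants.
NSS_GOOD="$SAMPLE_DIR/nsswitch-good.conf"
printf 'group: files ldap\npasswd: files ldap\nhosts: files dns\n' > "$NSS_GOOD"
NSS_BAD="$SAMPLE_DIR/nsswitch-bad.conf"
printf 'group: ldap files\npasswd: ldap\n' > "$NSS_BAD"

for f in "$WEAK_CONF" "$HARD_CONF"; do
  if nslcd_uses_tls "$f"; then
    echo "OK    $f"
  else
    echo "WEAK  $f: lookups and bind passwords would cross the wire in the clear"
  fi
done
for f in "$NSS_GOOD" "$NSS_BAD"; do
  if nss_files_before_ldap "$f"; then
    echo "OK    $f"
  else
    echo "RISKY $f: local accounts depend on nslcd being up"
  fi
done
```

Run it as-is to see the verdicts on the constructed samples, or call nslcd_uses_tls /usr/local/etc/nslcd.conf and nss_files_before_ldap /etc/nsswitch.conf against the live files. The checks are deliberately strict: a config that relies on the LDAP library's default for tls_reqcert, or on a system-wide CA bundle with no tls_cacertfile, is reported as weak so that the decision to trust those defaults is made explicitly.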
Hurrah! Have fun with your FreeBSD LDAP setup!