Configuring LDAP Auth on FreeBSD
Install NSS LDAP Package
pkg install nss-pam-ldapd
Configure NSLCD
Edit /usr/local/etc/nslcd.conf with:
...
uri ldap://ldap.example.com
ldap_version 3
base dc=example,dc=com
scope sub
ssl no
Restart nslcd service:
service nslcd restart
Configure PAM
Edit /etc/pam.d/system with the following:
Note: For brevity I'm only showing the pam_ldap and pam_unix lines so you know where they need to be in relation to each other.
...
auth sufficient /usr/local/lib/pam_ldap.so try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
...
account required pam_unix.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
...
password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
And similar changes to /etc/pam.d/sshd:
...
auth sufficient /usr/local/lib/pam_ldap.so try_first_pass
auth required pam_unix.so no_warn try_first_pass
...
account required pam_unix.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
...
password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
Configure NSSwitch
Edit /etc/nsswitch.conf with:
...
group: files ldap
...
passwd: files ldap
...
Testing the Connection
You can test it by checking that a user's ID resolves:
id exampleuser
You can also try using getent:
getent passwd exampleuser
In both cases you should get some sort of valid output, and in the latter you should see an “x” for the password attribute (meaning it's an external password).
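Before logging out of the root shell, it is worth checking the three edited files for ordering mistakes. The script below is an added example and not part of the original page; it assumes the file paths the page uses, and the TLS check assumes nslcd accepts ssl on/yes/true/start_tls or an ldaps:// uri (with the page's ssl no it reports that binds are unencrypted).

```shell
#!/bin/sh
# Added example, not part of the original wiki page: static checks over the
# three files the page edits, so a typo in PAM or nsswitch is caught before you
# close the root shell. The default paths are the ones the page uses.

# 0 if, in section $2 (auth/account/password) of PAM file $1, the first line
# mentioning module $3 comes before the first line mentioning module $4.
pam_order() {
    a=$(awk -v s="$2" -v m="$3" '$1 == s && index($0, m) { print NR; exit }' "$1")
    b=$(awk -v s="$2" -v m="$4" '$1 == s && index($0, m) { print NR; exit }' "$1")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# 0 if database $2 (passwd, group) in nsswitch.conf $1 lists "files" then "ldap".
nss_files_then_ldap() {
    awk -v db="$2:" '
        $1 == db { f = l = 0
                   for (i = 2; i <= NF; i++) { if ($i == "files") f = i; if ($i == "ldap") l = i }
                   ok = (f && l && f < l) }
        END { exit !ok }' "$1"
}

# 0 if nslcd.conf $1 protects the bind: "ssl" set to on/yes/true/start_tls or an
# ldaps:// uri. (Assumption: these are the values nslcd accepts for TLS.)
nslcd_encrypts() {
    awk '
        $1 == "ssl" && $2 ~ /^(on|yes|true|start_tls)$/ { ok = 1 }
        $1 == "uri" && $2 ~ /^ldaps:\/\//               { ok = 1 }
        END { exit !ok }' "$1"
}

# Run all checks on PAM file $1, nsswitch.conf $2 and nslcd.conf $3.
# Prints each failure and returns the number of failed checks.
check_ldap_setup() {
    pam=${1:-/etc/pam.d/system}; nss=${2:-/etc/nsswitch.conf}
    nslcd=${3:-/usr/local/etc/nslcd.conf}; fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
    pam_order "$pam" auth     pam_ldap.so pam_unix.so || fail "$pam: auth must list pam_ldap before pam_unix"
    pam_order "$pam" account  pam_unix.so pam_ldap.so || fail "$pam: account must list pam_unix before pam_ldap"
    pam_order "$pam" password pam_ldap.so pam_unix.so || fail "$pam: password must list pam_ldap before pam_unix"
    for db in passwd group; do
        nss_files_then_ldap "$nss" "$db" || fail "$nss: $db must read 'files ldap'"
    done
    nslcd_encrypts "$nslcd" || fail "$nslcd: no TLS, binds are sent in cleartext (use ssl start_tls or an ldaps:// uri)"
    return "$fails"
}

# Usage: check_ldap_setup            (or pass the three files explicitly)
```

Run it as root after the edits; a zero exit status means every check passed, otherwise the count of failed checks is returned.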
Hurrah! Have fun with your FreeBSD LDAP setup!
wiki/freebsd/set_up_ldap_auth_freebsd.txt · Last modified: 2025/01/07 12:36 by Greg