Active Directory With nss_ldap And pam_ldap On FreeBSD

UPDATE Tue 8 Nov 2005 4:05pm: If you are interested in using Active Directory users and groups on FreeBSD, please read the updated version of this post: FreeBSD Users and Groups with Samba (Winbind) and Active Directory. The updated version doesn’t have the LDAP requirements that this howto does.


Back in January of I had mentioned using SFU with nss_ldap on FreeBSD on my old blog. Now that I’ve got a couple of fresh Windows 2000 servers with Active Directory and SFU (Windows Services For Unix) I figured now was a good time to write a howto on making FreeBSD use nss_ldap and pam_ldap in conjunction with Active Directory. I’m using Windows 2000, SFU 3.5, FreeBSD 5.2.1-RELEASE, nss_ldap 1.204_5 and pam_ldap 1.6.9 for this write up.

  1. Windows: Have Active Directory up and running. If you are starting from scratch you may want to look at my entry on installing a new Windows 2000 server.
  2. Windows: Have SFU installed, specifically ‘Server for NIS’. Installing that will alter the Active Directory LDAP schema and add a ‘Unix Attributes’ tab to the user properties window.
  3. Windows: Add unix attributes to groups and users that you need to use via nss_ldap.
  4. FreeBSD: Install net/nss_ldap and security/pam_ldap from the FreeBSD ports collection.
  5. FreeBSD: Create the file /usr/local/etc/ldap.conf, add the following (using your own info instead of the example.com info):
    uri ldap://yourldapserver.example.com/
    base dc=example,dc=com
    ldap_version 3
    binddn administrator@example.com
    bindpw AdminPasswordHere
    scope sub
    pam_login_attribute msSFU30Name
    pam_password ad
    nss_base_passwd cn=users,dc=example,dc=com?one
    nss_base_group cn=users,dc=example,dc=com?one
    nss_map_objectclass posixAccount User
    nss_map_attribute uid msSFU30Name
    nss_map_attribute uidNumber msSFU30UidNumber
    nss_map_attribute gidNumber msSFU30GidNumber
    nss_map_attribute loginShell msSFU30LoginShell
    nss_map_attribute gecos name
    nss_map_attribute userPassword msSFU30Password
    nss_map_attribute homeDirectory msSFU30HomeDirectory
    nss_map_objectclass posixGroup Group
    nss_map_attribute uniqueMember posixMember
    nss_map_attribute cn sAMAccountName
    
  6. FreeBSD: Restrict access to /usr/local/etc/ldap.conf with chmod 400 ldap.conf.
  7. FreeBSD: Create a symlink for /usr/local/etc/nss_ldap.conf pointing to /usr/local/etc/ldap.conf (ln -s ldap.conf nss_ldap.conf). You can use two different config files, but in this example I’m putting everything in one file.
  8. FreeBSD: Create the file /etc/nsswitch.conf, add the following:
    passwd: files ldap
    group: files ldap
    
  9. FreeBSD: In /etc/pam.d, add the following line to the auth section of each service file that will need to use LDAP authentication; likely candidates include sshd, imap, ftpd and others.
    auth            sufficient      /usr/local/lib/pam_ldap.so
    

That’s it, at this point your FreeBSD system should know about Active Directory users and groups and also authenticate those users against Active Directory. You can test it by using finger or id for an Active Directory user that has unix attributes. Remember to include an auth line for pam_ldap in every service that will need to authenticate users.
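Before pointing a box at a live domain controller it is worth checking that the steps above were applied the way the post describes, since the bind password sits in ldap.conf in clear text and a missing nss_map_attribute line silently yields users with no UID or shell. The following audit script is an added example, not part of the original post: it checks the permissions of ldap.conf, the msSFU30 attribute mapping, whether the uri is wrapped in TLS, the nsswitch.conf entries and the pam_ldap auth line in the PAM service files. The file locations are the ones the post uses; CONF_DIR and ETC_DIR are assumed override variables so the script can be run against a scratch copy.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the nss_ldap /
# pam_ldap setup from the steps above. CONF_DIR and ETC_DIR are assumed
# override variables; the defaults are the paths the post uses.
CONF_DIR=${CONF_DIR:-/usr/local/etc}
ETC_DIR=${ETC_DIR:-/etc}

# Return 0 when ldap.conf is readable only by its owner (mode 0400 or 0600),
# since it holds the bindpw in clear text.
check_ldap_conf_mode() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        -r--------|-rw-------) return 0 ;;
        *) echo "WARN: $1 is '$perms'; bindpw is readable by others"; return 1 ;;
    esac
}

# Return 0 when every attribute nss_ldap needs for a passwd entry is mapped
# to an msSFU30* attribute, as in the ldap.conf from step 5.
check_sfu_mapping() {
    missing=0
    for attr in uid uidNumber gidNumber loginShell homeDirectory; do
        if ! grep -Eq "^[[:space:]]*nss_map_attribute[[:space:]]+$attr[[:space:]]+msSFU30" "$1"; then
            echo "WARN: $attr is not mapped to an msSFU30* attribute in $1"
            missing=1
        fi
    done
    return $missing
}

# Return 0 when the LDAP URI uses ldaps://; with plain ldap:// the bind
# password and every lookup cross the network in the clear.
check_uri_tls() {
    if grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://' "$1"; then
        return 0
    fi
    echo "WARN: uri in $1 is not ldaps://; LDAP traffic will be in the clear"
    return 1
}

# Return 0 when nsswitch.conf consults ldap for both passwd and group.
check_nsswitch() {
    grep -Eq '^passwd:[[:space:]].*ldap' "$1" && grep -Eq '^group:[[:space:]].*ldap' "$1"
}

# Return 0 when the given PAM service file has an auth line for pam_ldap.so.
check_pam_service() {
    grep -Eq '^auth[[:space:]]+(sufficient|required|requisite)[[:space:]]+.*pam_ldap\.so' "$1"
}

# Run every check; returns non-zero if any of them failed.
ldap_setup_audit() {
    rc=0
    check_ldap_conf_mode "$CONF_DIR/ldap.conf" || rc=1
    check_sfu_mapping "$CONF_DIR/ldap.conf" || rc=1
    check_uri_tls "$CONF_DIR/ldap.conf" || rc=1
    check_nsswitch "$ETC_DIR/nsswitch.conf" || rc=1
    for svc in sshd ftpd; do
        f="$ETC_DIR/pam.d/$svc"
        [ -f "$f" ] || continue
        check_pam_service "$f" || { echo "WARN: no pam_ldap auth line in $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: nss_ldap/pam_ldap configuration looks complete"
    return $rc
}

# Run the audit when invoked as "sh ldap-audit.sh audit"; without the
# argument the script only defines the functions so it can be sourced.
[ "${1:-}" = "audit" ] && ldap_setup_audit
```

Run it as root once the nine steps are done (`sh ldap-audit.sh audit`), then follow up with `id` or `finger` for an AD user as the post suggests; the script only inspects files, so a clean result still says nothing about whether the domain controller answers.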

Even though everything works at this point, there are still a couple of things to be aware of. First off, all of the LDAP traffic is in the clear on the network. Wrapping all of that traffic in SSL would be a good idea; there are a couple of different ways to do that, but they will have to wait for another post. Also, no home directories are created for users. If you expect an Active Directory user to ssh into your FreeBSD box, then you’ll want to create their home directory and give it the correct permissions. There are a couple of PAM modules floating around that support automatic creation of home directories, but as far as I know they haven’t been ported to FreeBSD (see pam_mkhomedir for Solaris and Linux-PAM, which has a Linux version of pam_mkhomedir). Leave a comment if you find (or write) a pam_mkhomedir that works with FreeBSD, and I’ll be happy to include it in this howto.
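Until a pam_mkhomedir port exists, the home directory for an AD user can be created from the account data nss_ldap already returns. The script below is an added example, not the post's own code or a PAM module: it resolves the user through nsswitch with getent, creates the home directory from the passwd entry with the owner and mode 0700 set in a single install(1) call (so it is never briefly world-readable), and copies the FreeBSD skeleton files. HOME_PREFIX and SKEL_DIR are assumed override variables used for dry runs; the default skeleton path /usr/share/skel and its dot.* naming are FreeBSD's.

```shell
#!/bin/sh
# Added example (not from the original post): create a home directory for an
# Active Directory user once nss_ldap can resolve the account. Meant to be run
# as root; HOME_PREFIX and SKEL_DIR are assumed overrides for dry runs.

# Create the home directory named in a passwd(5)-format line
# ("user:pw:uid:gid:gecos:home:shell"), owned by uid:gid with mode 0700,
# and seed it from the skeleton directory. Existing directories are left alone.
make_home_from_entry() {
    entry=$1
    user=$(printf '%s' "$entry" | cut -d: -f1)
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    rawhome=$(printf '%s' "$entry" | cut -d: -f6)
    # Refuse an empty or root home: msSFU30HomeDirectory may be unset in AD.
    case "$rawhome" in
        ""|/) echo "refusing to create home '$rawhome' for $user" >&2; return 1 ;;
    esac
    home=${HOME_PREFIX:-}$rawhome
    if [ -d "$home" ]; then
        echo "$home already exists, leaving it alone"
        return 0
    fi
    # install -d sets owner, group and mode atomically with the creation,
    # unlike mkdir followed by chown/chmod.
    install -d -o "$uid" -g "$gid" -m 0700 "$home" || return 1
    skel=${SKEL_DIR:-/usr/share/skel}
    if [ -d "$skel" ]; then
        # FreeBSD ships the skeleton as dot.cshrc, dot.profile, ...; install
        # each as .cshrc, .profile owned by the new user and readable only by them.
        for f in "$skel"/dot.*; do
            [ -f "$f" ] || continue
            install -o "$uid" -g "$gid" -m 0600 "$f" "$home/.${f##*/dot.}"
        done
    fi
    echo "created $home for $user ($uid:$gid)"
}

# Look the user up through nsswitch (files, then ldap) and create the home.
make_home() {
    entry=$(getent passwd "$1") || { echo "no such user: $1" >&2; return 1; }
    make_home_from_entry "$entry"
}

# Usage: sh mkhome.sh <username> [...]  (one argument per AD user)
for u in "$@"; do
    make_home "$u"
done
```

Since the post's ldap.conf maps homeDirectory to msSFU30HomeDirectory, the path created is whatever was entered on the user's Unix Attributes tab; the script refuses an empty value rather than creating a directory under "/", which is the failure mode to expect for accounts that were given a UID but no home directory.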

10 replies on “Active Directory With nss_ldap And pam_ldap On FreeBSD”

You should change the line:

nss_map_attribute uniquemember posixMember

to:

nss_map_attribute uniquemember msSFU30PosixMember

if you want to have the linux/unix clients get extended group info / unix private groups

Looking at the info for an account via LDAP, I don’t see an attribute called msSFU30PosixMember. For that matter I don’t see an attribute called posixMember either. Hmmmmm.

msSFU30PosixMember seems to be enabled in the AD schema.

I’m not sure if BSD allows for upg’s (aux groups) but it works for me under linux.

‘getent group’ gives

Boxers:x:10000:

to

Boxers:x:10001:mtyson,ehollyfield,rbalboa

‘id mtyson’ gives

uid=10000(mtyson) gid=10000 groups=10000,10001(Boxers)

Hope that helps.

For Linux there is a better alternative for creating home directories, which does not assume PAM authentication is used and is much more transparent to applications, with many more features.

see http://www.intraperson.com/autodir.html

If there is a similar thing like the autofs kernel module in FreeBSD I will come forward to port Autodir to FreeBSD.

[…] One of the most popular posts on this blog is the how to: Active Directory With nss_ldap And pam_ldap On FreeBSD. That was almost a year and half ago and things have changed a bit since then. One of the reasons that I’d recommended using LDAP at the time was because Winbind (part of Samba) was troublesome (at least on FreeBSD) and that there wasn’t an easy way to provide a consistent UID to SID mapping across systems. Since then Winbind seems to be quite stable on FreeBSD and with the idmap_rid option you can easily keep the UID to SID mapping consistent across multiple systems. With the release of FreeBSD 6.0 this month I’m ready to update the steps needed to make FreeBSD use Active Directory (AD) users and groups, this time via Samba (Winbind) instead of LDAP. […]
