UPDATE Tue 8 Nov 2005 4:05pm: If you are interested in using Active Directory users and groups on FreeBSD please read the updated version of this post: FreeBSD Users and Groups with Samba (Winbind) and Active Directory. This updated version doesn’t have the LDAP requirements that this how to does.
Back in January of I had mentioned using SFU with nss_ldap on FreeBSD on my old blog. Now that I’ve got a couple of fresh Windows 2000 servers with Active Directory and SFU (Windows Services For Unix) I figured now was a good time to write a howto on making FreeBSD use nss_ldap and pam_ldap in conjunction with Active Directory. I’m using Windows 2000, SFU 3.5, FreeBSD 5.2.1-RELEASE, nss_ldap 1.204_5 and pam_ldap 1.6.9 for this write up.
- Windows: Have Active Directory up and running. If you are starting from scratch you may want to look at my entry on installing a new Windows 2000 server.
- Windows: Have SFU installed, specifically ‘Server for NIS’. Installing that will alter the Active Directory LDAP schema and add a ‘Unix Attributes’ tab to the user properties window.
- Windows: Add unix attributes to groups and users that you need to use via nss_ldap.
- FreeBSD: Install net/nss_ldap and security/pam_ldap from the FreeBSD ports collection.
- FreeBSD: Create the file /usr/local/etc/ldap.conf, add the following (using your own info instead of the example.com info):

    uri ldap://yourldapserver.example.com/
    base dc=example,dc=com
    ldap_version 3
    binddn administrator@example.com
    bindpw AdminPasswordHere
    scope sub
    pam_login_attribute msSFU30Name
    pam_password ad
    nss_base_passwd cn=users,dc=example,dc=com?one
    nss_base_group cn=users,dc=example,dc=com?one
    nss_map_objectclass posixAccount User
    nss_map_attribute uid msSFU30Name
    nss_map_attribute uidNumber msSFU30UidNumber
    nss_map_attribute gidNumber msSFU30GidNumber
    nss_map_attribute loginShell msSFU30LoginShell
    nss_map_attribute gecos name
    nss_map_attribute userPassword msSFU30Password
    nss_map_attribute homeDirectory msSFU30HomeDirectory
    nss_map_objectclass posixGroup Group
    nss_map_attribute uniqueMember posixMember
    nss_map_attribute cn sAMAccountName

- FreeBSD: Restrict access to /usr/local/etc/ldap.conf with chmod 400 ldap.conf.
- FreeBSD: Create a symlink for /usr/local/etc/nss_ldap.conf pointing to /usr/local/etc/ldap.conf (ln -s ldap.conf nss_ldap.conf). You can use two different config files, but in this example I’m putting everything in one file.
- FreeBSD: Create the file /etc/nsswitch.conf, add the following:

    passwd: files ldap
    group: files ldap

- FreeBSD: In /etc/pam.d add the following line to the service files (in the auth section of each file) that will need to use ldap authentication; likely targets would include sshd, imap, ftpd and other.

    auth sufficient /usr/local/lib/pam_ldap.so
That’s it, at this point your FreeBSD system should know about Active Directory users and groups and also authenticate those users against Active Directory. You can test it by using finger or id for an Active Directory user that has unix attributes. Remember to include an auth line for pam_ldap in every service that will need to authenticate users.
Even though everything works at this point, there are still a couple of things to be aware of. First off, all of the ldap traffic is in the clear on the network. Wrapping up all of that traffic in SSL would be a good idea. There are a couple of different ways to do that, that will have to wait for another post though. Also, there are no home directories created for users. If you expect an Active Directory user to ssh into your FreeBSD box then you’ll want to create their home directory and give it correct permissions. There are a couple of pam modules floating around that support automatic creation of home directories, but as far as I know they haven’t been ported to FreeBSD (see pam_mkhomedir for Solaris and Linux-PAM which has a linux version of pam_mkhomedir). Leave a comment if you find (or do it yourself) a pam_mkhomedir that works with FreeBSD, I’ll be happy to include it in this howto.
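As an added check (my own example, not part of the original howto), here is a small POSIX shell function that audits an ldap.conf like the one above for the points just raised: a cleartext ldap:// uri, a bindpw sitting in a file that group or other can read, and, as an assumption on my part about least privilege rather than anything the post requires, a binddn that is the domain administrator when lookups only need read access. The function name and the mktemp-based test files are mine; it runs on both FreeBSD sh and bash.

```shell
#!/bin/sh
# Added example (not from the original howto): audit an nss_ldap/pam_ldap
# ldap.conf for the three issues discussed in the post.
# Usage: audit_ldap_conf /usr/local/etc/ldap.conf
# Exit status is the number of findings (0 = clean, 99 = unreadable file).

audit_ldap_conf() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 99; }

    # 1. ldap:// means binds and lookups cross the network in the clear;
    #    ldaps:// (LDAP over SSL) is the wrapping the post defers to a later write-up.
    uri=$(awk '$1 == "uri" { print $2 }' "$conf")
    case "$uri" in
        ldaps://*) ;;
        ldap://*)  echo "WARN: uri $uri is cleartext; consider ldaps://"
                   findings=$((findings + 1)) ;;
        *)         echo "WARN: no uri directive found"
                   findings=$((findings + 1)) ;;
    esac

    # 2. bindpw stores a directory password on disk. The post says chmod 400;
    #    flag the file if any group/other read or write bit is still set.
    #    (-perm -g+r style symbolic modes work in both BSD and GNU find.)
    if grep -q '^bindpw' "$conf"; then
        if [ -n "$(find "$conf" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \))" ]; then
            echo "WARN: $conf holds bindpw but is group/other accessible (chmod 400 it)"
            findings=$((findings + 1))
        fi
    fi

    # 3. Assumption: NSS/PAM lookups only need read access to the directory, so a
    #    dedicated low-privilege bind account limits what a leaked bindpw can do.
    binddn=$(awk '$1 == "binddn" { print tolower($2) }' "$conf")
    case "$binddn" in
        administrator*|*cn=administrator*)
            echo "WARN: binddn '$binddn' is the domain administrator; use a read-only account"
            findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# Run directly with a path argument to audit a real file.
if [ $# -gt 0 ]; then
    audit_ldap_conf "$1"
fi
```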
10 replies on “Active Directory With nss_ldap And pam_ldap On FreeBSD”
re: Integrating Unix and Windows systems – authentication and authorization via Kerberos and LDAP
anyone got this working with Windows 2003?
You should change the line:
nss_map_attribute uniquemember posixMember
to:
nss_map_attribute uniquemember msSFU30PosixMember
if you want to have the linux/unix clients get extended group info / unix private groups
Looking at the info for an account via LDAP, I don’t see an attribute called msSFU30PosixMember. For that matter I don’t see an attribute called posixMember either. Hmmmmm.
msSFU30PosixMember seems to be enabled in the AD schema.
I’m not sure if BSD allows for upg’s (aux groups) but it works for me under linux.
‘getent group’ gives
Boxers:x:10000:
to
Boxers:x:10001:mtyson,ehollyfield,rbalboa
‘id mtyson’ gives
uid=10000(mtyson) gid=10000 groups=10000,10001(Boxers)
Hope that helps.
For Linux there is a better alternative for creating home directories, which does not assume PAM authentication is used and is much more transparent to applications, with many more features.
see http://www.intraperson.com/autodir.html
If there is a similar thing like the autofs kernel module in FreeBSD I will come forward to port Autodir to FreeBSD.
Information on a patch for the Linux PAM module for use on FreeBSD can be found at
http://lists.freebsd.org/pipermail/freebsd-questions/2003-October/021555.html
Works fine here (5.2.1-RELEASE)
[…] One of the most popular posts on this blog is the how to: Active Directory With nss_ldap And pam_ldap On FreeBSD. That was almost a year and half ago and things have changed a bit since then. One of the reasons that I’d recommended using LDAP at the time was because Winbind (part of Samba) was troublesome (at least on FreeBSD) and that there wasn’t an easy way to provide a consistent UID to SID mapping across systems. Since then Winbind seems to be quite stable on FreeBSD and with the idmap_rid option you can easily keep the UID to SID mapping consistent across multiple systems. With the release of FreeBSD 6.0 this month I’m ready to update the steps needed to make FreeBSD use Active Directory (AD) users and groups, this time via Samba (Winbind) instead of LDAP. […]
There is now a FreeBSD port of pam_mkhomedir.