
Active Directory With nss_ldap And pam_ldap On FreeBSD

UPDATE Tue 8 Nov 2005 4:05pm: If you are interested in using Active Directory users and groups on FreeBSD please read the updated version of this post: FreeBSD Users and Groups with Samba (Winbind) and Active Directory. The updated version doesn’t have the LDAP requirements that this howto does.


Back in January of I had mentioned using SFU with nss_ldap on FreeBSD on my old blog. Now that I’ve got a couple of fresh Windows 2000 servers with Active Directory and SFU (Windows Services For Unix) I figured now was a good time to write a howto on making FreeBSD use nss_ldap and pam_ldap in conjunction with Active Directory. I’m using Windows 2000, SFU 3.5, FreeBSD 5.2.1-RELEASE, nss_ldap 1.204_5 and pam_ldap 1.6.9 for this write up.

  1. Windows: Have Active Directory up and running. If you are starting from scratch you may want to look at my entry on installing a new Windows 2000 server.
  2. Windows: Have SFU installed, specifically ‘Server for NIS’. Installing that will alter the Active Directory LDAP schema and add a ‘Unix Attributes’ tab to the user properties window.
  3. Windows: Add unix attributes to groups and users that you need to use via nss_ldap.
  4. FreeBSD: Install net/nss_ldap and security/pam_ldap from the FreeBSD ports collection.
  5. FreeBSD: Create the file /usr/local/etc/ldap.conf, add the following (using your own info instead of the example.com info). For lookups and authentication the bind account only needs to read the user and group objects, so a dedicated unprivileged account is a better choice than administrator; whichever account you use, its password sits in this file in cleartext:
    uri ldap://yourldapserver.example.com/
    base dc=example,dc=com
    ldap_version 3
    binddn administrator@example.com
    bindpw AdminPasswordHere
    scope sub
    pam_login_attribute msSFU30Name
    pam_password ad
    nss_base_passwd cn=users,dc=example,dc=com?one
    nss_base_group cn=users,dc=example,dc=com?one
    nss_map_objectclass posixAccount User
    nss_map_attribute uid msSFU30Name
    nss_map_attribute uidNumber msSFU30UidNumber
    nss_map_attribute gidNumber msSFU30GidNumber
    nss_map_attribute loginShell msSFU30LoginShell
    nss_map_attribute gecos name
    nss_map_attribute userPassword msSFU30Password
    nss_map_attribute homeDirectory msSFU30HomeDirectory
    nss_map_objectclass posixGroup Group
    nss_map_attribute uniqueMember posixMember
    nss_map_attribute cn sAMAccountName
    
  6. FreeBSD: Restrict access to /usr/local/etc/ldap.conf with chmod 400 ldap.conf, and make sure the file is owned by root, since it holds the bind password in cleartext.
  7. FreeBSD: Create a symlink for /usr/local/etc/nss_ldap.conf pointing to /usr/local/etc/ldap.conf (ln -s ldap.conf nss_ldap.conf). You can use two different config files, but in this example I’m putting everything in one file.
  8. FreeBSD: Create or edit /etc/nsswitch.conf so that the passwd and group lines read:
    passwd: files ldap
    group: files ldap
    
  9. FreeBSD: In /etc/pam.d add the following line to the service files (in the auth section of each file) that will need to use LDAP authentication; likely targets include sshd, imap, ftpd and others. Put it ahead of the existing pam_unix auth line: sufficient means a successful LDAP authentication ends the auth stack there, while a failure falls through to the local modules.
    auth            sufficient      /usr/local/lib/pam_ldap.so
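
To see what the nss_map_* lines in step 5 actually do, here is a small model of how nss_ldap turns Active Directory entries into passwd and group lines under that configuration. This is an added example, not code from the original howto or from nss_ldap itself; the directory entries are constructed sample data, the DN handling assumes no escaped commas, and the defaults used for absent optional attributes are a simplification of nss_ldap's real behaviour.

```python
"""Model of the passwd/group view nss_ldap builds from AD entries under the
ldap.conf mappings above.  Added example; entries below are constructed."""

LDAP_CONF = """\
base dc=example,dc=com
scope sub
nss_base_passwd cn=users,dc=example,dc=com?one
nss_base_group cn=users,dc=example,dc=com?one
nss_map_objectclass posixAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember posixMember
nss_map_attribute cn sAMAccountName
"""

# Constructed sample entries (attribute values are lists, as LDAP returns them).
ENTRIES = [
    {"dn": "CN=Alice Example,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": ["alice"], "name": ["Alice Example"],
     "msSFU30Name": ["alice"], "msSFU30UidNumber": ["10001"],
     "msSFU30GidNumber": ["10000"], "msSFU30LoginShell": ["/bin/sh"],
     "msSFU30HomeDirectory": ["/home/alice"],
     "msSFU30Password": ["$1$saltsalt$constructedhashvalue"]},
    # Nothing filled in on the 'Unix Attributes' tab: never becomes a posix account.
    {"dn": "CN=Bob Example,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": ["bob"], "name": ["Bob Example"]},
    # Fully populated, but under OU=Staff: outside cn=users with scope 'one'.
    {"dn": "CN=Carol Example,OU=Staff,DC=example,DC=com",
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": ["carol"], "name": ["Carol Example"],
     "msSFU30Name": ["carol"], "msSFU30UidNumber": ["10002"],
     "msSFU30GidNumber": ["10000"], "msSFU30LoginShell": ["/bin/sh"],
     "msSFU30HomeDirectory": ["/home/carol"]},
    {"dn": "CN=unixusers,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "group"],
     "sAMAccountName": ["unixusers"], "msSFU30GidNumber": ["10000"],
     "posixMember": ["CN=Alice Example,CN=Users,DC=example,DC=com",
                     "CN=Carol Example,OU=Staff,DC=example,DC=com"]},
]


def parse_ldap_conf(text):
    """Return (settings, objectclass map, attribute map) from ldap.conf text."""
    settings, oc_map, attr_map = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if key in ("nss_map_objectclass", "nss_map_attribute"):
            std, ad = rest.split(None, 1)
            (oc_map if key == "nss_map_objectclass" else attr_map)[std] = ad.strip()
        else:
            settings[key] = rest
    return settings, oc_map, attr_map


def search_base(settings, key):
    """Split an nss_base_* value 'dn?scope'; fall back to the global base/scope."""
    dn, _, scope = settings.get(key, settings["base"]).partition("?")
    return dn.lower(), (scope or settings.get("scope", "sub")).lower()


def in_scope(dn, base, scope):
    """Would a search with this base and scope return dn?  (No escaped commas.)"""
    dn = dn.lower()
    parent = dn.partition(",")[2]
    if scope == "base":
        return dn == base
    if scope == "one":
        return parent == base
    return dn == base or dn.endswith("," + base)


def get(entry, attr_map, std_name, default=None):
    """Read the AD attribute that nss_map_attribute substitutes for std_name."""
    values = entry.get(attr_map.get(std_name, std_name))
    return values[0] if values else default


def has_class(entry, oc_map, std_class):
    wanted = oc_map.get(std_class, std_class).lower()
    return wanted in (c.lower() for c in entry.get("objectClass", []))


def posix_accounts(entries, conf_text):
    """(dn, passwd fields) for every entry the posixAccount search would return."""
    settings, oc_map, attr_map = parse_ldap_conf(conf_text)
    base, scope = search_base(settings, "nss_base_passwd")
    accounts = []
    for e in entries:
        if not (in_scope(e["dn"], base, scope) and has_class(e, oc_map, "posixAccount")):
            continue
        login, uid, gid = (get(e, attr_map, a) for a in ("uid", "uidNumber", "gidNumber"))
        if not (login and uid and gid):
            continue  # no usable Unix attributes: nss_ldap cannot fill a struct passwd
        accounts.append((e["dn"].lower(), [
            login,
            get(e, attr_map, "userPassword", "*"),  # msSFU30Password hash lands in pw_passwd
            uid, gid,
            get(e, attr_map, "gecos", get(e, attr_map, "cn", login)),
            get(e, attr_map, "homeDirectory", ""),  # defaults here are a simplification
            get(e, attr_map, "loginShell", ""),
        ]))
    return accounts


def build_passwd(entries, conf_text):
    return [":".join(fields) for _, fields in posix_accounts(entries, conf_text)]


def build_group(entries, conf_text):
    """group(5)-style lines; DN-valued members resolve through the passwd map."""
    settings, oc_map, attr_map = parse_ldap_conf(conf_text)
    base, scope = search_base(settings, "nss_base_group")
    login_by_dn = {dn: f[0] for dn, f in posix_accounts(entries, conf_text)}
    member_attr = attr_map.get("uniqueMember", "uniqueMember")
    lines = []
    for e in entries:
        if not (in_scope(e["dn"], base, scope) and has_class(e, oc_map, "posixGroup")):
            continue
        name, gid = get(e, attr_map, "cn"), get(e, attr_map, "gidNumber")
        if not (name and gid):
            continue
        members = [login_by_dn[m.lower()] for m in e.get(member_attr, [])
                   if m.lower() in login_by_dn]  # unresolvable DNs are dropped
        lines.append(":".join([name, "*", gid, ",".join(members)]))
    return lines


if __name__ == "__main__":
    print("\n".join(build_passwd(ENTRIES, LDAP_CONF)))
    print("\n".join(build_group(ENTRIES, LDAP_CONF)))
```

Running it shows only alice as an account and unixusers with alice as its sole member: bob has no Unix attributes, and carol sits outside cn=users, so with scope one she is invisible to nss_ldap and her DN in posixMember cannot be resolved either. Note also that, because userPassword is mapped to msSFU30Password, the crypt hash is copied into the passwd entry that any caller of getpwnam(3) receives.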
    

That’s it, at this point your FreeBSD system should know about Active Directory users and groups and also authenticate those users against Active Directory. You can test it by using finger or id for an Active Directory user that has unix attributes. Remember to include an auth line for pam_ldap in every service that will need to authenticate users.

Even though everything works at this point, there are still a couple of things to be aware of. First, all of the LDAP traffic is in the clear on the network: that includes the bind password from ldap.conf and every user password that pam_ldap sends to Active Directory in a simple bind. Wrapping all of that traffic in SSL would be a good idea, and it is required before password changes will work, since Active Directory only accepts password modifications over an encrypted connection. There are a couple of different ways to do that, but they will have to wait for another post. Also, no home directories are created for users. If you expect an Active Directory user to ssh into your FreeBSD box then you’ll want to create their home directory and give it the correct ownership and permissions. There are a couple of PAM modules floating around that support automatic creation of home directories, but as far as I know they haven’t been ported to FreeBSD (see pam_mkhomedir for Solaris and Linux-PAM, which has a Linux version of pam_mkhomedir). Leave a comment if you find (or write yourself) a pam_mkhomedir that works with FreeBSD, and I’ll be happy to include it in this howto.