mkdir /usr/local/etc/openldap/slapd.d/
cp -v /usr/local/etc/openldap/slapd.ldif.sample /usr/local/etc/openldap/slapd.d/slapd.ldif

Now edit the file slapd.ldif and at least change: #

< olcArgsFile: /var/db/run/slapd.args
< olcPidFile: /var/db/run/
> olcArgsFile: /var/run/openldap/slapd.args
> olcPidFile: /var/run/openldap/
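Review bot: the `>` line for olcPidFile ends in a directory (`/var/run/openldap/`), but olcPidFile must name a file, e.g. `olcPidFile: /var/run/openldap/slapd.pid`; slapd cannot write its pid file to a directory path, which would be one reason the slapd.d attempt below "does not work yet". olcArgsFile is fine as written.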

because that is where FreeBSD expects openldap to put these files.


This does not work yet

# create the configuration database out of the ldif file:
slapadd -n0 -F /usr/local/etc/openldap/slapd.d/ -l /usr/local/etc/openldap/slapd.d/slapd.ldif
# start slapd with debug option to see error messages (CTRL-c if it works)
/usr/local/libexec/slapd -d1 -F /usr/local/etc/openldap/slapd.d/
# /etc/rc.conf.local
slapd_enable="YES"
# the following line makes slapd use the slapd.d folder instead of slapd.conf
slapd_cn_config="YES"

This worked #

Edit /usr/local/etc/openldap/slapd.conf, include further schemas and enable the mdb backend:


include         /usr/local/etc/openldap/schema/core.schema
+include  /usr/local/etc/openldap/schema/cosine.schema
+include  /usr/local/etc/openldap/schema/inetorgperson.schema
+include  /usr/local/etc/openldap/schema/nis.schema


-#moduleload      back_mdb
+moduleload      back_mdb


suffix          "dc=coderonline,dc=de"
rootdn          "cn=Manager,dc=coderonline,dc=de"
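Review bot: `moduleload back_mdb` only loads the module; the file must also contain a `database mdb` section with a `directory` line for the backend to be used, and the fragment shows `rootdn cn=Manager` without a matching `rootpw`. Without a rootpw (or an actual cn=Manager entry carrying a userPassword) nothing can bind as the rootdn, and if the sample file's placeholder rootpw is left in place, anyone who reads it can. Set `rootpw` to the `{SSHA}` string printed by `slappasswd` and keep slapd.conf readable by the ldap user only.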


Point slapadd at this config with -f. Note that as long as slapd_cn_config is not set, slapd reads slapd.conf directly; the conversion of the conf format into cn=config LDIF entries under slapd.d is what slaptest -f slapd.conf -F slapd.d would do, not slapadd. Without -l, slapadd reads the LDIF to import from stdin (end it with CTRL-d), so this call mainly checks that the config parses:

slapadd -f /usr/local/etc/openldap/slapd.conf

Now activate slapd (and do not set slapd_cn_config, because that would expect the configuration to live under /usr/local/etc/openldap/slapd.d):

# /etc/rc.conf.local
slapd_enable="YES"
# the following line would make slapd use the slapd.d folder instead of slapd.conf
# slapd_cn_config="YES"

Create a test user

If this is the LDIF-file max-people-coderonline-de (the suffix entry and the two organizational units have to be added before the group and the user, otherwise slapadd refuses the child entries because their parent does not exist):

dn: dc=coderonline,dc=de
objectClass: top
objectClass: dcObject
objectClass: organization
dc: coderonline
o: coderonline

dn: ou=people,dc=coderonline,dc=de
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=coderonline,dc=de
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=max,ou=groups,dc=coderonline,dc=de
objectClass: posixGroup
objectClass: top
gidNumber: 10000
cn: max

dn: uid=max,ou=people,dc=coderonline,dc=de
sn: pohle
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/max
loginShell: /bin/tcsh
# cleartext is only acceptable for this test; for real accounts store the
# {SSHA} hash printed by: slappasswd -s thisisatest
userPassword: thisisatest
uid: max
cn: max

Call slapadd -l max-people-coderonline-de to import the entries. slapadd writes to the database files directly, so stop slapd while running it, and either run it as the ldap user or chown the database directory back to ldap afterwards, otherwise slapd cannot open the files it did not create itself.

@TODO: there is also an attribute called authPassword. It is not NT-domain specific but the RFC 3112 attribute for a hashed password with an explicit scheme, salt and hash value; which one slapd actually checks on bind (userPassword or authPassword) and whether pam_ldap/nss_ldap need it still has to be investigated.
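Added example, not part of the original notes: a small POSIX sh script that produces {SSHA} hashes in the format slappasswd and slapd use (so userPassword does not have to be stored in cleartext as in the LDIF above), verifies a password against such a hash, and prints a complete posixAccount LDIF entry for the same DIT (ou=people,dc=coderonline,dc=de). The helper names ssha_hash, ssha_verify and user_ldif are my own; the script assumes openssl, dd, tail, cmp and mktemp are available on the host.

```shell
#!/bin/sh
# Added example (not from the original notes): generate and verify {SSHA}
# password hashes as slapd/slappasswd store them, so the userPassword in an
# LDIF can carry a salted SHA-1 hash instead of the cleartext test value.
# Format: "{SSHA}" + base64( sha1(password || salt) || salt ), salt = 4 bytes.
# Dependencies assumed: openssl, dd, tail, cmp, mktemp (all on FreeBSD base + openssl).

# ssha_hash PASSWORD
# Prints the {SSHA} string with a fresh random 4-byte salt,
# equivalent to `slappasswd -h {SSHA} -s PASSWORD`.
ssha_hash() {
    pw=$1
    tmp=$(mktemp -d) || return 1
    openssl rand 4 > "$tmp/salt"
    # SHA-1 over password followed by the raw salt bytes
    { printf '%s' "$pw"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary > "$tmp/digest"
    printf '{SSHA}%s\n' "$(cat "$tmp/digest" "$tmp/salt" | openssl base64 -A)"
    rm -rf "$tmp"
}

# ssha_verify HASH PASSWORD
# Returns 0 if PASSWORD matches HASH, 1 otherwise. The salt is whatever follows
# the 20-byte SHA-1 digest after base64 decoding, so any salt length verifies.
ssha_verify() {
    stored_hash=$1 pw=$2
    case $stored_hash in
        "{SSHA}"*) ;;
        *) return 1 ;;   # not an SSHA value, refuse rather than guess
    esac
    tmp=$(mktemp -d) || return 1
    printf '%s' "${stored_hash#"{SSHA}"}" | openssl base64 -d -A > "$tmp/raw"
    dd if="$tmp/raw" of="$tmp/stored" bs=1 count=20 2>/dev/null   # first 20 bytes: digest
    tail -c +21 "$tmp/raw" > "$tmp/salt"                            # the rest: salt
    { printf '%s' "$pw"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary > "$tmp/computed"
    if cmp -s "$tmp/stored" "$tmp/computed"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# user_ldif UID UIDNUMBER GIDNUMBER SURNAME PASSWORD
# Prints a posixAccount entry under ou=people,dc=coderonline,dc=de with a hashed
# userPassword, ready for `slapadd -l` or `ldapadd -x -D cn=Manager,... -W`.
user_ldif() {
    cat <<EOF
dn: uid=$1,ou=people,dc=coderonline,dc=de
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
cn: $1
sn: $4
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/tcsh
userPassword: $(ssha_hash "$5")
EOF
}

# Demo with the test account from the notes.
h=$(ssha_hash thisisatest)
if ssha_verify "$h" thisisatest; then
    echo "hash verifies: $h"
fi
user_ldif max 10000 10000 pohle thisisatest
```

Every run yields a different hash for the same password because the salt is random; that is intended, and ssha_verify recovers the salt from the stored value. The same verification logic is what slapd performs on a simple bind against a {SSHA} userPassword.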

SSH login with PAM #

Nice to have packages (FreeBSD):

pkg install pam_ldap nss_ldap pam_mkhomedir

The first provides the login functionality, the second makes user and group names resolvable (so that ls -l shows names instead of numeric ids), and the third can be used to create home directories automatically when users log in for the first time.

pam_ldap #

insert into /etc/pam.d/sshd (order matters: the pam_ldap line goes into the auth section before the pam_unix line, so that an LDAP user is accepted there; the pam_mkhomedir line goes into the session section). pam_ldap reads its server and search base from /usr/local/etc/ldap.conf:

# auth section, before pam_unix.so
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn

# session section
session         required        /usr/local/lib/pam_mkhomedir.so


NSS is for uids and gids what DNS is for hostnames: it translates numbers into names and back. It is configured in /etc/nsswitch.conf, a colon separated file with the database name in the first column and space separated sources in the second. For LDAP we adjust

-group: compat
+group: files ldap
-passwd: compat
+passwd: files ldap
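Review bot: keep `files` before `ldap` exactly as the `+` lines do, so root and other local accounts still resolve (and logins still work) while slapd is down or unreachable. Since every passwd and group lookup will now also hit the directory, set a bind policy and time limit in nss_ldap.conf (`bind_policy soft`, `bind_timelimit`) so that a dead LDAP server does not make ls -l or login hang for minutes.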

and we also want to configure /usr/local/etc/nss_ldap.conf, at least host and base, and perhaps make the search bases for users and groups explicit (they have to match the ou entries in the directory, ou=people and ou=groups in the LDIF above), e.g.

host 127.0.0.1              # assumes slapd runs on the same machine
base dc=coderonline,dc=de
nss_base_passwd ou=people,dc=coderonline,dc=de
nss_base_group  ou=groups,dc=coderonline,dc=de

which can be tested directly with id max once the user max exists.

The directory itself can be queried with ldapsearch (-x for a simple anonymous bind; server and base default to what /usr/local/etc/openldap/ldap.conf says, or pass -H and -b explicitly):

ldapsearch -x -b uid=max,ou=people,dc=coderonline,dc=de

cpu - Change Password Utility #

This is a handy wrapper script for managing user accounts and groups in LDAP from the command line with useradd-style commands. It is included in many distributions or available from its project page.

Most important man page #

man cpu-ldap

Most important commands #

cpu cat                            # list all users and groups, similar to /etc/passwd

cpu useradd testuser1              # create a user account
cpu usermod testuser1 -p           # change its password

cpu groupadd testgroup             # create a group
cpu groupmod -n test01 testgroup   # rename group testgroup to test01