mkdir /usr/local/etc/openldap/slapd.d/
cp -v /usr/local/etc/openldap/slapd.ldif.sample /usr/local/etc/openldap/slapd.d/slapd.ldif
Now edit the file slapd.ldif and at least change the following: #
12,13c12,13
< olcArgsFile: /var/db/run/slapd.args
< olcPidFile: /var/db/run/slapd.pid
---
> olcArgsFile: /var/run/openldap/slapd.args
> olcPidFile: /var/run/openldap/slapd.pid
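Review bot: the new olcArgsFile/olcPidFile paths only help if /var/run/openldap exists and is writable by the account slapd runs as; when slapd is started by hand as on this page (/usr/local/libexec/slapd -d1 ...) rather than through the rc script, check for that directory first, otherwise slapd cannot write its pid file and the -d1 run stops with that error.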
because that is where FreeBSD expects openldap to put these files.
WIP #
This does not work yet
# create the configuration database out of the ldif file:
slapadd -n0 -F /usr/local/etc/openldap/slapd.d/ -l /usr/local/etc/openldap/slapd.d/slapd.ldif
# start slapd with debug option to see error messages (CTRL-c if it works)
/usr/local/libexec/slapd -d1 -F /usr/local/etc/openldap/slapd.d/
# /etc/rc.conf.local
slapd_enable="YES"
# the following line makes slapd use slapd.d folder instead of slapd.conf
slapd_cn_config="YES"
This worked #
Edit /usr/local/etc/slapd.conf, add further schema and enable the correct backend:
[...]
include /usr/local/etc/openldap/schema/core.schema
+include /usr/local/etc/openldap/schema/cosine.schema
+include /usr/local/etc/openldap/schema/inetorgperson.schema
+include /usr/local/etc/openldap/schema/nis.schema
[...]
-#moduleload back_mdb
+moduleload back_mdb
[...]
suffix "dc=coderonline,dc=de"
rootdn "cn=Manager,dc=coderonline,dc=de"
[...]
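Review bot: the suffix and rootdn lines at the end of this hunk only take effect inside a database section, and the database mdb line that opens it falls in the elided [...] part; show it together with moduleload back_mdb, since a reader copying only the visible lines ends up loading the backend module without defining a database. Also, rootdn appears without a matching rootpw; if one is added, it should be a slappasswd hash rather than a cleartext value.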
Import the settings from the config file. The background is that the conf format gets converted into an LDAP config entry. This is done by calling:
slapadd -f /usr/local/etc/openldap/slapd.conf
Now activate slapd (and do not set slapd_cn_config, because that would expect the files to live under /usr/local/etc/openldap/slapd.d):
# /etc/rc.conf.local
slapd_enable="YES"
# the following line makes slapd use slapd.d folder instead of slapd.conf
# slapd_cn_config="YES"
Create a test user
If this is the LDIF file max-people-coderonline-de:
dn: cn=max,ou=groups,dc=coderonline,dc=de
objectClass: posixGroup
objectClass: top
gidNumber: 10000
cn: max

dn: uid=max,ou=people,dc=coderonline,dc=de
sn: pohle
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/max
loginShell: /bin/tcsh
userPassword: thisisatest
uid: max
cn: max
Call slapadd -l max-people-coderonline-de to import the user.
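As an added example (not code from this page or from OpenLDAP), the following Python script is a pre-flight check for an LDIF like the one above before handing it to slapadd: it parses the entries, reports MUST attributes of posixAccount/posixGroup that are missing, flags a userPassword that is stored as typed, and re-emits the file with the password in the {SSHA} form (base64 of sha1(password + salt) followed by the salt) that slapd accepts for userPassword. The sample LDIF inside it is a constructed copy of the page's test user; the REQUIRED table lists the MUST attributes of those two nis.schema classes. It assumes plain "attr: value" lines, so base64 "attr:: value" lines are not handled.

```python
"""Pre-flight check for a posixAccount/posixGroup LDIF before slapadd.
Added example for this note, not code from the page or from OpenLDAP:
validates entries, flags cleartext userPassword and rewrites it as {SSHA}."""
import base64
import hashlib
import hmac
import os

# Constructed copy of the page's max-people-coderonline-de file, with the
# blank line LDIF requires between two entries.
SAMPLE_LDIF = """\
dn: cn=max,ou=groups,dc=coderonline,dc=de
objectClass: posixGroup
objectClass: top
gidNumber: 10000
cn: max

dn: uid=max,ou=people,dc=coderonline,dc=de
sn: pohle
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/max
loginShell: /bin/tcsh
userPassword: thisisatest
uid: max
cn: max
"""

# MUST attributes of the two nis.schema classes the page uses.
REQUIRED = {
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "posixGroup": {"cn", "gidNumber"},
}


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values]; entries are
    separated by blank lines, a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # the extra "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def check_entry(entry):
    """Return the list of problems found in one entry ([] means clean)."""
    dn = entry["dn"][0]
    problems = []
    for oc in entry.get("objectClass", []):
        missing = REQUIRED.get(oc, set()) - set(entry)
        if missing:
            problems.append("%s: %s requires %s" % (dn, oc, sorted(missing)))
    for pw in entry.get("userPassword", []):
        if not pw.startswith("{"):        # no {SCHEME} prefix: stored as typed
            problems.append("%s: userPassword stored in cleartext" % dn)
    return problems


def ssha_hash(password, salt=None):
    """Produce an OpenLDAP-style {SSHA} value (4 random salt bytes)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    """Check a password against an {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]     # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def harden_ldif(text):
    """Re-emit the LDIF with every cleartext userPassword hashed as {SSHA}."""
    out = []
    for entry in parse_ldif(text):
        for attr, values in entry.items():
            for value in values:
                if attr == "userPassword" and not value.startswith("{"):
                    value = ssha_hash(value)
                out.append("%s: %s" % (attr, value))
        out.append("")                    # blank line terminates the entry
    return "\n".join(out)
```

Running check_entry over the sample reports the cleartext userPassword of uid=max and nothing else; harden_ldif produces the same file with a {SSHA} value, which is also what slappasswd -h '{SSHA}' -s ... prints if you prefer to hash by hand. Note that the group entry here lives under ou=groups, while the nss_base_group line further down the page uses ou=group; the base DNs in nss_ldap.conf must match the DNs actually present in the directory.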
@TODO: there is also a field called authPassword, which is probably for the NT domain. Further investigation is required.
SSH login with PAM #
Nice-to-have packages (FreeBSD):
pkg install pam_ldap nss_ldap pam_mkhomedir
The first provides the functionality, the second shows user and group names when using ls -l, and the third can be used to automatically create home folders when users log in.
pam_ldap #
Insert into /etc/pam.d/sshd (order matters):
auth sufficient pam_ldap.so no_warn
[...]
session required pam_mkhomedir.so
NSS #
NSS is for uid and gid what DNS is for domains: it translates numbers into names. It is configured in /etc/nsswitch.conf, a colon-separated file with the database name in the first column and space-separated sources in the second. For LDAP we adjust:
-group: compat
+group: files ldap
-passwd: compat
+passwd: files ldap
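Review bot: keeping files before ldap in both lines is the right order, and worth stating explicitly: it lets root and the other local accounts resolve even when slapd is down, so the host stays administrable if the directory is unavailable, whereas ldap files would make every local lookup wait on the directory first.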
and we also want to configure /usr/local/etc/nss_ldap.conf, at least host and base, and perhaps make the base names for users and groups explicit, e.g.
nss_base_passwd ou=people,dc=coderonline,dc=de
nss_base_group ou=group,dc=coderonline,dc=de
which can be tested directly with something like id max if you have a user max.
We check whether it works with ldapsearch:
ldapsearch -b uid=max,ou=people,dc=coderonline,dc=de
cpu - change password utility #
This is a good simplification script to manage user accounts and groups from the command line; it is included in many distributions or available here.
Most important man page #
man cpu-ldap
Most important commands #
cpu cat # list all users and groups similar to /etc/passwd
cpu useradd testuser1 # create user account
cpu usermod testuser1 -p # change password
cpu groupadd testgroup # create a group
cpu groupmod -n test01 # rename group to test01