To set up a basic LDAP server with Unix user management, we will need the following:
- OpenLDAP as the LDAP server
- ldapscripts to manage Unix users in LDAP
Assumptions
- Your company domain is awesome.com
- Your LDAP server sits at ldap.awesome.com
Installing LDAP
pkg install openldap26-server
Please keep in mind that the version may change in the future, e.g. openldap27-server. You can run pkg search openldap to find the latest version.
Configuring LDAP
Start by modifying /usr/local/etc/openldap/ldap.conf, and use the following inside:
BASE dc=awesome,dc=com
URI ldap://ldap.awesome.com
Next, edit /usr/local/etc/openldap/slapd.conf and modify/set the following:
- Append the following after core.schema:
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
- Uncomment moduleload back_ldap
- Set a root password for the config database:
rootpw VerySecretAutoGeneratedPassword
- Set the suffix and rootdn for the mdb database:
suffix "dc=awesome,dc=com"
rootdn "cn=admin,dc=awesome,dc=com"
- Set the root password for the mdb database using the slappasswd utility:
rootpw {SSHA}TheOutputOfSlapPasswd
Finally, edit /usr/local/etc/openldap/slapd.ldif and modify the following inside:
- Set olcSuffix and olcRootDN:
olcSuffix: dc=awesome,dc=com
olcRootDN: cn=admin,dc=awesome,dc=com
- Set olcRootPW:
olcRootPW: {SSHA}TheOutputOfSlapPasswd
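Both slapd.conf and slapd.ldif now carry root credentials, and slapd accepts them either as cleartext or as a slappasswd hash. The script below is an added example, not part of this page or of OpenLDAP: it flags every rootpw/olcRootPW value that is not stored as a {SCHEME}hash and checks that the file is not readable by group or other. The sample file it audits is constructed from the page's own values; the function names are this example's.

```shell
#!/bin/sh
# Added example (not from the page): audit a slapd.conf or slapd.ldif for
# root passwords stored in cleartext and for a config file readable by
# other users. The sample file below is constructed from the page's values.

# Print every rootpw / olcRootPW value that is not a {SCHEME}hash.
# slapd accepts a cleartext value here, but a hash produced by slappasswd
# limits what a leaked config file reveals. Returns 1 if anything was found.
audit_rootpw() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        $1 == "rootpw" || $1 == "olcRootPW:" {
            if ($2 !~ /^[{][A-Za-z0-9-]+[}]/) {   # no {SSHA}/{CRYPT}... prefix
                print FILENAME ":" NR ": " $1 " is not hashed"
                bad++
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# The file holds the root password, so only the slapd user should read it.
# Columns 5-10 of ls -l are the group and other bits on both BSD and GNU ls.
audit_perms() {
    bits=$(ls -ld "$1" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "$1: accessible to group or other (mode bits: $bits)"
        return 1
    fi
    return 0
}

# Usage: audit_slapd_config /usr/local/etc/openldap/slapd.conf
audit_slapd_config() {
    status=0
    audit_rootpw "$1" || status=1
    audit_perms "$1" || status=1
    return $status
}

# Demo on a constructed slapd.conf fragment using the page's sample values:
# the config database password is cleartext and the file is world-readable,
# so both checks report a finding.
sample=$(mktemp)
cat > "$sample" <<'EOF'
database config
rootpw VerySecretAutoGeneratedPassword

database mdb
suffix "dc=awesome,dc=com"
rootdn "cn=admin,dc=awesome,dc=com"
rootpw {SSHA}TheOutputOfSlapPasswd
EOF
chmod 644 "$sample"
if audit_slapd_config "$sample"; then echo "ok"; else echo "fix the findings above"; fi
rm -f "$sample"
```

Run it against the real files after editing them; the same function works for slapd.ldif because it also matches the olcRootPW attribute.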
Installing LDAPScripts
LDAPScripts is a collection of scripts to manage POSIX accounts in an OpenLDAP directory.
pkg install ldapscripts
Configuring LDAPScripts
Edit file /usr/local/etc/ldapscripts/ldapscripts.conf and modify the following:
- Set SERVER:
SERVER="ldap://ldap.awesome.com"
- Set SUFFIX:
SUFFIX="dc=awesome,dc=com"
- Set BINDDN:
BINDDN="cn=admin,dc=awesome,dc=com"
- (Personal preference) Start the UID from 10000, GID from 15000, MID from 20000:
GIDSTART="15000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID
- Set the home directory and default shell. If you're planning on using NFS-mounted home directories, make sure that you modify UHOMES as needed.
- Fix PASSWORDGEN, as some FreeBSD versions don't run it properly without env:
PASSWORDGEN="cat /dev/urandom | env LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c18"
- Set the correct path of iconv and the charset:
ICONVBIN="/usr/bin/iconv"
ICONVCHAR="ISO-8859-15"
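Before running ldapinit it is worth confirming that the id ranges above do not collide with accounts already in /etc/passwd and /etc/group, and that the PASSWORDGEN pipeline really does produce what ldapscripts expects. The script below is an added example, not from this page or the ldapscripts project; it parses KEY="value" lines the way the config above is written, evaluates PASSWORDGEN (as ldapscripts itself does, so only point it at a config file you trust) and checks for local ids inside the LDAP ranges. The conf and passwd/group samples are constructed, and the 5000-wide id window is this example's assumption, taken from the page's 10000/15000/20000 spacing.

```shell
#!/bin/sh
# Added example (not from the page or the ldapscripts project): sanity checks
# to run on ldapscripts.conf before ldapinit. The conf, passwd and group
# samples below are constructed; the 5000-wide id window mirrors the page's
# 10000/15000/20000 spacing and is an assumption of this example.

# Read one KEY="value" setting from an ldapscripts.conf-style file, ignoring
# comment lines and trailing "# ..." remarks. Usage: conf_get FILE KEY
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            v = substr($0, index($0, "=") + 1)
            # keep only the text between the first pair of double quotes
            if (match(v, /"[^"]*"/)) v = substr(v, RSTART + 1, RLENGTH - 2)
            print v
            exit
        }' "$1"
}

# Run the configured PASSWORDGEN pipeline and confirm that it yields 18
# characters from [a-zA-Z0-9]. Without LC_ALL=C, tr can choke on random
# bytes under a UTF-8 locale, which is the failure the page works around.
check_passwordgen() {
    pw=$(eval "$(conf_get "$1" PASSWORDGEN)") || return 1
    [ "${#pw}" -eq 18 ] || return 1
    case "$pw" in
        *[!a-zA-Z0-9]*) return 1 ;;
    esac
    return 0
}

# List entries of a passwd- or group-style file whose numeric id (field 3)
# falls inside [LO, HI]; returns 1 if any do. Usage: ids_in_range FILE LO HI
ids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" '
        $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3; n++ }
        END { exit n ? 1 : 0 }' "$1"
}

# Check that the LDAP UID and GID ranges do not overlap local accounts.
# Usage: check_id_ranges CONF PASSWD_FILE GROUP_FILE
check_id_ranges() {
    uidstart=$(conf_get "$1" UIDSTART)
    gidstart=$(conf_get "$1" GIDSTART)
    ok=0
    ids_in_range "$2" "$uidstart" $((uidstart + 4999)) || { echo "local uid inside the LDAP uid range"; ok=1; }
    ids_in_range "$3" "$gidstart" $((gidstart + 4999)) || { echo "local gid inside the LDAP gid range"; ok=1; }
    return $ok
}

# Demo with a constructed conf (the page's values) and constructed local files.
conf=$(mktemp); passwd=$(mktemp); group=$(mktemp)
cat > "$conf" <<'EOF'
SERVER="ldap://ldap.awesome.com"
SUFFIX="dc=awesome,dc=com"
BINDDN="cn=admin,dc=awesome,dc=com"
GIDSTART="15000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID
PASSWORDGEN="cat /dev/urandom | env LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c18"
EOF
printf 'root:*:0:0:Charlie &:/root:/bin/sh\nalice:*:1001:1001:Alice:/home/alice:/bin/sh\nnobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin\n' > "$passwd"
printf 'wheel:*:0:root\nalice:*:1001:\nnogroup:*:65533:\n' > "$group"
check_passwordgen "$conf" && echo "PASSWORDGEN ok"
check_id_ranges "$conf" "$passwd" "$group" && echo "id ranges ok"
rm -f "$conf" "$passwd" "$group"
```

On a real host, pass /usr/local/etc/ldapscripts/ldapscripts.conf, /etc/passwd and /etc/group instead of the constructed files.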
Done!
We can finally initialize the LDAP directory with Unix data by running
ldapinit
pingable?
Make sure that ldap.awesome.com is reachable via ICMP. You can check by running ping -t4 ldap.awesome.com. If you haven't configured DNS yet, you may want to modify /etc/hosts.
Using LDAPScripts
Say we want to have a group named admins for administrators and a user named john who should be a member of admins.
ldapaddgroup admins
ldapaddgroup john 10000
ldapadduser john john
ldapaddusertogroup john admins
And we can check by using ldapid:
# ldapid john
uid=10000(john) gid=10000(john) groups=10000(john),15000(admins)
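To see what those four commands actually put into the directory, and why cosine.schema and nis.schema had to be included, here is an added example (not from this page or from ldapscripts) that writes the LDIF for a posixGroup (nis.schema), a posixAccount with the account class (cosine.schema) and the memberUid modify that ldapaddusertogroup performs, then derives ldapid-style output from such entries. The ou=Users and ou=Groups containers are ldapscripts' default USUFFIX/GSUFFIX, assumed unchanged here; the entries are minimal constructed ones, not the exact templates ldapscripts uses.

```shell
#!/bin/sh
# Added example (not from the page or ldapscripts): the LDIF behind a POSIX
# group and user, and a resolver that turns such entries into ldapid-style
# output. ou=Users/ou=Groups are ldapscripts' default USUFFIX/GSUFFIX (assumed
# unchanged); all data below is constructed.

USUFFIX="ou=Users"
GSUFFIX="ou=Groups"

# posix_group_ldif NAME GID BASE [MEMBER...]   (posixGroup comes from nis.schema)
posix_group_ldif() {
    name=$1; gid=$2; base=$3; shift 3
    printf 'dn: cn=%s,%s,%s\n' "$name" "$GSUFFIX" "$base"
    printf 'objectClass: top\nobjectClass: posixGroup\n'
    printf 'cn: %s\ngidNumber: %s\n' "$name" "$gid"
    for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
    printf '\n'
}

# posix_user_ldif NAME UID GID BASE [HOME] [SHELL]
# (account is from cosine.schema, posixAccount from nis.schema)
posix_user_ldif() {
    name=$1; uid=$2; gid=$3; base=$4
    home=${5:-/home/$name}; shell=${6:-/bin/sh}
    printf 'dn: uid=%s,%s,%s\n' "$name" "$USUFFIX" "$base"
    printf 'objectClass: top\nobjectClass: account\nobjectClass: posixAccount\n'
    printf 'cn: %s\nuid: %s\nuidNumber: %s\ngidNumber: %s\n' "$name" "$name" "$uid" "$gid"
    printf 'homeDirectory: %s\nloginShell: %s\n\n' "$home" "$shell"
}

# add_member_ldif GROUP USER BASE: the modify operation ldapaddusertogroup sends
add_member_ldif() {
    printf 'dn: cn=%s,%s,%s\nchangetype: modify\nadd: memberUid\nmemberUid: %s\n\n' "$1" "$GSUFFIX" "$3" "$2"
}

# ldapid_from_ldif USER LDIF_FILE: print "uid=N(user) gid=N(group) groups=..."
# from a file of posixAccount/posixGroup entries (blank-line separated records).
# Secondary groups are listed in awk's array iteration order.
ldapid_from_ldif() {
    awk -v user="$1" '
        BEGIN { RS = ""; FS = "\n" }
        {
            split("", a); members = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, ": ")
                if (kv[1] == "memberUid") members = members " " kv[2]
                else a[kv[1]] = kv[2]
            }
            if ($0 ~ /(^|\n)objectClass: posixGroup(\n|$)/) {
                gname[a["gidNumber"]] = a["cn"]
                if (index(" " members " ", " " user " "))
                    extra[a["gidNumber"]] = a["cn"]
            } else if (a["uid"] == user) {
                uidn = a["uidNumber"]; gidn = a["gidNumber"]
            }
        }
        END {
            if (uidn == "") exit 1
            out = "uid=" uidn "(" user ") gid=" gidn "(" gname[gidn] ") groups=" gidn "(" gname[gidn] ")"
            for (g in extra) if (g != gidn) out = out "," g "(" extra[g] ")"
            print out
        }' "$2"
}

# Demo: a snapshot of the three entries the page's commands create.
base="dc=awesome,dc=com"
snapshot=$(mktemp)
{
    posix_group_ldif admins 15000 "$base" john   # state after ldapaddusertogroup john admins
    posix_group_ldif john 10000 "$base"          # ldapaddgroup john 10000
    posix_user_ldif john 10000 10000 "$base"     # ldapadduser john john
} > "$snapshot"
ldapid_from_ldif john "$snapshot"   # uid=10000(john) gid=10000(john) groups=10000(john),15000(admins)
add_member_ldif admins john "$base"
rm -f "$snapshot"
```

The resolver reproduces the ldapid line shown above from the entries alone, which is a handy way to sanity-check what an ldapsearch export of ou=Users and ou=Groups should resolve to.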
Next Steps
Next, you might want to:
TODO
* Add SSL/TLS Encryption.