====== LDAP Client at FreeBSD ======
http://www.weithenn.idv.tw/cgi-bin/wiki.pl
http://mail.lsps.tp.edu.tw/~gsyan/freebsd2001/pam_ldap.html
===== Authenticating users through PAM =====
==== install ====
Install nss_ldap, pam_ldap and pam_mkhomedir
# cd /usr/ports/net/nss_ldap/
# make install clean
# cd /usr/ports/security/pam_ldap
# make install clean
# cd /usr/ports/security/pam_mkhomedir
# make install clean
==== configure ====
Copy the LDAP configuration file and create the nss_ldap configuration file; both files use the same format, so the second is a symlink to the first
# cd /usr/local/etc
# cp ldap.conf.dist ldap.conf
# ln -s ldap.conf nss_ldap.conf
Edit the LDAP configuration file
host ldap.server
base dc=padl,dc=com
bind_timelimit 5
bind_policy soft
pam_password clear
nss_base_passwd ou=People,dc=padl,dc=com?one
nss_base_group ou=Group,dc=padl,dc=com?one
==== nsswitch.conf ====
/etc/nsswitch.conf
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
==== pam.d ====
/etc/pam.d/ defines which services authenticate through PAM
=== sshd ===
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass # add pam_ldap
auth required pam_unix.so no_warn try_first_pass
session required /usr/local/lib/pam_mkhomedir.so # automatically create the home directory
session required pam_permit.so
=== system ===
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
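The order and control flags in the sshd and system auth stacks above decide which module actually authenticates a user and when the chain stops. The following added example (not part of the original page) is a small model of the PAM control-flag semantics from pam.conf(5) applied to the two stacks as written; the module outcomes for each scenario are constructed, and the simplified rules (required records a failure and continues, requisite fails immediately, sufficient ends the chain on success unless an earlier required module failed) are an assumption of this model, not the real libpam.

```python
"""Model of PAM control-flag evaluation for the auth stacks on this page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    control: str  # required | requisite | sufficient | optional
    module: str   # basename of the module, e.g. pam_ldap


# The 'auth' lines of /etc/pam.d/sshd above (commented-out lines omitted).
SSHD_AUTH = [
    Rule("required", "pam_nologin"),
    Rule("sufficient", "pam_opie"),
    Rule("requisite", "pam_opieaccess"),
    Rule("sufficient", "pam_ldap"),
    Rule("required", "pam_unix"),
]

# The 'auth' lines of /etc/pam.d/system above.
SYSTEM_AUTH = [
    Rule("sufficient", "pam_opie"),
    Rule("requisite", "pam_opieaccess"),
    Rule("sufficient", "pam_ldap"),
    Rule("required", "pam_unix"),
]


def run_stack(stack, results):
    """Evaluate a chain of rules.

    `results` maps module name -> True (success) or False (failure);
    modules absent from the map are treated as failing (assumption:
    e.g. pam_opie with no OTP configured for the user).
    Returns (authenticated, trace) where trace lists the modules that
    were actually consulted, in order, with their outcome.
    """
    required_failed = False
    trace = []
    for rule in stack:
        ok = results.get(rule.module, False)
        trace.append((rule.module, ok))
        if rule.control == "requisite" and not ok:
            return False, trace          # stop at once
        if rule.control == "required" and not ok:
            required_failed = True       # remember, but keep going
        if rule.control == "sufficient" and ok and not required_failed:
            return True, trace           # chain ends successfully
        # 'optional' results are ignored
    return (not required_failed), trace


def consulted(stack, results):
    """Names of the modules that ran, in order (helper for the scenarios)."""
    return [module for module, _ in run_stack(stack, results)[1]]


# Constructed scenarios.
LDAP_USER = {"pam_nologin": True, "pam_opieaccess": True, "pam_ldap": True}
LOCAL_USER = {"pam_nologin": True, "pam_opieaccess": True, "pam_unix": True}
NOLOGIN_PRESENT = {"pam_opieaccess": True, "pam_ldap": True, "pam_unix": True}
OPIEACCESS_DENIED = {"pam_nologin": True, "pam_ldap": True}

if __name__ == "__main__":
    for name, outcome in [("ldap user", LDAP_USER), ("local user", LOCAL_USER),
                          ("nologin present", NOLOGIN_PRESENT),
                          ("opieaccess denied", OPIEACCESS_DENIED)]:
        ok, trace = run_stack(SSHD_AUTH, outcome)
        print(f"sshd/{name}: {'success' if ok else 'failure'} via {trace}")
```

Running the model shows why pam_ldap is placed before pam_unix with try_first_pass: for an LDAP account the chain ends at pam_ldap and pam_unix is never consulted, while a local-only account fails pam_ldap and falls through to pam_unix with the same password. It also shows that pam_nologin, being required, makes the final result a failure even though a later sufficient pam_ldap succeeds, and that a failing requisite pam_opieaccess stops the chain before any password module runs.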
===== Future =====
pam_mkhomedir does not seem to work on FreeBSD 6; it needs to be patched by hand......
How to handle it: [[freebsd:pam_mkhomedir]]