Openldap and Multi-Master Replication in FreeBSD – Part IV: Name Server Switch Setup


Name Server Switch using nss-pam-ldapd:

In Part IV, nss-pam-ldapd and /etc/nsswitch.conf are configured so that the OpenLDAP server can answer the user account, group and similar lookups that would normally be served from /etc/passwd, /etc/group, or NIS.

The decision to use the nss-pam-ldapd port in lieu of nss_ldap was one of personal preference.  In the author's opinion, having the nss, pam, and ldap code separated has presented fewer problems, and having the nslcd daemon to start, stop and restart makes configuration changes and testing more intuitive and straightforward.  I encourage the reader to visit Arthur de Jong's site at http://arthurdejong.org/nss-pam-ldapd/ to learn more about nss-pam-ldapd.  In case you don't have the time to visit his site, below is a graphic of the design and functionality of nss-pam-ldapd from his site.

 

 

[Figure: nss-pam-ldapd overview diagram, reproduced from http://arthurdejong.org/nss-pam-ldapd/]

 

Installing nss-pam-ldapd:

# portsnap fetch update
# cd /usr/ports/net/nss-pam-ldapd
# make install clean

 

To enable nslcd on startup add the following to /etc/rc.conf:

nslcd_enable="YES"
nslcd_supervisor="YES"

 

To start nslcd:

# service nslcd start

 

Settings for Server 1:

Below is the /usr/local/etc/nslcd.conf file for server ldap1.loga.us.  As configured it binds anonymously over plain ldap:// (binddn, bindpw, ssl and the tls_* directives are all left commented out), so what NSS is allowed to read is decided by slapd's access rules for anonymous clients, and every lookup crosses the network unencrypted; Part V adds TLS.  Since this nslcd runs on the same host as slapd, the commented-out ldapi:// form is an alternative that keeps the traffic on a local UNIX socket, provided slapd is started with that listener.  If you later set a bindpw, restrict the file's permissions as the comment in the file says.

# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://ldap1.loga.us/

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name of the search base.
base dc=loga,dc=us

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret

# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.
scope sub
#scope one
#scope base

# Customize certain database lookups.
base group ou=Groups,dc=loga,dc=us
base passwd ou=People,dc=loga,dc=us
base shadow ou=People,dc=loga,dc=us
#scope group onelevel
#scope hosts sub

# Bind/connect timelimit.
bind_timelimit 30

# Search timelimit.
timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
idle_timelimit 3600

# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never

# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group member msSFU30PosixMember

# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group member posixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)

# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map passwd uid cn
#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd homeDirectory "/home/$cn"
#map passwd gecos displayName
#map passwd loginShell "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820

# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group gidNumber gid

nss_initgroups_ignoreusers ALLLOCAL
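The file above leaves the security-relevant directives at their defaults, and it is easy to lose track of which ones matter when the template is this long. The script below is an added example for this article, not code from nss-pam-ldapd or from the original post: it parses an nslcd.conf and reports the settings a reviewer would look at first (plaintext ldap:// without StartTLS, anonymous bind, a bindpw in a file readable beyond its owner, tls_reqcert never, no uid directive, and local users' initgroups going to LDAP). SAMPLE_NSLCD_CONF is the active-directive subset of the ldap1.loga.us file shown above; the finding texts and the 0o077 permission rule are this example's own conventions.

```python
"""Audit an nslcd.conf for the settings that decide what an attacker on the
network, or with read access to the file, gets from the NSS/LDAP client.

Added example for this article; not code from nss-pam-ldapd or the original
post. SAMPLE_NSLCD_CONF is the active-directive subset of the ldap1.loga.us
file shown above. The finding texts and the 0o077 permission rule are this
example's own conventions.
"""
import stat

SAMPLE_NSLCD_CONF = """\
# trimmed copy of the ldap1.loga.us configuration shown above
uid nslcd
gid nslcd
uri ldap://ldap1.loga.us/
ldap_version 3
base dc=loga,dc=us
#binddn cn=proxyuser,dc=example,dc=com
#bindpw secret
scope sub
base group ou=Groups,dc=loga,dc=us
base passwd ou=People,dc=loga,dc=us
#ssl start_tls
#tls_reqcert never
nss_initgroups_ignoreusers ALLLOCAL
"""


def parse_nslcd_conf(text):
    """Return {directive: [value, ...]} in file order; uri and base may
    legitimately repeat. Comments and blank lines are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def audit_nslcd_conf(text, file_mode=None):
    """Return a list of finding strings. file_mode is the file's st_mode
    when known, so that a bindpw in a group/world-readable file is caught."""
    conf = parse_nslcd_conf(text)
    findings = []

    # Transport: plain ldap:// without StartTLS puts every lookup, and any
    # bind credentials, on the wire in the clear. ldapi:// is a local UNIX
    # socket and ldaps:// is TLS from the first byte, so neither is flagged.
    starttls = "start_tls" in conf.get("ssl", [])
    if "uri" not in conf:
        findings.append("no uri directive: the server is not stated in this file")
    for uri in conf.get("uri", []):
        if uri.split(":", 1)[0].lower() == "ldap" and not starttls:
            findings.append("plaintext: %s without 'ssl start_tls'" % uri)

    # Identity: with no binddn, nslcd binds anonymously and slapd's access
    # rules for anonymous clients decide which attributes NSS can read.
    if "binddn" not in conf:
        findings.append("anonymous bind: no binddn set")

    # Secret handling: a bindpw is only as private as the file holding it.
    if "bindpw" in conf and file_mode is not None:
        mode = stat.S_IMODE(file_mode)
        if mode & 0o077:
            findings.append("bindpw set but file mode is %o (readable beyond the owner)" % mode)

    # Certificate checking: 'tls_reqcert never' keeps the encryption but
    # drops authentication of the server.
    if "never" in conf.get("tls_reqcert", []):
        findings.append("tls_reqcert never: server certificate is not verified")

    # Privilege: without a uid directive nslcd keeps running as root.
    if "uid" not in conf:
        findings.append("no uid directive: nslcd runs as root")

    # Local-user isolation: unless ALLLOCAL is listed, supplementary-group
    # lookups for local accounts (root included) are also sent to LDAP.
    ignored = {u.strip() for v in conf.get("nss_initgroups_ignoreusers", [])
               for u in v.split(",")}
    if "ALLLOCAL" not in ignored:
        findings.append("nss_initgroups_ignoreusers lacks ALLLOCAL: initgroups for local users goes to LDAP")

    return findings


if __name__ == "__main__":
    # 0o100644 stands in for os.stat("/usr/local/etc/nslcd.conf").st_mode
    for finding in audit_nslcd_conf(SAMPLE_NSLCD_CONF, 0o100644):
        print(finding)
```

Run against the file above it reports exactly two findings, the plaintext uri and the anonymous bind; uncommenting binddn, bindpw and ssl start_tls clears both, after which the only thing left to watch is the mode of the file that now holds the password.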

 

 

Settings for Server 2:

The /usr/local/etc/nslcd.conf file for server ldap2.loga.us is identical to the ldap1.loga.us file above except for the uri line, which points this server's nslcd at its own slapd:

uri ldap://ldap2.loga.us/

 

 

/etc/nsswitch.conf configuration changes:

 

Settings for Server 1:

Below is the /etc/nsswitch.conf file for server ldap1.  The passwd and group databases list files before ldap, so local accounts (root included) still resolve when the directory is unreachable.  Note that FreeBSD's nsswitch.conf(5) defines no shadow database (FreeBSD keeps the password hash in master.passwd), so the shadow line is ignored on FreeBSD; it is harmless to leave in place.

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/10.0.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
shadow: files ldap

 

Settings for Server 2:

The /etc/nsswitch.conf file for server ldap2 is identical to the ldap1 file above.

 

Test the configuration:

By this time, OpenLDAP should be populated with some test data.  If not, add directory data with the ldapadd command or via a web interface such as phpLDAPadmin, as demonstrated in Part II of this series.

 

Before testing, restart the nslcd service:

# service nslcd restart

 

Next, invoke getent passwd command to retrieve user data from the OpenLDAP Server as well as the /etc/passwd file:

# getent passwd

 

Below are the results of the getent passwd command.  As one can see from the abbreviated results, the command returned entries from both the /etc/passwd file and OpenLDAP (the entries with uid numbers of 10000 and above).  Because nsswitch.conf lists files before ldap, the local entries come first.

ldap:*:389:389:OpenLDAP Server:/nonexistent:/usr/sbin/nologin
nslcd:*:928:928:nslcd daemon:/nonexistent:/usr/sbin/nologin
bhall:*:10005:10001:Bob Hall:/Network/Servers/192.168.0.224/mnt/zfsvol/nfs1/Users/bhall:/bin/sh
ghall:*:10006:10001:George Hall:/Network/Servers/192.168.0.224/mnt/zfsvol/nfs1/Home/ghall:/bin/sh

 

Next, invoke the getent group command to retrieve group data from the OpenLDAP server as well as the /etc/group file:

# getent group

 

Below are the results of the getent group command.  As one can see from the abbreviated results, the command returned entries from both the /etc/group file and OpenLDAP (the entries with gid numbers of 10000 and above).

_ntp:*:123
ldap:*:389
nslcd:*:928
Operations:*:10000
Accounting:*:10001

 

Summary:

In Part IV, nss-pam-ldapd and nsswitch.conf were configured to let the OpenLDAP server provide the user account and group data that is normally served from the /etc/passwd and /etc/group flat files.  In this example, PAM authentication was not set up, since interactive system access to the LDAP servers themselves is not desired; nss-pam-ldapd only resolves names here.  The final goal of this series of articles is to allow LAN clients, in particular Macintosh OS X clients, to log in against the directory server, have their home directories served by an NFS server, and have access to other network shares.

In Part V, TLS is incorporated to ensure encrypted traffic between the LDAP Clients and Servers.

 

Additional Resources:

http://www.openldap.org

http://arthurdejong.org/nss-pam-ldapd/

2 thoughts on “Openldap and Multi-Master Replication in FreeBSD – Part IV: Name Server Switch Setup”

    1. Ralph,

      In my setup, I wanted only the ou=Users to have the ability to log in and authenticate to my server as a system user.

      Regards,

      Scott
