Table of contents
  1. LDAP
  2. NSS & PAM
  3. Caching
  4. nsswitch

Users and groups defined in the LDAP directory will be integrated into the operating system, so that they appear as if they were locally defined.

Don’t use the nss_ldap / pam_ldap packages: they generate too many requests to the LDAP server.

Build information

Ensure the following port options are set:

net/openldap24-sasl-client
```
[x] FETCH     Enable fetch(3) support
[ ] GSSAPI    With GSSAPI support (implies SASL support)
```

net/nss-pam-ldapd
```
[x] PAM       Build pam_ldap
[x] NSS       Build nss support
```

LDAP

The configuration file ldap.conf is located in /usr/local/etc/openldap/ (on systems other than FreeBSD, it can usually be found in /etc/).

Set the protocol version to use, the default base branch and the server to connect to:

ldap.conf
```
ldap_version    3
base            dc=example,dc=com
uri             ldaps://ldap.example.com/
```

NSS & PAM

nslcd does not need to run as root, so we switch to its dedicated user and group (nslcd):

nslcd.conf
```
uid nslcd
gid nslcd
```

The minimum requirement is to provide the URI of the LDAP server as well as the branch that will serve as the base for requests. If the directory conforms to RFC 2307, no customization of the LDAP requests is needed.

nslcd.conf
```
# Basic definitions for LDAP lookup
uri ldaps://ldap.example.com/
base dc=example,dc=com
```

Lookups into the LDAP directory can be customized to select the appropriate branches, apply filters to the search, or remap LDAP attributes.

Here we specify the branch as well as a filter to use when looking up users (passwd, shadow) or groups (group):

nslcd.conf
```
# Customize certain database lookups.
base   group  ou=Groups,dc=example,dc=com
filter group  (objectClass=posixGroup)
base   passwd ou=People,dc=example,dc=com
filter passwd (objectClass=posixAccount)
base   shadow ou=People,dc=example,dc=com
filter shadow (objectClass=posixAccount)
```

Even though nsswitch will look up the local database (files) before performing an LDAP query (ldap), it is advisable to ensure that local system accounts (usually with a UID below 1000) can never be imported from the directory:

nslcd.conf
```
nss_min_uid 1000
```

We don’t allow PAM to change the user’s password, but instead redirect the user to a dedicated web page where they can do so. This allows us to perform additional checks on the chosen password and to convert it so it can be used with LDAP, Samba, or Kerberos.

nslcd.conf
```
pam_password_prohibit_message "To change password: https://password.example.com"
```

To avoid a chicken-and-egg problem during the boot process, which can lead to a deadlock, it is possible to exclude some users from LDAP name resolution:

nslcd.conf
```
nss_initgroups_ignoreusers root,ldap,bind
```

This is normally not necessary if the order used in the nsswitch.conf file is files ldap.

Start nslcd at boot time:

rc.conf
```
nslcd_enable="YES"                      # LDAP support for nss/pam
```

Caching

In FreeBSD < 12.2, the nscd daemon is broken.

As requests over the network are costly, you generally want nsswitch to cache the retrieved data. This is done by using nscd to perform the caching.

In our example, we only use LDAP lookups to retrieve information about users and groups, so only the passwd and group entries need to be cached (enabled in /etc/nscd.conf).

nscd.conf
```
enable-cache passwd yes
enable-cache group yes
```

And of course the nscd daemon should be started at boot time:

rc.conf
```
nscd_enable="YES"                       # Enable caching in nsswitch
```

nsswitch

A typical configuration for nsswitch.conf is to first query the cache provided by nscd (keyword: cache), next if necessary the local database (keyword: files) and if unsuccessful to query the ldap directory (keyword: ldap):

/etc/nsswitch.conf
```
passwd: cache files ldap
group: cache files ldap
```
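As an added example (not part of this page or of nss-pam-ldapd), a small Python check that parses an nslcd.conf and nsswitch.conf pair and flags departures from the settings above: a plain ldap:// URI instead of ldaps://, nss_min_uid missing or below 1000, or ldap consulted before files. The sample configurations are constructed from the fragments on this page.

```python
# Constructed sample configurations mirroring the settings described on this page.
NSLCD_CONF = """\
uid nslcd
gid nslcd
# Basic definitions for LDAP lookup
uri ldaps://ldap.example.com/
base dc=example,dc=com
base   passwd ou=People,dc=example,dc=com
filter passwd (objectClass=posixAccount)
nss_min_uid 1000
"""
NSSWITCH_CONF = """\
passwd: cache files ldap
group: cache files ldap
"""

def parse_nslcd(text):
    """Map each nslcd.conf keyword to a list of argument lists (keywords may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        conf.setdefault(key, []).append(args)
    return conf

def parse_nsswitch(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs

def check(nslcd_text, nsswitch_text):
    """Return findings; an empty list means the pair follows the page's advice."""
    conf, dbs, findings = parse_nslcd(nslcd_text), parse_nsswitch(nsswitch_text), []
    for u in [a[0] for a in conf.get("uri", []) if a]:
        if not u.startswith("ldaps://"):  # the page uses ldaps:// so lookups are not sent in clear
            findings.append(f"nslcd: uri {u} is not ldaps://")
    min_uid = conf.get("nss_min_uid", [[]])[-1]  # last occurrence wins
    if not min_uid or not min_uid[0].isdigit() or int(min_uid[0]) < 1000:
        findings.append("nslcd: nss_min_uid missing or below 1000, system accounts could be imported")
    for db in ("passwd", "group"):  # the page's order is cache files ldap
        order = dbs.get(db, [])
        if "ldap" in order and ("files" not in order or order.index("files") > order.index("ldap")):
            findings.append(f"nsswitch: {db} consults ldap before the local files database")
    return findings
```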