2008/2/14, Jonathan Chen <[EMAIL PROTECTED]>:
> On Wed, Feb 13, 2008 at 08:10:57PM +0100, Jon Theil Nielsen wrote:
> > I have googled for a very long time, but I haven't found any useful
> > howto on this issue. Well, there is
> > but that seems to be a bit confusing an not up-to-date. I guess it
> > _should_ be possible - and indeed very useful (especially combinde
> > with Samba PDC and an easily maintainlable mail server). So please, if
> > you have any experiences or knowledge of a useful description..!
> The first thing for you to do is to set up your LDAP tree, with your
> users using objectClass=posixAccount, and your groups with
> Then make the following changes to /etc/nsswitch.conf:
> group: files ldap
> passwd: files ldap
> You then have to install the ports net/nss_ldap and security/pam_ldap.
> The strategy you should adopt is to first get nss_ldap working before
> looking at pam_ldap.
> To configure nss_ldap:
> cp /usr/local/etc/nss_ldap.conf.sample /usr/local/etc/nss_ldap.conf
> When editing the nss_ldap.conf, the entries of particular interest
> are "bind_timelimit" and "bind_policy", which will need to be changed
> so that the system will still allow you login locally even if the LDAP
> server is not running. I've got mine set to:
> bind_timelimit 3
> bind_policy soft
> Make sure your "nss_base_passwd" and "nss_base_group" are set correctly.
> I foudn that I didn't need have to set "rootbinddn" or provide a ldap.secret
> file, YMMV.
> You can then test with "getent group" or "getent passwd". However,
> getent(1) is only available with FreeBSD-7 onwards. If you aren't
> using FreeBSD-7, the simplest way to test is to create a file whose
> user and group ownership refers to the LDAP entries, and then see if
> a simple "ls -l" displays correctly.
> Once you've verified that this is working, you can then configure
> cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf
> Again, set the bind_timelimit and bind_policy to ensure you don't hang
> your system if the LDAP server isn't up.
> To configure PAM, you have to add a reference to pam_ldap in the
> appropriate PAM files in /etc/pam.d. Here's my snippet in
> /etc/pam.d/login to allow a console login:
> # auth
> auth sufficient pam_self.so no_warn
> auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
> auth include system
> The pam_ldap.so reference will need to be added to other pamd.d files
> as required, eg: imap, gdm, kde, xdm.
> Hope this helps.
> Jonathan Chen <[EMAIL PROTECTED]>
Well, I must say that this is almost more than I could imagine to get
out of my request..! I will absolutely try this method as soon as
possible. I hope I can make it work, and I will report back with
experiences (and hopefully not) problems/questions.
Jon Theil Nielsen
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"