LDAP Authentication on BSD with PAM and/or NIS

Greg Schenzel <inittab AT unixdev DOT net>
Copyright 2005
GNU Free Documentation License

Often, you will want to use systems that do not have modular NSS functionality. If your primary network authentication system is LDAP, then you may want to use it on one of these systems. You will need to set up an NIS server and my ldap2nis cronjob. If the client system supports PAM, then the NIS maps can be password-less and authentication may be done via pam_ldap. Otherwise, passwords can be left in the NIS data for full compatibility. Remember the inherent security concerns of broadcasting password data over NIS.

The information on this page applies to systems with and without PAM, but especially those with it (NetBSD 3.0_BETA, FreeBSD 4.x). It is suitable for setting up just one host, or a server with a veritable farm of clients.

  1. On a Server...

    1. Download ldap2nis
    2. Edit ldap2nis-cron.pl, change paths and ldap characteristics. If $hidePassword=false, then you will need to set $bind and $bindpw to a legitimate ldap admin; this is because of password transfer. $server and $base also need to be initialized. Set $hidePassword in accordance with the status of PAM on your clients; if PAM exists, $hidePassword=true!
    3. Run `make install`
    4. Run `/usr/lib/yp/ypinit -m` to initialize the NIS server.
    5. Edit /var/yp/Makefile,
      YPPWDDIR = /etc/ldapnis
      
      If you change this, you will need to have changed it in the perl script as well.
    6. Edit /etc/default/nis, or similar
      YPPWDDIR = /etc/ldapnis
      
      Once again, this should reflect above value.
    7. Run `/etc/init.d/nis start`, or similar
    8. Run the script as root once to check it, then tell cron to do it. e.g. `sudo /usr/local/sbin/ldap2nis-cron.pl`

      Ex. /etc/crontab:
             17 * * * * root /usr/local/sbin/ldap2nis-cron.pl
      
  2. On Solaris 9+, Linux, FreeBSD 5.x clients...

    Don't bother with NIS for NSS data. Use nss_ldap or the Solaris native LDAP client (works for me). Technically, Solaris 8 supports LDAP too, but I never got it to work with OpenLDAP.
  3. On NetBSD 3.0 or FreeBSD 4.x clients...

    Make sure $hidePassword=true in ldap2nis config. Also, $bind may be anonymous or unprivileged user.

    1. Install and configure pam_ldap
      1. Run `pkg_add ftp://ftp.netbsd.org/pub/NetBSD/packages/2.0/i386/All/pam-ldap` or `pkg_add -r pam-ldap`. The former is for NetBSD, but `cd /usr/pkgsrc/security/pam-ldap; make install` may be wiser.
      2. Edit /usr/pkg/etc/ldap.conf
    2. Configure NIS client behavior
      1. Add a +::: entry to /etc/group and a +:::::::: entry to /etc/passwd (using `vipw`)
      2. Set domainname in /etc/rc.conf
      3. Enable ypbind in /etc/rc.conf
      4. Edit /etc/nsswitch.conf, enabling "compat" entries.
    3. Edit /etc/pam.d/* or /etc/pam.conf entries, adding a "sufficient" auth, password, and account record for the new pam_ldap.so file. Use the try_first_pass option where appropriate.
    4. `ypcat passwd` should not show passwords. Reboot the client; if pam and pam_ldap have been configured properly, you should be able to log in, change passwords, etc.
  4. On NetBSD 1.x and 2.x clients...

    Make sure $hidePassword=false in ldap2nis config. In this case, $bind MUST reference an LDAP admin for password transfer.

    1. Configure NIS client behavior
      1. Add a +::: entry to /etc/group and a +:::::::: entry to /etc/passwd (using `vipw`)
      2. Set domainname in /etc/rc.conf
      3. Enable ypbind in /etc/rc.conf
      4. Edit /etc/nsswitch.conf, enabling "compat" entries.
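
  An added check for the `ypcat passwd` step in the NetBSD 3.0 / FreeBSD 4.x section above (example code, not part of ldap2nis or this HOWTO): it reads the NIS passwd map and reports every entry whose password field holds something other than a placeholder. It assumes ldap2nis writes `*` or `x` into that field when $hidePassword=true; on 1.x/2.x clients, where $hidePassword=false, hits are expected and the output simply lists which accounts have their hashes broadcast.

```sh
#!/bin/sh
# Audit NIS passwd map lines for exposed password hashes.
# Usage on a client:  ypcat passwd | audit_passwd_map
# Reads one passwd-style line per input line, prints the user name of
# each entry whose password field is not a placeholder, and returns 1 if
# any such entry was found, 0 otherwise.
audit_passwd_map() {
    found=0
    while IFS= read -r line; do
        # Skip blank lines and NIS compat entries such as "+" or "-user".
        case "$line" in
            ''|+*|-*) continue ;;
        esac
        user=${line%%:*}            # field 1: user name
        rest=${line#*:}
        pw=${rest%%:*}              # field 2: password field
        # Placeholder values assumed here; anything else is treated as a
        # real hash that is being served to every host on the network.
        case "$pw" in
            ''|'*'|x|'!'|'!!'|'*LK*') ;;
            *) echo "password hash exposed for user: $user"; found=1 ;;
        esac
    done
    return $found
}
```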