Setting up the client is simple; it only needs a couple of small things configured.
First and foremost: if there is a problem with the LDAP server and you try to log in on the console, then logging in with any user account might take some time!
It will happen, so be patient.
Do not use pam_ldap and nss_ldap anymore! Instead, use nss-pam-ldapd, which seems to be actively maintained.
installation commands
pkg install openldap26-client openssl nss-pam-ldapd
service nscd enable
service nslcd enable
Now edit ldap.conf:
nano /usr/local/etc/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=local,dc=com
SSL start_tls
URI ldap://ldap.local.com
TLS_CACERT /usr/local/etc/openldap/cacert.crt
ldap_version 3
pam_login_attribute uid
Create a new file, /usr/local/etc/nslcd.conf:
nano /usr/local/etc/nslcd.conf
uid nslcd
gid wheel
uri ldap://ldap.local.com/
base dc=local,dc=com
#binddn uid=mdbadmin,dc=local,dc=com
#bindpw Showmtm
bind_timelimit 3
idle_timelimit 10
timelimit 1
reconnect_retrytime 3
nss_initgroups_ignoreusers ALLLOCAL
Note: the times are kept fairly short. Especially reconnect_retrytime, which is only 3 seconds. The reason: if you log in on the local console while the server is unreachable, at least you do not have to wait a minute before it lets you in!
Considering that the LDAP server is a fairly important service, it shouldn't be offline much, and if it is, then for the shortest possible amount of time.
finishing commands
chown nslcd /usr/local/etc/nslcd.conf
chmod 700 /usr/local/etc/nslcd.conf
service sshd restart
service nscd start
service nslcd start
Next, make sure that PAM knows about LDAP, first for the system itself:
nano /etc/pam.d/system
#
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_ldap.so use_authtok
password required pam_unix.so no_warn try_first_pass
Next sshd:
nano /etc/pam.d/sshd
#
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass minimum_uid=1000
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user minimum_uid=1000
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
session required pam_mkhomedir.so umask=0077
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_ldap.so use_authtok minimum_uid=1000
password required pam_unix.so no_warn try_first_pass
Tell nsswitch that we want to use LDAP as well:
nano /etc/nsswitch.conf
# in the file look for these lines:
group: compat
passwd: compat
# and change these into:
group: files cache ldap
passwd: files cache ldap
Yes, you can make that last change while you are logged in over ssh yourself!
Last thing to do: copy ca.crt from the server if a self-signed certificate was used. Otherwise we don't need it!
It is also nice to have the hosts file from the server, which should contain all the IP addresses etc.
This is easily done:
fetching files
scp user@ldap.local.com:/etc/hosts /etc/hosts
scp user@ldap.local.com:/usr/local/etc/openldap/certs/ca.crt /usr/local/etc/openldap/cacert.crt
With that, the client setup is done. Reboot the machine and you should be able to log in with a user that does not exist in /etc/passwd on this machine!
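Before trusting the new login path, it is worth auditing the files the steps above touched. The script below is an added example, not part of the original notes: it checks that nslcd.conf is not readable by others (it may carry a bindpw), that nslcd itself is told to use STARTTLS and a CA file (nslcd reads only nslcd.conf; the `ssl` and `tls_cacertfile` directives are from nslcd.conf(5) and are not set in the file shown above, so the audit flags that), that nsswitch lists ldap for passwd and group, and that every active pam_ldap.so line in the sshd stack carries minimum_uid (so uid 0 and other system accounts are never answered by the directory) and the password stack uses use_authtok. The sample files built at the bottom are constructed for the demo; point the check_* functions at the real files on the client instead.

```shell
#!/bin/sh
# Added audit for the FreeBSD LDAP client set up in the notes above (not the
# page's own code). Usage on a real client:
#   check_private /usr/local/etc/nslcd.conf; check_nslcd_tls /usr/local/etc/nslcd.conf
#   check_nsswitch /etc/nsswitch.conf;       check_pam_sshd /etc/pam.d/sshd

# Permission string of a file as ls(1) prints it, e.g. "-rw-------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# nslcd.conf can carry a bindpw, so "other" must have no access bits at all.
check_private() {
    case "$(mode_of "$1")" in
        ???????---) return 0 ;;
        *) echo "FAIL: $1 is accessible by others" >&2; return 1 ;;
    esac
}

# nslcd has its own TLS settings (nslcd.conf(5): ssl, tls_cacertfile); without
# them the daemon talks to ldap:// in the clear, whatever ldap.conf says.
check_nslcd_tls() {
    grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on)' "$1" ||
        { echo "FAIL: $1 does not enable ssl/start_tls" >&2; return 1; }
    grep -Eq '^[[:space:]]*tls_cacertfile[[:space:]]+/' "$1" ||
        { echo "FAIL: $1 sets no tls_cacertfile" >&2; return 1; }
}

# Both the passwd and group databases must list ldap as a source.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1" ||
            { echo "FAIL: $db in $1 does not use ldap" >&2; return 1; }
    done
}

# Every active pam_ldap.so line needs minimum_uid, and the password stack
# must hand the new password on with use_authtok (not the typo use_authok).
check_pam_sshd() {
    lines=$(grep -Ev '^[[:space:]]*#' "$1" | grep 'pam_ldap\.so')
    [ -n "$lines" ] || { echo "FAIL: $1 has no pam_ldap.so entries" >&2; return 1; }
    if echo "$lines" | grep -vq 'minimum_uid='; then
        echo "FAIL: $1 has a pam_ldap.so line without minimum_uid" >&2; return 1
    fi
    echo "$lines" | grep '^password' | grep -q 'use_authtok' ||
        { echo "FAIL: password pam_ldap.so line in $1 lacks use_authtok" >&2; return 1; }
}

# Run all checks on one nslcd.conf, nsswitch.conf and pam.d/sshd; 0 only if all pass.
audit() {
    rc=0
    check_private   "$1" || rc=1
    check_nslcd_tls "$1" || rc=1
    check_nsswitch  "$2" || rc=1
    check_pam_sshd  "$3" || rc=1
    return $rc
}

# --- demo on constructed files (not the real client configuration) ---------
tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/nslcd.conf" <<'EOF'
uid nslcd
gid wheel
uri ldap://ldap.local.com/
base dc=local,dc=com
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/cacert.crt
EOF
chmod 600 "$tmp/nslcd.conf"
printf 'uri ldap://ldap.local.com/\nbase dc=local,dc=com\n' > "$tmp/nslcd.bad"
chmod 644 "$tmp/nslcd.bad"

printf 'group: files cache ldap\npasswd: files cache ldap\n' > "$tmp/nsswitch.good"
printf 'group: compat\npasswd: compat\n' > "$tmp/nsswitch.bad"

cat > "$tmp/sshd.good" <<'EOF'
auth sufficient pam_ldap.so no_warn try_first_pass minimum_uid=1000
auth required pam_unix.so no_warn try_first_pass
account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user minimum_uid=1000
password required pam_ldap.so use_authtok minimum_uid=1000
EOF
cat > "$tmp/sshd.bad" <<'EOF'
auth sufficient pam_ldap.so no_warn try_first_pass
password required pam_ldap.so use_authok
EOF

audit "$tmp/nslcd.conf" "$tmp/nsswitch.good" "$tmp/sshd.good" && echo "good set: PASS"
audit "$tmp/nslcd.bad"  "$tmp/nsswitch.bad"  "$tmp/sshd.bad"  || echo "bad set: FAIL (expected)"
```

On the real client, `getent passwd someuser` and `id someuser` confirm that nsswitch resolves a directory-only account through nscd and nslcd, and `openssl s_client -starttls ldap -connect ldap.local.com:389 -CAfile /usr/local/etc/openldap/cacert.crt` (OpenSSL 1.1.1 or newer) confirms that the copied CA actually validates the server's certificate before any password is sent over the wire.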