2020-10 upd: we reached the first fundraising goal and rented a server in Hetzner for development! Thank you for donating !
Attention! Current pages describe CBSD version 13.0.x. If you are using an older version, please update first.
Attention! I apologize for the automatic translation of this text. You can improve it by sending me a more correct version of the text or fix html pages via GITHUB repository.
LDAP jail
For installing LDAP CBSD jail use bsdconfig cbsd and Repository submenu, or just follow this steps:
% cbsd repo action=get sources=img name=ldapsrv
or
% cbsd repo action=get sources=img name=ldapsrv ver=10.1
If you hosted on another ( non 10.1 ) FreeBSD version.
Execute imghelper that asks you for some questions required for the installation of the jail:
% cbsd imghelper jname=ldapsrv bootstrap=/usr/jails/jails-system/ldapsrv/bin/bootstrap.sh
where: /usr/jails/ is workdir for CBSD.
Now LDAP server ready to use. Do not forget to set astart=1 in cbsd jconfig jname=ldapsrv if you want for starting jail automatically. By the starting jail via
% cbsd jstart ldapsrv
PHPLdapAdmin will be available for accessing via http://FQDN:
Important:
When a new jail is created or obtaining from the repository, make it a rule ALWAYS change the user's password root in jail, even if you do not plan to run it ssh/ftp/rsh and similar services. If the jail is created with applytpl=0, by default /etc/{passwd,master.passwd,group} in the jail as the original "clean" files FreeBSD, so password of root user is empty. If jail created with applytpl=1 (it also refers to images from repository) $workdir/share/jail-skel files will be used as templates where root password is 'cbsd' in default CBSD installation. You can change default root password when new jail is created via edit of hash in skel master.passwd via:
% vipw -d ${workdir}/share/jail-skel/etc
commands, or specify alternative path to jail-skel dir in .jconf (jcreate tools) config
For non-interactive and automatic deploying (for example you create hosting with lots of RM installation for customer) you can use:
% cbsd jconfig jname=ldapsrv ldapsrvinstall cn= cnpw= fqdn= ldapsuffix=
After starting the LDAP jail, you can use /root/example_user.ldif as an example LDIF template to add your user. For this purpose, after the command received password
% slappasswd -h "{SSHA}" -s yourpassword
fill in the userPassword and run:
ldapadd -Z -D "cn=Manager,dc=example,dc=com" -W -f /root/example_user.ldif
LDAP PAM authentication
You can use the LDAP server not only for authorization applications like Asterisk, GitLab, Redmine, OwnCloud, but also to provide centralized management of Unix account on all servers and jails. To add authentication via PAM, you need to install inside the jail follow packages: nss_ldap and pam_ldap. To the home directory is automatically created when you first enter, also need pam_mkhomedir. The following files need to change inside the jails:
- /usr/local/etc/ldap.conf:
URI ldap://%%URI%% base %%DC%% ldap_version 3 scope sub bind_timelimit 3 bind_policy soft timelimit 3 idle_timelimit 3 pam_password SSHA pam_filter objectclass=posixAccount pam_check_host_attr yes pam_login_attribute uid:caseExactMatch: pam_member_attribute memberUid pam_lookup_policy no nss_base_group %%OU%%,%%DC%% nss_base_netgroup %%OU%%,%%DC%% nss_initgroups_ignoreusers root,ldap nss_connect_policy oneshot
- /usr/local/etc/nss_ldap.conf
uri ldap://%%URI%% base %%OU%%,%%DC%% ldap_version 3 timelimit 3 bind_timelimit 3 bind_policy soft idle_timelimit 3
- /etc/nsswitch.conf
group: files ldap passwd: files ldap
- /usr/local/etc/openldap/ldap.conf
nss_reconnect_tried 2 pam_login_attributes uid pam_member_attributes cn pam_password SSHA nss_base_passwd %%OU%%,%%DC%% nss_base_shadow %%OU%%,%%DC%% TIMEOUT 3 TIMELIMIT 3
- /etc/pam.d/ssh
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user account required pam_unix.so session required /usr/local/lib/pam_mkhomedir.so session required pam_permit.so password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass
All of these changes, you can turn on or off via the command:
% cbsd ldapize jname=XXX
Thus, the previous configuration stored in $systemdir/$jname of ldapize helper directory to he could get back to the previous state
Example activations and deactivation LDAP authorization.
root@home:~ # cbsd ldapize --help [helpers] Modify /etc/pam.d/sshd, ldap.conf and nss_ldap.conf in jail for your LDAP service require: mode jname opt: uri ou dc mode= install,deinstall,modify
User oleg doesn not exist in master.passwd of jldap jail:
cbsd jexec jname=jldap grep oleg /etc/master.passwd
Activations for jldap jail. (ou=, dc= and uri= value stored in environment):
root@home:~ # cbsd jls | grep jldap jldap 4 192.168.1.168/24 jldap.my.domain /usr/jails/jails/jldap On root@home:~ # cbsd ldapize jname=jldap mode=install Original /etc/pam.d/sshd from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/etc/pam.d Original /etc/nsswitch.conf from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/etc Original /usr/local/etc/openldap/ldap.conf from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc/openldap Original /usr/local/etc/ldap.conf from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc Original /usr/local/etc/nss_ldap.conf from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc Make sure that you have pam_mkhomedir nss_ldap pam_ldap installed in your jail % cbsd jexec jname=jldap finger oleg Login: oleg Name: oleg ginzburg Directory: /home/oleg Shell: /bin/csh Last login Thu Apr 17 17:46 (MSK) on pts/20 from 192.168.1.199 No Mail. No Plan.
Deactivation and test:
root@home:~ # cbsd ldapize jname=jldap mode=deinstall Original /etc/pam.d/sshd from /usr/jails/jails-system/jldap/module-ldapize/etc/pam.d restored Original /etc/nsswitch.conf from /usr/jails/jails-system/jldap/module-ldapize/etc restored Original /usr/local/etc/openldap/ldap.conf from /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc/openldap restored Original /usr/local/etc/ldap.conf from /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc restored Original /usr/local/etc/nss_ldap.conf from /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc restored % cbsd jexec jname=jldap finger oleg finger: oleg: no such user