FreeBSD virtual environment management and repository

2020-10 update: we reached the first fundraising goal and rented a server at Hetzner for development! Thank you for donating!

Attention! Current pages describe CBSD version 13.0.x. If you are using an older version, please update first.

Attention! I apologize for the automatic translation of this text. You can improve it by sending me a more correct version of the text or fix html pages via GITHUB repository.

LDAP jail

To install the LDAP CBSD jail, use the Repository submenu of bsdconfig cbsd, or just follow these steps:

	% cbsd repo action=get sources=img name=ldapsrv

or, if your host runs a FreeBSD version other than 10.1, request the image version explicitly:

	% cbsd repo action=get sources=img name=ldapsrv ver=10.1

Then run imghelper, which asks the questions required to set up the jail:

	% cbsd imghelper jname=ldapsrv bootstrap=/usr/jails/jails-system/ldapsrv/bin/bootstrap.sh

where /usr/jails is the CBSD workdir.

The LDAP server is now ready to use. Do not forget to set astart=1 via cbsd jconfig jname=ldapsrv if you want the jail to start automatically. After starting the jail with

	% cbsd jstart ldapsrv

phpLDAPadmin will be reachable at http://FQDN:

Important:

Whenever a new jail is created or fetched from the repository, make it a rule to ALWAYS change the root password inside the jail, even if you do not plan to run ssh/ftp/rsh or similar services in it. If the jail is created with applytpl=0, /etc/{passwd,master.passwd,group} in the jail are by default the original "clean" FreeBSD files, so the root password is empty. If the jail is created with applytpl=1 (this also applies to images from the repository), the files from $workdir/share/jail-skel are used as templates, and there the root password is 'cbsd' in a default CBSD installation. You can change the default root password for newly created jails by editing the hash in the skel master.passwd with:

% vipw -d ${workdir}/share/jail-skel/etc

or by specifying an alternative jail-skel directory path in the .jconf config (used by the jcreate tool).

For non-interactive, automated deployment (for example, a hosting setup with lots of RM installations for customers) you can use:

	% cbsd jconfig jname=ldapsrv ldapsrvinstall cn= cnpw= fqdn= ldapsuffix=

After starting the LDAP jail, you can use /root/example_user.ldif as an LDIF template for adding your user. Generate the password hash with

	% slappasswd -h "{SSHA}" -s yourpassword

put the result into the userPassword attribute, and run:

	ldapadd -Z -D "cn=Manager,dc=example,dc=com" -W -f /root/example_user.ldif

LDAP PAM authentication

You can use the LDAP server not only for authorizing applications such as Asterisk, GitLab, Redmine or OwnCloud, but also to centrally manage Unix accounts on all servers and jails. To add authentication via PAM you need to install the nss_ldap and pam_ldap packages inside the jail; to have the home directory created automatically at first login, you also need pam_mkhomedir. The following files need to be changed inside the jail:

  • /usr/local/etc/ldap.conf:
     URI ldap://%%URI%%
     base %%DC%%
     ldap_version 3
     scope sub
     bind_timelimit 3
     bind_policy soft
     timelimit 3
     idle_timelimit 3
    
     pam_password SSHA
    
     pam_filter              objectclass=posixAccount
     pam_check_host_attr     yes
     pam_login_attribute     uid:caseExactMatch:
     pam_member_attribute    memberUid
    
     pam_lookup_policy no
    
     nss_base_group %%OU%%,%%DC%%
     nss_base_netgroup %%OU%%,%%DC%%
     nss_initgroups_ignoreusers root,ldap
     nss_connect_policy oneshot
    			
  • /usr/local/etc/nss_ldap.conf
     uri ldap://%%URI%%
     base %%OU%%,%%DC%%
     ldap_version 3
    
     timelimit 3
     bind_timelimit 3
     bind_policy soft
     idle_timelimit 3
    			
  • /etc/nsswitch.conf
     group: files ldap
     passwd: files ldap
    			
  • /usr/local/etc/openldap/ldap.conf
     nss_reconnect_tried     2
     pam_login_attributes    uid
     pam_member_attributes   cn
     pam_password            SSHA
     nss_base_passwd         %%OU%%,%%DC%%
     nss_base_shadow         %%OU%%,%%DC%%
    
     TIMEOUT 3
     TIMELIMIT       3
    			
  • /etc/pam.d/sshd
     auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
     auth            required        pam_unix.so             no_warn try_first_pass
     account         sufficient      /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user
     account         required        pam_unix.so
     session         required        /usr/local/lib/pam_mkhomedir.so
     session         required        pam_permit.so
     password        sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
     password        required        pam_unix.so             no_warn try_first_pass
    			
  • All of these changes can be turned on or off with the command:

    			% cbsd ldapize jname=XXX

    The previous configuration is stored in the $systemdir/$jname directory of the ldapize helper, so the jail can be returned to its previous state.

    Example of activating and deactivating LDAP authorization.

    			root@home:~ # cbsd ldapize --help
    			[helpers] Modify /etc/pam.d/sshd, ldap.conf and nss_ldap.conf in jail for your LDAP service
    			require: mode jname
    			opt: uri ou dc
    			mode= install,deinstall,modify
    			

    User oleg does not exist in master.passwd of the jldap jail:

    			cbsd jexec jname=jldap grep oleg /etc/master.passwd
    			

    Activation for the jldap jail (the ou=, dc= and uri= values are stored in the environment):

    root@home:~ # cbsd jls | grep jldap
    jldap	4	192.168.1.168/24	jldap.my.domain	/usr/jails/jails/jldap	On
    			
    root@home:~ # cbsd ldapize jname=jldap mode=install
    Original /etc/pam.d/sshd from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/etc/pam.d
    Original /etc/nsswitch.conf from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/etc
    Original /usr/local/etc/openldap/ldap.conf from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc/openldap
    Original /usr/local/etc/ldap.conf from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc
    Original /usr/local/etc/nss_ldap.conf from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc
    Make sure that you have pam_mkhomedir nss_ldap pam_ldap installed in your jail
    
    % cbsd jexec jname=jldap finger oleg
    Login: oleg                             Name: oleg ginzburg
    Directory: /home/oleg                   Shell: /bin/csh
    Last login Thu Apr 17 17:46 (MSK) on pts/20 from 192.168.1.199
    No Mail.
    No Plan.
    			

    Deactivation and test:

    root@home:~ # cbsd ldapize jname=jldap mode=deinstall
    Original /etc/pam.d/sshd from /usr/jails/jails-system/jldap/module-ldapize/etc/pam.d restored
    Original /etc/nsswitch.conf from /usr/jails/jails-system/jldap/module-ldapize/etc restored
    Original /usr/local/etc/openldap/ldap.conf from /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc/openldap restored
    Original /usr/local/etc/ldap.conf from /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc restored
    Original /usr/local/etc/nss_ldap.conf from /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc restored
    
    % cbsd jexec jname=jldap finger oleg
    finger: oleg: no such user