FreeBSD virtual environment management and repository

2020-10 upd: we reached the first fundraising goal and rented a server in Hetzner for development! Thank you for donating !

Attention! Current pages describe CBSD version 13.0.x. If you are using an older version, please update first.

Attention! I apologize for the automatic translation of this text. You can improve it by sending me a more correct version of the text or fix html pages via GITHUB repository.

LDAP jail

For installing LDAP CBSD jail use bsdconfig cbsd and Repository submenu, or just follow this steps:

			% cbsd repo action=get sources=img name=ldapsrv


		% cbsd repo action=get sources=img name=ldapsrv ver=10.1

If you hosted on another ( non 10.1 ) FreeBSD version.

Execute imghelper that asks you for some questions required for the installation of the jail:

% cbsd imghelper jname=ldapsrv bootstrap=/usr/jails/jails-system/ldapsrv/bin/

where: /usr/jails/ is workdir for CBSD.

Now LDAP server ready to use. Do not forget to set astart=1 in cbsd jconfig jname=ldapsrv if you want for starting jail automatically. By the starting jail via

			% cbsd jstart ldapsrv

PHPLdapAdmin will be available for accessing via http://FQDN:


When a new jail is created or obtaining from the repository, make it a rule ALWAYS change the user's password root in jail, even if you do not plan to run it ssh/ftp/rsh and similar services. If the jail is created with applytpl=0, by default /etc/{passwd,master.passwd,group} in the jail as the original "clean" files FreeBSD, so password of root user is empty. If jail created with applytpl=1 (it also refers to images from repository) $workdir/share/jail-skel files will be used as templates where root password is 'cbsd' in default CBSD installation. You can change default root password when new jail is created via edit of hash in skel master.passwd via:

% vipw -d ${workdir}/share/jail-skel/etc

commands, or specify alternative path to jail-skel dir in .jconf (jcreate tools) config

For non-interactive and automatic deploying (for example you create hosting with lots of RM installation for customer) you can use:

			% cbsd jconfig jname=ldapsrv ldapsrvinstall cn= cnpw= fqdn= ldapsuffix=

After starting the LDAP jail, you can use /root/example_user.ldif as an example LDIF template to add your user. For this purpose, after the command received password

			% slappasswd -h "{SSHA}" -s yourpassword

fill in the userPassword and run:

			ldapadd -Z -D "cn=Manager,dc=example,dc=com" -W -f /root/example_user.ldif

LDAP PAM authentication

You can use the LDAP server not only for authorization applications like Asterisk, GitLab, Redmine, OwnCloud, but also to provide centralized management of Unix account on all servers and jails. To add authentication via PAM, you need to install inside the jail follow packages: nss_ldap and pam_ldap. To the home directory is automatically created when you first enter, also need pam_mkhomedir. The following files need to change inside the jails:

  • /usr/local/etc/ldap.conf:
     URI ldap://%%URI%%
     base %%DC%%
     ldap_version 3
     scope sub
     bind_timelimit 3
     bind_policy soft
     timelimit 3
     idle_timelimit 3
     pam_password SSHA
     pam_filter              objectclass=posixAccount
     pam_check_host_attr     yes
     pam_login_attribute     uid:caseExactMatch:
     pam_member_attribute    memberUid
     pam_lookup_policy no
     nss_base_group %%OU%%,%%DC%%
     nss_base_netgroup %%OU%%,%%DC%%
     nss_initgroups_ignoreusers root,ldap
     nss_connect_policy oneshot
  • /usr/local/etc/nss_ldap.conf
     uri ldap://%%URI%%
     base %%OU%%,%%DC%%
     ldap_version 3
     timelimit 3
     bind_timelimit 3
     bind_policy soft
     idle_timelimit 3
  • /etc/nsswitch.conf
     group: files ldap
     passwd: files ldap
  • /usr/local/etc/openldap/ldap.conf
     nss_reconnect_tried     2
     pam_login_attributes    uid
     pam_member_attributes   cn
     pam_password            SSHA
     nss_base_passwd         %%OU%%,%%DC%%
     nss_base_shadow         %%OU%%,%%DC%%
     TIMEOUT 3
     TIMELIMIT       3
  • /etc/pam.d/ssh
     auth            sufficient      /usr/local/lib/      no_warn try_first_pass
     auth            required             no_warn try_first_pass
     account         sufficient      /usr/local/lib/      no_warn ignore_authinfo_unavail ignore_unknown_user
     account         required
     session         required        /usr/local/lib/
     session         required
     password        sufficient      /usr/local/lib/      no_warn try_first_pass
     password        required             no_warn try_first_pass
  • All of these changes, you can turn on or off via the command:

    			% cbsd ldapize jname=XXX

    Thus, the previous configuration stored in $systemdir/$jname of ldapize helper directory to he could get back to the previous state

    Example activations and deactivation LDAP authorization.

    			root@home:~ # cbsd ldapize --help
    			[helpers] Modify /etc/pam.d/sshd, ldap.conf and nss_ldap.conf in jail for your LDAP service
    			require: mode jname
    			opt: uri ou dc
    			mode= install,deinstall,modify

    User oleg doesn not exist in master.passwd of jldap jail:

    			cbsd jexec jname=jldap grep oleg /etc/master.passwd

    Activations for jldap jail. (ou=, dc= and uri= value stored in environment):

    root@home:~ # cbsd jls | grep jldap
    jldap	4	/usr/jails/jails/jldap	On
    root@home:~ # cbsd ldapize jname=jldap mode=install
    Original /etc/pam.d/sshd from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/etc/pam.d
    Original /etc/nsswitch.conf from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/etc
    Original /usr/local/etc/openldap/ldap.conf from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc/openldap
    Original /usr/local/etc/ldap.conf from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc
    Original /usr/local/etc/nss_ldap.conf from jail stored into: /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc
    Make sure that you have pam_mkhomedir nss_ldap pam_ldap installed in your jail
    % cbsd jexec jname=jldap finger oleg
    Login: oleg                             Name: oleg ginzburg
    Directory: /home/oleg                   Shell: /bin/csh
    Last login Thu Apr 17 17:46 (MSK) on pts/20 from
    No Mail.
    No Plan.

    Deactivation and test:

    root@home:~ # cbsd ldapize jname=jldap mode=deinstall
    Original /etc/pam.d/sshd from /usr/jails/jails-system/jldap/module-ldapize/etc/pam.d restored
    Original /etc/nsswitch.conf from /usr/jails/jails-system/jldap/module-ldapize/etc restored
    Original /usr/local/etc/openldap/ldap.conf from /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc/openldap restored
    Original /usr/local/etc/ldap.conf from /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc restored
    Original /usr/local/etc/nss_ldap.conf from /usr/jails/jails-system/jldap/module-ldapize/usr/local/etc restored
    % cbsd jexec jname=jldap finger oleg
    finger: oleg: no such user