
Native FreeBSD Kerberos/LDAP with FreeIPA/IDM

This technical guide details a new, significantly simplified method for integrating FreeBSD 15 with FreeIPA/IDM, leveraging FreeBSD 15's adoption of MIT Kerberos. Integration was previously a complex and fragile endeavor; this approach instead uses native components and lightweight daemons for robust Kerberos/LDAP authentication. It's popular on HN because it solves a persistent challenge for system administrators operating mixed OS environments, offering a practical, step-by-step solution.

Score: 5 · Comments: 0 · Highest Rank: #2 · 12h on Front Page · First Seen: Feb 18, 11:00 AM · Last Seen: Feb 18, 10:00 PM

The Lowdown

The article provides a detailed, step-by-step guide for integrating a FreeBSD 15 system with a FreeIPA/IDM server for centralized Kerberos and LDAP authentication. This new method marks a significant improvement over previous, more complex approaches, primarily due to FreeBSD 15's switch to native MIT Kerberos. The author credits Christian Hofstede-Kuhn for the foundational work, expanding on it with more detailed code snippets and additional improvements for personal documentation.

  • The integration leverages FreeBSD 15's transition from Heimdal to MIT Kerberos, simplifying the authentication stack.
  • It replaces previous complex setups that required recompiling custom packages and using resource-heavy daemons like sssd(8).
  • The new method uses the lightweight nslcd(8) daemon (from net/nss-pam-ldapd) for LDAP lookups.
  • Instructions cover configuring DNS, adding the FreeBSD host to FreeIPA, and setting up the Kerberos keytab (/etc/krb5.keytab).
  • Detailed steps are provided for krb5.conf and nslcd.conf creation, along with modifying nsswitch.conf for LDAP integration.
  • The guide includes configuring sshd(8) for GSSAPI authentication and setting up pam_mkhomedir.so for automatic home directory creation on first login.
  • It also demonstrates configuring sudo(8) and doas(1) for FreeIPA users and enabling console login with Kerberos authentication by modifying /etc/pam.d/system.
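As an added example (not code from the guide or from FreeBSD/FreeIPA), a POSIX sh script that verifies the pieces the summary lists after a host has been joined: the host keytab, LDAP lookups in nsswitch.conf, GSSAPI in sshd_config, and pam_mkhomedir.so in /etc/pam.d/system. It takes a root prefix argument so it can be exercised against constructed files; the file paths are assumed to be the standard ones named above.

```sh
#!/bin/sh
# Post-join sanity checks for a FreeBSD 15 host integrated with FreeIPA.
# Each check takes ROOT (normally "/") and returns 0 on success.
# Assumed paths: ROOT/etc/krb5.keytab, ROOT/etc/nsswitch.conf,
# ROOT/etc/ssh/sshd_config, ROOT/etc/pam.d/system.

# Host keytab must exist and be non-empty (ipa-getkeytab / ipa host-add output).
check_keytab() {
    [ -s "$1/etc/krb5.keytab" ]
}

# passwd and group must consult ldap (served locally by nslcd).
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1/etc/nsswitch.conf" \
            || return 1
    done
}

# sshd must accept Kerberos tickets via GSSAPI.
check_sshd() {
    grep -Eiq '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes' \
        "$1/etc/ssh/sshd_config"
}

# A session line must load pam_mkhomedir.so so first logins get a home dir.
check_mkhomedir() {
    grep -Eq '^[[:space:]]*session.*pam_mkhomedir\.so' "$1/etc/pam.d/system"
}

# Run all checks, print one status line each, return the number of failures.
check_all() {
    fails=0
    for c in keytab nsswitch sshd mkhomedir; do
        if "check_$c" "$1"; then
            echo "ok   $c"
        else
            echo "FAIL $c"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage on a real host: check_all /
```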

This updated integration strategy offers a more streamlined and robust way for FreeBSD systems to operate within FreeIPA-managed environments, addressing long-standing complexities with an elegant, native solution.