I use a single FreeBSD host at home to serve NFS, DNS, and LDAP within jails. These are my build steps and configuration details:

Primary FreeBSD domain
# cat /etc/rc.conf
# General
hostname="biff"
ifconfig_re0="DHCP"
sshd_enable="YES"
ntpd_enable="YES"
zfs_enable="YES"
pureftpd_enable="YES"

# NFS
# nfsd flags: -u/-t serve over UDP and TCP, -n 4 runs four server threads.
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4"
nfsv4_server_enable="YES"
# nfsuserd maps NFSv4 user@domain strings; the domain here must match the
# one configured on the NFSv4 clients.
nfsuserd_enable="YES"
nfsuserd_flags="-domain hillvalley"

# Jails for griff and buford
# Two loopback clones are created, but both "ezjail-admin create" lines
# below attach to lo1 (127.0.1.1 and 127.0.2.1) -- confirm whether buford
# was meant to sit on lo2.
cloned_interfaces="lo1 lo2"
ezjail_enable="YES"
# allow.raw_sockets lets the jails run ping/traceroute; it also relaxes the
# jail's network isolation, so remove it once the services are verified.
jail_griff_parameters="allow.raw_sockets=1"
jail_buford_parameters="allow.raw_sockets=1"

# pkg install sudo
# pkg install bash
# pkg install pam_ldap
# pkg install nss_ldap
# zpool create paulie /dev/ada2
# zpool add paulie mirror /dev/ada2 /dev/ada3
# pkg install ezjail
# service netif cloneup
# service ezjail start
# ezjail-admin install -p
# ezjail-admin create griff 'lo1|127.0.1.1,re0|192.168.1.102'
# ezjail-admin create buford 'lo1|127.0.2.1,re0|192.168.1.103'
# ezjail-admin start griff
# ezjail-admin start buford
BIND DNS jail - griff
# ezjail-admin console griff
# passwd
# tzsetup
# sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab
# sed -i .bak -e 's/127.0.0.1/127.0.1.1/g; s/localhost.my.domain/griff.my.domain griff/' /etc/hosts
# pkg install sudo
# pkg install bash
# pkg install pam_ldap
# pkg install nss_ldap
# pkg install bind99
# cat /usr/local/etc/namedb/named.conf
// Process paths for named; all relative file names resolve under "directory".
options {
	directory	"/usr/local/etc/namedb/working";
	pid-file	"/var/run/named/pid";
	dump-file	"/var/dump/named_dump.db";
	statistics-file	"/var/stats/named.stats";
	// Queries outside the zones below are forwarded to these upstream
	// resolvers (OpenDNS). Neither allow-recursion nor allow-query is set,
	// so BIND's built-in default (recursion for localnets and localhost)
	// applies; make the intended clients explicit, e.g.
	// allow-recursion { 192.168.1.0/24; 192.168.100.0/24; localhost; };
	// so the policy does not change if the jail is ever reachable from
	// outside the home network.
	forwarders { 208.67.222.222; 208.67.220.220; };
};

// Authoritative forward zone for the private "hillvalley" name.
zone "hillvalley" {
	type master;
	file "/usr/local/etc/namedb/hillvalley.db";
};

// Reverse zone for 192.168.1.0/24 (router, jails and LAN hosts).
zone "1.168.192.in-addr.arpa" {
	type master;
	file "/usr/local/etc/namedb/1.168.192.db";
};

// Reverse zone for 192.168.100.0/24 (the modem's subnet).
zone "100.168.192.in-addr.arpa" {
	type master;
	file "/usr/local/etc/namedb/100.168.192.db";
};

# cat /usr/local/etc/namedb/hillvalley.db 
; Forward zone for hillvalley. Owner names without a trailing dot are
; relative to the zone origin (hillvalley.).
$TTL 3h
; SOA: primary name server, contact mailbox (paulie@griff.hillvalley), then
; serial, refresh, retry, expire and negative-cache TTL (seconds).
; The serial looks like YYYYMMDDnn -- bump it on every edit or secondaries
; and caches will not notice the change.
@	IN	SOA	griff.hillvalley. paulie.griff.hillvalley. (
	2017120700
	28800
	3600
	604800
	38400
)

hillvalley.	IN	NS	griff.hillvalley.

; Hosts; the trailing comment names the device and its owner/location.
; Every 192.168.1.x address here should have a matching PTR in 1.168.192.db.
flux		IN	A	192.168.100.1 ; Modem		(SB6120)
delorean	IN	A	192.168.1.1   ; Router		(ASUS RT-N66U)
biff		IN	A	192.168.1.101 ; NFS Server 	(FreeBSD 11.1)
griff		IN	A	192.168.1.102 ; DNS Server	(FreeBSD Jail)
buford		IN	A	192.168.1.103 ; LDAP Server	(FreeBSD Jail)
marty		IN	A	192.168.1.104 ; Workstation	(Paul)
doc		IN	A	192.168.1.105 ; MacBook Air	(Paul Home)
einstein	IN	A	192.168.1.106 ; iPhone 7	(Paul)
jennifer	IN	A	192.168.1.107 ; Galaxy S7	(Audrey)
lorraine	IN	A	192.168.1.108 ; Lenovo Laptop	(Audrey Home) 
goldie		IN	A	192.168.1.109 ; Nest 		(Thermostat)
clara		IN	A	192.168.1.110 ; Fire TV		(Home Theater)
maggie		IN	A	192.168.1.111 ; Boxee		(Home Theater)
marvin		IN	A	192.168.1.112 ; Nest Protect	(Upstairs)
strickland	IN	A	192.168.1.113 ; Fire TV 	(Bedroom)
peabody		IN	A	192.168.1.114 ; Fire TV Stick	(Exercise Room)
dave		IN	A	192.168.1.115 ; Nest Protect	(Basement)
linda		IN	A	192.168.1.116 ; Lenovo Laptop	(Audrey Work)
george		IN	A	192.168.1.117 ; MacBook Pro	(Paul Work)
copernicus	IN	A	192.168.1.118 ; Litter-Robot	(Fibonacci)
seamus		IN	A	192.168.1.119 ; Echo Spot	(Kitchen)
match		IN	A	192.168.1.120 ; Fire TV		(Bedroom)
skinhead	IN	A	192.168.1.121 ; Fire TV		(Home Theater)

# cat /usr/local/etc/namedb/1.168.192.db 
; Reverse zone for 192.168.1.0/24. Owner names are the last octet,
; relative to the origin 1.168.192.in-addr.arpa.
$TTL 3h
; SOA fields: primary, contact mailbox, serial (YYYYMMDDnn style),
; refresh, retry, expire, negative-cache TTL.
@	IN	SOA	griff.hillvalley. paulie.griff.hillvalley. (
	2017122200
	28800
	3600
	604800
	38400
)

; Blank owner: this NS record belongs to the previous owner (@).
	IN	NS	griff.hillvalley.

; Keep in step with hillvalley.db -- one PTR per 192.168.1.x A record.
1       IN      PTR     delorean.hillvalley.    ; Router        (ASUS RT-N66U)
101     IN      PTR     biff.hillvalley.        ; NFS Server    (FreeBSD 11.1)
102     IN      PTR     griff.hillvalley.       ; DNS Server    (FreeBSD Jail)
103     IN      PTR     buford.hillvalley.      ; LDAP Server   (FreeBSD Jail)
104     IN      PTR     marty.hillvalley.       ; Workstation   (Paul)
105     IN      PTR     doc.hillvalley.         ; MacBook Air   (Paul Home)
106     IN      PTR     einstein.hillvalley.    ; iPhone 7      (Paul)
107     IN      PTR     jennifer.hillvalley.    ; Galaxy S7     (Audrey)
108     IN      PTR     lorraine.hillvalley.    ; Lenovo Laptop (Audrey Home)
109     IN      PTR     goldie.hillvalley.      ; Nest          (Thermostat)
110     IN      PTR     clara.hillvalley.       ; Fire TV       (Home Theater)
111     IN      PTR     maggie.hillvalley.      ; Boxee         (Home Theater)
112     IN      PTR     marvin.hillvalley.      ; Nest Protect  (Upstairs)
113     IN      PTR     strickland.hillvalley.  ; Fire TV       (Bedroom)
114     IN      PTR     peabody.hillvalley.     ; Fire TV Stick (Exercise Room)
115     IN      PTR     dave.hillvalley.        ; Nest Protect  (Basement)
116     IN      PTR     linda.hillvalley.       ; Lenovo Laptop (Audrey Work)
117     IN      PTR     george.hillvalley.      ; MacBook Pro   (Paul Work)
118	IN	PTR	copernicus.hillvalley.	; Litter-Robot	(Fibonacci)
119	IN	PTR	seamus.hillvalley.	; Echo Spot	(Kitchen)
120	IN	PTR	match.hillvalley.	; Fire TV	(Bedroom)
121	IN	PTR	skinhead.hillvalley.	; Fire TV	(Home Theater)

# cat /usr/local/etc/namedb/100.168.192.db 
; Reverse zone for 192.168.100.0/24; only the modem lives here.
$TTL 3h
; SOA fields: primary, contact mailbox, serial, refresh, retry, expire,
; negative-cache TTL. The serial is well behind the other two zones'
; YYYYMMDDnn values -- remember to bump it when this file changes.
@	IN	SOA	griff.hillvalley. paulie.griff.hillvalley. (
	2013021744
	28800
	3600
	604800
	38400
)

; Blank owner: the NS record inherits the previous owner (@).
	IN	NS	griff.hillvalley.
1	IN	PTR	flux.hillvalley.	; Modem	(Motorola SB6120)

# echo "named_enable=\"YES\"" >> /etc/rc.conf
# echo "sshd_enable=\"YES\"" >> /etc/rc.conf
# service named start
# service sshd start
# exit
OpenLDAP jail - buford
# ezjail-admin console buford
# passwd
# tzsetup
# sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab
# sed -i .bak -e 's/127.0.0.1/127.0.1.1/g; s/localhost.my.domain/buford.my.domain buford/' /etc/hosts
# pkg install sudo
# pkg install bash
# pkg install openldap-server
# pkg install pam_ldap
# pkg install nss_ldap
# slappasswd -h '{SHA}'
# cat /usr/local/etc/openldap/slapd.conf
# Schemas: nis.schema provides posixAccount/posixGroup/shadowAccount used by
# hillvalley.ldif; core/cosine/inetorgperson cover the person classes.
# (slapd.conf treats a line starting with whitespace as a continuation, so
# comments must begin in column 0.)
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/collective.schema
include /usr/local/etc/openldap/schema/openldap.schema

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

# back_mdb is the only backend used below; back_ldap is loaded but no
# "database ldap" is defined, so that moduleload can be dropped.
modulepath	/usr/local/libexec/openldap
moduleload	back_mdb
moduleload	back_ldap

# mdb database holding dc=buford,dc=hillvalley; maxsize is the map size in
# bytes (1 GiB).
database	mdb
maxsize		1073741824
suffix		"dc=buford,dc=hillvalley"
# rootdn bypasses every ACL. rootpw is the cleartext word "secret" here; put
# the {SHA} hash produced by the slappasswd step earlier in this setup in
# its place (rootpw {SHA}...), since this file is also reproduced in the
# write-up.
rootdn		"cn=admin,dc=buford,dc=hillvalley"
rootpw		secret
directory	/var/db/openldap-data
index	objectClass	eq
# No "access" directives: slapd's built-in default is "access to * by * read",
# which lets anonymous clients (the pam_ldap/nss_ldap lookups bind
# anonymously) read every attribute, userPassword included. Add, in this
# database section and before any catch-all rule:
#   access to attrs=userPassword by self write by anonymous auth by * none
#   access to * by * read

# cat /usr/local/etc/openldap/hillvalley.ldif 
# Base entry of the directory.
# NOTE(review): "bufford" in the o: value looks like a typo for "buford";
# the dc component and every other reference use a single f.
dn: dc=buford,dc=hillvalley
objectClass: dcObject
objectClass: organization
o: bufford.hillvalley
dc: buford

# Container for posixGroup entries.
dn: ou=groups,dc=buford,dc=hillvalley
objectClass: top
objectClass: organizationalunit
ou: groups

# Container for user accounts.
dn: ou=people,dc=buford,dc=hillvalley
objectClass: top
objectClass: organizationalunit
ou: people

# Primary group for the account below (gidNumber 1001).
dn: cn=world,ou=groups,dc=buford,dc=hillvalley
objectClass: top
objectClass: posixGroup
cn: world
gidNumber: 1001

# POSIX account for paulie (uid/gid 1001, bash from ports).
# userPassword is the cleartext word "secret"; load a hashed value instead
# (the output of slappasswd -h '{SHA}' as run earlier in this setup). Until
# slapd.conf gains an access rule for userPassword, slapd's default ACL lets
# anonymous clients read this attribute.
dn: uid=paulie,ou=people,dc=buford,dc=hillvalley
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
sn: Johnson
cn: Paul Johnson
gecos: Paul Johnson
displayName: Paul Johnson
mail: paulie@pauliesworld.org
uid: paulie
uidNumber: 1001
gidNumber: 1001
homeDirectory: /paulie
loginShell: /usr/local/bin/bash
userPassword: secret

# cat /etc/rc.conf
sshd_enable="YES"
# slapd listens on the local ldapi socket and on plain ldap:// on every
# address the jail holds (127.0.2.1 and 192.168.1.103 per the
# "ezjail-admin create buford" line). Simple binds from pam_ldap/nss_ldap
# therefore carry passwords unencrypted across the LAN: configure TLS in
# slapd.conf (TLSCertificateFile/TLSCertificateKeyFile) and have clients use
# "ssl start_tls" in ldap.conf, or at least bind the listener to the one
# LAN address instead of 0.0.0.0.
slapd_enable="YES" 
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
# service sshd start
# service slapd start
# ldapadd -x -W -H ldap://localhost -D cn=admin,dc=buford,dc=hillvalley -f /usr/local/etc/openldap/hillvalley.ldif
# exit

# cat /etc/pam.d/sshd
# sshd PAM stack with pam_ldap inserted ahead of pam_unix.
# auth: OPIE one-time passwords first; pam_ldap is "sufficient", so a
# successful LDAP bind ends the chain and local pam_unix is consulted only
# when LDAP rejects the user or is unavailable.
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn
auth            required        pam_unix.so             no_warn try_first_pass

# account: ignore_authinfo_unavail keeps logins working while the LDAP jail
# is down. "sufficient" here also means a successful LDAP account check
# skips pam_unix's account step, unlike /etc/pam.d/system, which uses
# "required". NOTE(review): the option is spelled "ignore_unknown_user" in
# /etc/pam.d/system and in pam_ldap's documentation -- confirm that
# "ignore_unknown" is recognised rather than silently ignored.
account         required        pam_nologin.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown
account         required        pam_unix.so

session         required        pam_permit.so

# password: changes go only to the local password database; LDAP passwords
# are not updated through this stack.
password        required        pam_unix.so             no_warn try_first_pass

# cat /etc/pam.d/system
# Default PAM stack for local services, with pam_ldap added.
# auth: pam_ldap is "sufficient" and uses try_first_pass so a password
# already collected by an earlier module is reused before prompting again;
# pam_unix remains the fallback. nullok permits local accounts that have an
# empty password.
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		sufficient	/usr/local/lib/pam_ldap.so   no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass nullok

# account: pam_ldap is "required" here, so LDAP account restrictions are
# enforced for LDAP users; ignore_unknown_user and ignore_authinfo_unavail
# let purely local users, and all users while buford is unreachable, fall
# through to pam_login_access/pam_unix.
account		required    	/usr/local/lib/pam_ldap.so   ignore_unknown_user ignore_authinfo_unavail
account		required	pam_login_access.so
account		required	pam_unix.so

# session: record last-login information; no_fail keeps it non-blocking.
session		required	pam_lastlog.so		no_fail

# password: only the local password database is updated.
password	required	pam_unix.so		no_warn try_first_pass

# cat /usr/local/etc/ldap.conf
# pam_ldap / nss_ldap client settings; the same file is copied into both
# jails below. The server is reached over plain ldap:// and no binddn is
# set, so lookups are anonymous and binds send the user's password in
# cleartext; add "ssl start_tls" (with tls_cacertfile) once slapd on buford
# has a certificate.
host 192.168.1.103
base dc=buford,dc=hillvalley
# bind_policy hard keeps retrying an unreachable server; the nss_reconnect_*
# limits below cap that so name-service lookups (and hence logins) do not
# hang for long when the buford jail is down.
bind_timelimit 10
bind_policy hard
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 1
nss_reconnect_maxconntries 1
# Users are matched on uid=<login> beneath base.
pam_login_attribute uid

# cat /etc/nsswitch.conf 
# Name-service order. "files" comes before "ldap" for passwd and group so
# root and other local accounts still resolve when the LDAP jail is
# unreachable; ldap supplies the entries published from buford.
group: files ldap
group_compat: nis
# Hosts: /etc/hosts first, then the griff BIND jail.
hosts: files dns
netgroup: compat
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

# cp /etc/nsswitch.conf /usr/jails/griff/etc/nsswitch.conf
# cp /etc/pam.d/sshd /usr/jails/griff/etc/pam.d/sshd
# cp /etc/pam.d/system /usr/jails/griff/etc/pam.d/system
# cp /usr/local/etc/ldap.conf /usr/jails/griff/usr/local/etc/ldap.conf
# cp /etc/nsswitch.conf /usr/jails/buford/etc/nsswitch.conf
# cp /etc/pam.d/sshd /usr/jails/buford/etc/pam.d/sshd
# cp /etc/pam.d/system /usr/jails/buford/etc/pam.d/system
# cp /usr/local/etc/ldap.conf /usr/jails/buford/usr/local/etc/ldap.conf


posted by paulie
13:10 PST - December 22, 2018
