I use a single FreeBSD host at home to serve NFS, DNS, and LDAP within jails. These are my build steps and configuration details:
Primary FreeBSD domain
# cat /etc/rc.conf
# General
hostname="biff"
ifconfig_re0="DHCP"
sshd_enable="YES"
ntpd_enable="YES"
zfs_enable="YES"
pureftpd_enable="YES"
# NFS
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4"
nfsv4_server_enable="YES"
nfsuserd_enable="YES"
nfsuserd_flags="-domain hillvalley"
# Jails for griff and buford
cloned_interfaces="lo1 lo2"
ezjail_enable="YES"
jail_griff_parameters="allow.raw_sockets=1"
jail_buford_parameters="allow.raw_sockets=1"
# pkg install sudo
# pkg install bash
# pkg install pam_ldap
# pkg install nss_ldap
# zpool create paulie /dev/ada2
# zpool add paulie mirror /dev/ada2 /dev/ada3
# pkg install ezjail
# service netif cloneup
# service ezjail start
# ezjail-admin install -p
# ezjail-admin create griff 'lo1|127.0.1.1,re0|192.168.1.102'
# ezjail-admin create buford 'lo1|127.0.2.1,re0|192.168.1.103'
# ezjail-admin start griff
# ezjail-admin start buford
BIND DNS jail - griff
# ezjail-admin console griff
# passwd
# tzsetup
# sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab
# sed -i .bak -e 's/127.0.0.1/127.0.1.1/g; s/localhost.my.domain/griff.my.domain griff/' /etc/hosts
# pkg install sudo
# pkg install bash
# pkg install pam_ldap
# pkg install nss_ldap
# pkg install bind99
# cat /usr/local/etc/namedb/named.conf
// named.conf for the griff jail (192.168.1.102): authoritative for the
// hillvalley zones below, forwarding everything else to the listed resolvers.
// NOTE(review): no listen-on, allow-query or allow-recursion is set, so named
// answers and recurses (through the forwarders) for any client that can reach
// the jail's address; for a LAN-only resolver the usual hardening is to scope
// recursion, e.g. `allow-recursion { 192.168.1.0/24; 192.168.100.0/24; };`.
options {
directory "/usr/local/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
forwarders { 208.67.222.222; 208.67.220.220; };
};
// Forward zone; the host comments in hillvalley.db amount to a device
// inventory of the home network.
// NOTE(review): none of the zones sets allow-transfer, so zone transfers fall
// back to this BIND version's default — confirm it is not "any", or add
// `allow-transfer { none; };` since there are no secondaries listed.
zone "hillvalley" {
type master;
file "/usr/local/etc/namedb/hillvalley.db";
};
// Reverse zone for 192.168.1.0/24 (delorean, biff and the jails live here).
zone "1.168.192.in-addr.arpa" {
type master;
file "/usr/local/etc/namedb/1.168.192.db";
};
// Reverse zone for 192.168.100.0/24 (only the modem, flux).
zone "100.168.192.in-addr.arpa" {
type master;
file "/usr/local/etc/namedb/100.168.192.db";
};
# cat /usr/local/etc/namedb/hillvalley.db
$TTL 3h
@ IN SOA griff.hillvalley. paulie.griff.hillvalley. (
2017120700
28800
3600
604800
38400
)
hillvalley. IN NS griff.hillvalley.
flux IN A 192.168.100.1 ; Modem (SB6120)
delorean IN A 192.168.1.1 ; Router (ASUS RT-N66U)
biff IN A 192.168.1.101 ; NFS Server (FreeBSD 11.1)
griff IN A 192.168.1.102 ; DNS Server (FreeBSD Jail)
buford IN A 192.168.1.103 ; LDAP Server (FreeBSD Jail)
marty IN A 192.168.1.104 ; Workstation (Paul)
doc IN A 192.168.1.105 ; MacBook Air (Paul Home)
einstein IN A 192.168.1.106 ; iPhone 7 (Paul)
jennifer IN A 192.168.1.107 ; Galaxy S7 (Audrey)
lorraine IN A 192.168.1.108 ; Lenovo Laptop (Audrey Home)
goldie IN A 192.168.1.109 ; Nest (Thermostat)
clara IN A 192.168.1.110 ; Fire TV (Home Theater)
maggie IN A 192.168.1.111 ; Boxee (Home Theater)
marvin IN A 192.168.1.112 ; Nest Protect (Upstairs)
strickland IN A 192.168.1.113 ; Fire TV (Bedroom)
peabody IN A 192.168.1.114 ; Fire TV Stick (Exercise Room)
dave IN A 192.168.1.115 ; Nest Protect (Basement)
linda IN A 192.168.1.116 ; Lenovo Laptop (Audrey Work)
george IN A 192.168.1.117 ; MacBook Pro (Paul Work)
copernicus IN A 192.168.1.118 ; Litter-Robot (Fibonacci)
seamus IN A 192.168.1.119 ; Echo Spot (Kitchen)
match IN A 192.168.1.120 ; Fire TV (Bedroom)
skinhead IN A 192.168.1.121 ; Fire TV (Home Theater)
# cat /usr/local/etc/namedb/1.168.192.db
$TTL 3h
@ IN SOA griff.hillvalley. paulie.griff.hillvalley. (
2017122200
28800
3600
604800
38400
)
IN NS griff.hillvalley.
1 IN PTR delorean.hillvalley. ; Router (ASUS RT-N66U)
101 IN PTR biff.hillvalley. ; NFS Server (FreeBSD 11.1)
102 IN PTR griff.hillvalley. ; DNS Server (FreeBSD Jail)
103 IN PTR buford.hillvalley. ; LDAP Server (FreeBSD Jail)
104 IN PTR marty.hillvalley. ; Workstation (Paul)
105 IN PTR doc.hillvalley. ; MacBook Air (Paul Home)
106 IN PTR einstein.hillvalley. ; iPhone 7 (Paul)
107 IN PTR jennifer.hillvalley. ; Galaxy S7 (Audrey)
108 IN PTR lorraine.hillvalley. ; Lenovo Laptop (Audrey Home)
109 IN PTR goldie.hillvalley. ; Nest (Thermostat)
110 IN PTR clara.hillvalley. ; Fire TV (Home Theater)
111 IN PTR maggie.hillvalley. ; Boxee (Home Theater)
112 IN PTR marvin.hillvalley. ; Nest Protect (Upstairs)
113 IN PTR strickland.hillvalley. ; Fire TV (Bedroom)
114 IN PTR peabody.hillvalley. ; Fire TV Stick (Exercise Room)
115 IN PTR dave.hillvalley. ; Nest Protect (Basement)
116 IN PTR linda.hillvalley. ; Lenovo Laptop (Audrey Work)
117 IN PTR george.hillvalley. ; MacBook Pro (Paul Work)
118 IN PTR copernicus.hillvalley. ; Litter-Robot (Fibonacci)
119 IN PTR seamus.hillvalley. ; Echo Spot (Kitchen)
120 IN PTR match.hillvalley. ; Fire TV (Bedroom)
121 IN PTR skinhead.hillvalley. ; Fire TV (Home Theater)
# cat /usr/local/etc/namedb/100.168.192.db
$TTL 3h
@ IN SOA griff.hillvalley. paulie.griff.hillvalley. (
2013021744
28800
3600
604800
38400
)
IN NS griff.hillvalley.
1 IN PTR flux.hillvalley. ; Modem (Motorola SB6120)
# echo "named_enable=\"YES\"" >> /etc/rc.conf
# echo "sshd_enable=\"YES\"" >> /etc/rc.conf
# service named start
# service sshd start
# exit
OpenLDAP jail - buford
# ezjail-admin console buford
# passwd
# tzsetup
# sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab
# sed -i .bak -e 's/127.0.0.1/127.0.2.1/g; s/localhost.my.domain/buford.my.domain buford/' /etc/hosts
# pkg install sudo
# pkg install bash
# pkg install openldap-server
# pkg install pam_ldap
# pkg install nss_ldap
# slappasswd -h '{SHA}'
# cat /usr/local/etc/openldap/slapd.conf
# slapd.conf for the buford jail (192.168.1.103): a single mdb database
# holding dc=buford,dc=hillvalley, loaded from hillvalley.ldif below.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# nis.schema supplies posixAccount/posixGroup/shadowAccount used by the LDIF.
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/collective.schema
include /usr/local/etc/openldap/schema/openldap.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_mdb
# NOTE(review): back_ldap is loaded but no "database ldap" uses it below;
# presumably a leftover and can be dropped.
moduleload back_ldap
database mdb
maxsize 1073741824
suffix "dc=buford,dc=hillvalley"
rootdn "cn=admin,dc=buford,dc=hillvalley"
# NOTE(review): the rootdn password is stored in cleartext even though
# `slappasswd -h '{SHA}'` was run above for exactly this purpose; paste that
# {SHA}... output here (or slappasswd's default, salted {SSHA} form) instead
# of "secret", and keep this file unreadable to anything but the slapd user.
rootpw secret
directory /var/db/openldap-data
# NOTE(review): no "access to" directives are present, so slapd applies its
# built-in default of read access for everyone, anonymous clients included.
# That exposes the userPassword values loaded from hillvalley.ldif to any host
# on the LAN and leaves users unable to change their own password. A minimal
# policy that still lets pam_ldap/nss_ldap work anonymously would be:
#   access to attrs=userPassword by self write by anonymous auth by * none
#   access to * by * read
index objectClass eq
# cat /usr/local/etc/openldap/hillvalley.ldif
dn: dc=buford,dc=hillvalley
objectClass: dcObject
objectClass: organization
o: buford.hillvalley
dc: buford
dn: ou=groups,dc=buford,dc=hillvalley
objectClass: top
objectClass: organizationalunit
ou: groups
dn: ou=people,dc=buford,dc=hillvalley
objectClass: top
objectClass: organizationalunit
ou: people
dn: cn=world,ou=groups,dc=buford,dc=hillvalley
objectClass: top
objectClass: posixGroup
cn: world
gidNumber: 1001
# The single user account; uidNumber/gidNumber 1001 match the "world" group.
# NOTE(review): LDIF requires a blank line between entries and none survive in
# this listing — confirm the file on disk has them before running ldapadd.
dn: uid=paulie,ou=people,dc=buford,dc=hillvalley
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
sn: Johnson
cn: Paul Johnson
gecos: Paul Johnson
displayName: Paul Johnson
mail: paulie@pauliesworld.org
uid: paulie
uidNumber: 1001
gidNumber: 1001
# Home directory presumably lives on the biff NFS export — confirm.
homeDirectory: /paulie
loginShell: /usr/local/bin/bash
# NOTE(review): cleartext password; slapd stores the attribute exactly as
# given, so use a `slappasswd` hash ({SHA} or, better, {SSHA}) here. With no
# ACLs in slapd.conf this attribute is also readable by any LDAP client.
userPassword: secret
# cat /etc/rc.conf
# rc.conf for the buford jail: sshd plus the OpenLDAP server.
sshd_enable="YES"
slapd_enable="YES"
# slapd listens on the local ldapi socket and on cleartext ldap:// on every
# address the jail owns (the jail restricts 0.0.0.0 to its own IPs).
# NOTE(review): there is no ldaps:// listener and no TLS configuration, so the
# simple binds pam_ldap performs from biff and griff (per the ldap.conf that
# is copied into each jail below) carry passwords unencrypted over the LAN.
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
# service sshd start
# service slapd start
# ldapadd -x -W -H ldap://localhost -D cn=admin,dc=buford,dc=hillvalley -f /usr/local/etc/openldap/hillvalley.ldif
# exit
# cat /etc/pam.d/sshd
# PAM stack for sshd: LDAP (buford) is consulted first, the local passwd
# database second. Copied unchanged into both jails below.
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
# Simple bind against the server in /usr/local/etc/ldap.conf; "sufficient"
# means a successful bind ends the auth stack here.
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth required pam_unix.so no_warn try_first_pass
account required pam_nologin.so
account required pam_login_access.so
# NOTE(review): "ignore_unknown" here differs from the "ignore_unknown_user"
# spelling used in /etc/pam.d/system below — confirm which one this pam_ldap
# build accepts so local-only users are not rejected by the account check.
account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown
account required pam_unix.so
session required pam_permit.so
# NOTE(review): pam_ldap is absent from the password stack, so passwd(1) for
# an LDAP user presumably goes to pam_unix only and cannot update the directory.
password required pam_unix.so no_warn try_first_pass
# cat /etc/pam.d/system
# PAM stack for local logins (login, su, ...): LDAP first, local accounts second.
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
# NOTE(review): nullok lets a local account with an empty password field log
# in; the stock FreeBSD file also carries it, but on a host that exports NFS
# and admits LDAP users it is worth dropping.
auth required pam_unix.so no_warn try_first_pass nullok
# Unlike /etc/pam.d/sshd this entry is "required": the ignore_* options keep an
# unreachable server or a non-LDAP user from failing the stack, but an LDAP
# account-check failure for a known LDAP user is fatal here.
account required /usr/local/lib/pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account required pam_login_access.so
account required pam_unix.so
session required pam_lastlog.so no_fail
password required pam_unix.so no_warn try_first_pass
# cat /usr/local/etc/ldap.conf
# pam_ldap/nss_ldap client settings, shared by biff and both jails (copied below).
# NOTE(review): the server is addressed by plain host (ldap:// on the default
# port) and no "ssl start_tls" / "ssl on" is set, so bind passwords cross the
# LAN unencrypted; fixing this also needs a TLS listener and certificate on
# the slapd side, which the buford rc.conf above does not configure.
host 192.168.1.103
base dc=buford,dc=hillvalley
# bind_policy hard keeps retrying a failed connection; the nss_reconnect_*
# values below are presumably what bounds that so logins and name lookups do
# not hang for long when the buford jail is down — confirm with the jail stopped.
bind_timelimit 10
bind_policy hard
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 1
nss_reconnect_maxconntries 1
# No binddn/bindpw is configured, so nss lookups are presumably made
# anonymously; this relies on slapd's default read-for-everyone ACL.
pam_login_attribute uid
# cat /etc/nsswitch.conf
group: files ldap
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
# cp /etc/nsswitch.conf /usr/jails/griff/etc/nsswitch.conf
# cp /etc/pam.d/sshd /usr/jails/griff/etc/pam.d/sshd
# cp /etc/pam.d/system /usr/jails/griff/etc/pam.d/system
# cp /usr/local/etc/ldap.conf /usr/jails/griff/usr/local/etc/ldap.conf
# cp /etc/nsswitch.conf /usr/jails/buford/etc/nsswitch.conf
# cp /etc/pam.d/sshd /usr/jails/buford/etc/pam.d/sshd
# cp /etc/pam.d/system /usr/jails/buford/etc/pam.d/system
# cp /usr/local/etc/ldap.conf /usr/jails/buford/usr/local/etc/ldap.conf
13:10 PST - December 22, 2018
