In my homelab, I run an OpenLDAP server and services on the localhost use that to manage access and permissions related to network filesystems (e.g. NFSv4 and samba). I've previously done this by setting up slapd and running pam_ldap and nss_ldap as per FreeBSD docs. However, the boot time of my server had long sufferred due to slapd trying to run itself as user ldap:ldap which nss_ldap was attempting to find, would fail, and timeout after 5 minutes.
Recently I have found out about nss-pam-ldapd which tries to improve upon both nss_ldap and pam_ldap. I've found configuring nss-pam-ldapd to be much more robust in its response and I don't have to worry about timeouts and caches anymore.
As a bonus, the 4 minutes timeout that I used to get when starting one of the jails which depended on ldap on startup is gone too!
nss-pam-ldapd has fantastic documentation, and I followed it carefully to setup my /usr/local/etc/nslcd.conf file, paying special attention to bind_timelimit, timelimit, and reconnect_retrytime (see nslcd.conf(5) manpage).
uid nslcd
gid nslcd
uri ldap://topoli.home.lan/
ldap_version 3
base dc=home,dc=lan
#binddn cn=root,dc=home,dc=lan
#bindpw secret
bind_timelimit 3
timelimit 5
reconnect_retrytime 5
nss_initgroups_ignoreusers ALLLOCAL
Then setting up /etc/pam.d/system like so.
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so minimum_uid=10000
auth required pam_unix.so no_warn try_first_pass nullok
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so minimum_uid=10000
account required pam_unix.so
session required pam_lastlog.so no_fail
password required pam_unix.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so minimum_uid=10000
I have set the minimum uid to 10000 to reflect my slapd config.
To round it all out, here's my /usr/local/etc/slapd.conf.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_mdb
database mdb
maxsize 1073741824
suffix "dc=home,dc=lan"
rootdn "cn=root,dc=home,dc=lan"
rootpw secret
directory /var/db/openldap-data
index objectClass eq
index cn,uid,memberUid,uniqueMember,gidNumber pres,eq
logfile /var/log/slapd.log
loglevel none
Make sure to set your own access directives and mind the root user and password. When setting things up, I recommend starting with no access controls and adding them later.
Also my /usr/local/etc/openldap/ldap.conf.
BASE dc=home,dc=lan
URI ldap://topoli.home.lan
To find out what each line means, see slapd.conf(5) and ldap.conf(5).