updated for FreeBSD 12.2

jails/config/atm/afp.conf

@@ -1,32 +1,63 @@
 ;
 ; Netatalk 3.x configuration file
-;
+; http://netatalk.sourceforge.net/3.1/htmldocs/afp.conf.5.html
 
 [Global]
 ; Global server settings
 hostname = atm
-hosts allow = 192.168.0.0/24,192.168.100.0/24
-afp listen = 0.0.0.0
+afp listen = ::
+mimic model = TimeCapsule6,106
+uam list = uams_guest.so uams_dhx2_passwd.so
+; locate uam # show all the uam modules
+
+force xattr with sticky bit = yes
+
 zeroconf = yes
+afpstats = yes
+
+ldap auth method = simple
+;ldap auth dn = cn=admin,dc=infra
+;ldap auth pw = notrequired
+ldap server = ldap.ahlawat.com
+
+ldap name attr = cn
+ldap userbase = ou=people,dc=infra
+ldap userscope = one
+ldap uuid attr = uidNumber
+
+ldap group attr = cn
+ldap groupbase = ou=group,dc=infra
+ldap groupscope = one
+;ldap uuid attr = gidNumber #this is used both for users and groups.
+
+; You can comment these 2 lines when your setup is working
+;log level = default:maxdebug,afpdaemon:maxdebug,logger:maxdebug,uamsdaemon:maxdebug
+log file = /var/log/afpd.log
+
+[default_for_all_vol]
+cnid scheme = dbd
+appledouble = ea
+ea = ad
 
 ; [Homes]
 ; basedir regex = /xxxx
 
-; [My AFP Volume]
-; path = /path/to/volume
-
-[Sharad Time Machine Volume]
+[Sharad]
 path = /mnt/sharad
+valid users = sharad
 time machine = yes
 
-[Rachna Time Machine Volume]
+[Rachna]
 path = /mnt/rachna
+valid users = rachna
 time machine = yes
 
-[Nivi Time Machine Volume]
+[Nivi]
 path = /mnt/nivi
+valid users = nivi
 time machine = yes
 
-[Rishabh Time Machine Volume]
+[Rishabh]
 path = /mnt/rishabh
+valid users = rishabh
 time machine = yes

jails/config/atm/afpd.service

@@ -0,0 +1,14 @@
+<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
+<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
+<service-group>
+    <name replace-wildcards="yes">%h</name>
+    <service>
+        <type>_afpovertcp._tcp</type>
+        <port>548</port>
+    </service>
+    <service>
+        <type>_device-info._tcp</type>
+        <port>0</port>
+        <txt-record>model=Xserve</txt-record>
+    </service>
+</service-group>

jails/config/atm/ldap.conf

@@ -0,0 +1,15 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE	ou=people,dc=infra
+URI	ldaps://ldap.ahlawat.com:636
+ssl start_tls
+tls_cacert /mnt/certs/cacert.pem
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never

jails/config/atm/netatalk

@@ -0,0 +1,3 @@
+auth    required        /usr/local/lib/pam_ldap.so     try_first_pass
+account required        /usr/local/lib/pam_ldap.so     try_first_pass
+session required        /usr/local/lib/pam_ldap.so

jails/config/atm/nslcd.conf

@@ -0,0 +1,142 @@
+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+uri ldaps://ldap.ahlawat.com:636
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The distinguished name of the search base.
+base ou=people,dc=infra
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=example,dc=com
+
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+#bindpw secret
+
+# The distinguished name to perform password modifications by root by.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# The default search scope.
+#scope sub
+scope one
+#scope base
+
+# Customize certain database lookups.
+#base   group  ou=Groups,dc=example,dc=com
+#base   passwd ou=People,dc=example,dc=com
+#base   shadow ou=People,dc=example,dc=com
+#scope  group  onelevel
+#scope  hosts  sub
+
+# Bind/connect timelimit.
+#bind_timelimit 30
+
+# Search timelimit.
+#timelimit 30
+
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+#idle_timelimit 3600
+
+# Use StartTLS without verifying the server certificate.
+ssl start_tls
+#tls_reqcert never
+
+# CA certificates for server certificate verification
+tls_cacertdir /mnt/certs
+tls_cacertfile /mnt/certs/cacert.pem
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Mappings for Services for UNIX 3.5
+#filter passwd (objectClass=User)
+#map    passwd uid              msSFU30Name
+#map    passwd userPassword     msSFU30Password
+#map    passwd homeDirectory    msSFU30HomeDirectory
+#map    passwd homeDirectory    msSFUHomeDirectory
+#filter shadow (objectClass=User)
+#map    shadow uid              msSFU30Name
+#map    shadow userPassword     msSFU30Password
+#filter group  (objectClass=Group)
+#map    group  member           msSFU30PosixMember
+
+# Mappings for Services for UNIX 2.0
+#filter passwd (objectClass=User)
+#map    passwd uid              msSFUName
+#map    passwd userPassword     msSFUPassword
+#map    passwd homeDirectory    msSFUHomeDirectory
+#map    passwd gecos            msSFUName
+#filter shadow (objectClass=User)
+#map    shadow uid              msSFUName
+#map    shadow userPassword     msSFUPassword
+#map    shadow shadowLastChange pwdLastSet
+#filter group  (objectClass=Group)
+#map    group  member           posixMember
+
+# Mappings for Active Directory
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map    passwd uid              sAMAccountName
+#map    passwd homeDirectory    unixHomeDirectory
+#map    passwd gecos            displayName
+#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map    shadow uid              sAMAccountName
+#map    shadow shadowLastChange pwdLastSet
+#filter group  (objectClass=group)
+
+# Alternative mappings for Active Directory
+# (replace the SIDs in the objectSid mappings with the value for your domain)
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
+#map    passwd uid           cn
+#map    passwd uidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map    passwd gidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map    passwd homeDirectory "/home/$cn"
+#map    passwd gecos         displayName
+#map    passwd loginShell    "/bin/bash"
+#filter group (|(objectClass=group)(objectClass=person))
+#map    group gidNumber      objectSid:S-1-5-21-3623811015-3361044348-30300820
+
+# Mappings for AIX SecureWay
+#filter passwd (objectClass=aixAccount)
+#map    passwd uid              userName
+#map    passwd userPassword     passwordChar
+#map    passwd uidNumber        uid
+#map    passwd gidNumber        gid
+#filter group  (objectClass=aixAccessGroup)
+#map    group  cn               groupName
+#map    group  gidNumber        gid

jails/config/atm/nsswitch.conf

@@ -0,0 +1,18 @@
+#
+# nsswitch.conf(5) - name service switch configuration file
+# $FreeBSD: releng/12.1/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
+#
+#group: compat
+group: files ldap
+group_compat: nis
+hosts: files dns
+netgroup: compat
+networks: files
+#passwd: compat
+passwd: files ldap
+passwd_compat: nis
+shells: files
+services: compat
+services_compat: nis
+protocols: files
+rpc: files

jails/config/atm/pam_ldap.conf

@@ -0,0 +1,17 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE	ou=people,dc=infra
+URI	ldaps://ldap.ahlawat.com:636
+ssl start_tls
+tls_cacert /mnt/certs/cacert.pem
+
+pam_login_attribute cn
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never

jails/config/atm/pkgp.conf

@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
     priority: 10
 }
 
-pkgp121: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+pkgp122: {
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
     mirror_type: "http",
     signature_type: "pubkey",
     pubkey: "/mnt/certs/poudriere.cert",

jails/config/atm/sshd

@@ -0,0 +1,28 @@
+#
+# $FreeBSD: releng/12.1/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
+#
+# PAM configuration for the "sshd" service
+#
+
+# auth
+auth		sufficient	pam_opie.so		no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn allow_local
+#auth		sufficient	pam_krb5.so		no_warn try_first_pass
+#auth		sufficient	pam_ssh.so		no_warn try_first_pass
+auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn
+auth		required	pam_unix.so		no_warn try_first_pass
+
+# account
+account		required	pam_nologin.so
+#account	required	pam_krb5.so
+account		required	pam_login_access.so
+account     required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user
+account		required	pam_unix.so
+
+# session
+#session	optional	pam_ssh.so		want_agent
+session		required	pam_permit.so
+
+# password
+#password	sufficient	pam_krb5.so		no_warn try_first_pass
+password	required	pam_unix.so		no_warn try_first_pass