LDAP configuration problem

I am trying to set up login through LDAP and AD. User ID and group lookups work (`id my_user` resolves). The problem appears, for example, when I try to log in over SSH with an AD/LDAP account.

From /var/log/auth.log:

    May 18 14:12:24 ubuntu-server sshd[3658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10 user=my_user
    May 18 14:12:24 ubuntu-server sshd[3658]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10 user=my_user
    May 18 14:12:24 ubuntu-server sshd[3658]: pam_sss(sshd:auth): received for user my_user: 6 (Permission denied)
    May 18 14:12:24 ubuntu-server sshd[3658]: pam_ldap: error trying to bind as user "uid=my_user,**ou=People**,dc=domain,dc=com" (Invalid credentials)

I think the problem is that pam looks for the user in the OU People. The trouble is that the OU People does not exist. How do I change this OU to a different one? It should be ou=user_ou,dc=domain,dc=com

I tried changing the base parameter in /etc/ldap.conf from dc=domain,dc=com to ou=user_ou,dc=domain,dc=com but it does not work.

I am running Ubuntu 16.04.2 LTS.

/etc/krb5.conf

    [libdefaults]
        default_realm = MY.DOMAIN.COM
        clockskew = 300

    [realms]
        MY.DOMAIN.COM = {
            kdc = MY.DOMAIN.COM
            default_domain = MY.DOMAIN.COM
            admin_server = MY.DOMAIN.COM
        }

    [domain_realm]
        .MY.DOMAIN.COM = MY.DOMAIN.COM

    # section name corrected from "[loggin]"; krb5 ignores unknown sections
    [logging]
        kdc = FILE:/var/log/krb5/krb4kdc.log
        # "FILE:" prefix was missing the colon
        admin_server = FILE:/var/log/krb5/kadmin.log
        default = SYSLOG:NOTICE:DAEMON

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            minimum_uid = 1
            external = sshd
            se_shmem = sshd
            clockskew = 300
        }

/etc/ldap.conf

    host ldap.domain.com
    base dc=domain,dc=com
    uri ldap://ldap.domain.com/
    ldap_version 3
    timelimit 30
    bind_timelimit 30
    bind_policy soft
    pam_password md5
    ssl no

/etc/ldap/ldap.conf

    TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
    URI  ldap://ldap.domain.com
    BASE dc=domain,dc=com

/etc/sssd/sssd.conf

    [sssd]
    config_file_version = 2
    domains = default
    services = nss, pam

    [domain/default]
    id_provider = ldap
    ldap_uri = ldap://ldap.domain.com
    ldap_id_use_start_tls = true
    ldap_search_base = ou=user_ou,dc=my,dc=domain,dc=com
    ldap_tls_cacertdir = /etc/openldap/cacerts

    auth_provider = krb5
    chpass_provider = krb5
    krb5_realm = MY.DOMAIN.COM
    krb5_server = MY.DOMAIN.COM
    krb5_kpasswd = MY.DOMAIN.COM
    cache_credentials = true

    [domain/LDAP]
    id_provider = ldap
    ldap_uri = ldap://ldap.foi.se
    ldap_search_base = ou=user_ou,dc=my,dc=domain,dc=com

    auth_provider = krb5
    krb5_realm = MY.DOMAIN.COM
    krb5_server = MY.DOMAIN.COM
    cache_credentials = true

    min_id = 5000
    max_id = 25000
    enumerate = false

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3
    entry_cache_timeout = 300

    [pam]
    reconnection_retries = 3
    offline_credentials_expiration = 2
    offline_failed_login_attempts = 3
    offline_failed_login_delay = 5

/etc/nsswitch.conf

    passwd:     files ldap
    group:      files ldap
    shadow:     files ldap
    gshadow:    files

    hosts:      files mdns4_minimal [NOTFOUND=return] dns
    networks:   files dns

    protocols:  files
    services:   files
    ethers:     files
    rpc:        files
    netmasks:   files
    netgroup:   nis
    publickey:  files

    bootparms:  files
    automount:  files ldap
    aliases:    files

    sudoers:    files sss
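A small diagnostic, added here as an editor's example and not part of the question or any answer, that reads the log lines quoted above together with an /etc/ldap.conf in the same shape. It lists which PAM modules reported a failure (the excerpt shows pam_unix, pam_sss and pam_ldap all being consulted in turn, so both the SSSD stack and the legacy pam_ldap/nss_ldap stack are active on this host), extracts the DN pam_ldap tried to bind with, and checks whether that DN sits under the OU the administrator expects user entries to live in. The sample log and config are constructed from the question's text; the expected OU `ou=user_ou,dc=domain,dc=com` is the one the asker names. The DN handling is deliberately simple and does not cover escaped commas.

```python
"""Diagnose a PAM/LDAP login failure from auth.log plus the LDAP client config."""
import re

# Constructed sample: the four auth.log lines quoted in the question.
SAMPLE_AUTH_LOG = """\
May 18 14:12:24 ubuntu-server sshd[3658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10 user=my_user
May 18 14:12:24 ubuntu-server sshd[3658]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10 user=my_user
May 18 14:12:24 ubuntu-server sshd[3658]: pam_sss(sshd:auth): received for user my_user: 6 (Permission denied)
May 18 14:12:24 ubuntu-server sshd[3658]: pam_ldap: error trying to bind as user "uid=my_user,ou=People,dc=domain,dc=com" (Invalid credentials)
"""

# Constructed /etc/ldap.conf (pam_ldap/nss_ldap) in the question's shape.
SAMPLE_LDAP_CONF = """\
host ldap.domain.com
base dc=domain,dc=com
uri ldap://ldap.domain.com/
ldap_version 3
ssl no
"""

# "pam_xxx(service:type): authentication failure" or "pam_xxx: error ..."
FAILURE_RE = re.compile(r'\b(pam_[a-z0-9_]+)(?:\([^)]*\))?: (?:authentication failure|error)')
BIND_DN_RE = re.compile(r'bind as user "([^"]+)"')


def failing_modules(log_text):
    """PAM modules that reported a failure, in first-seen order, deduplicated."""
    seen = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def attempted_bind_dns(log_text):
    """DNs that pam_ldap tried to bind with, one per failed login line."""
    return BIND_DN_RE.findall(log_text)


def normalize_dn(dn):
    """Lower-case attribute types and trim whitespace around each RDN.
    Values keep their case; escaped commas are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.lower()}={value}")
    return ",".join(rdns)


def parent_dn(dn):
    """The container holding the entry: everything after the first RDN."""
    return normalize_dn(dn).split(",", 1)[1]


def is_under(dn, base):
    """True if dn equals base or lies somewhere below it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def parse_ldap_conf(text):
    """Parse the 'key value' lines of /etc/ldap.conf into a dict (keys lower-cased)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def diagnose(log_text, ldap_conf_text, expected_base):
    """Summarise which PAM modules failed and whether the DN pam_ldap used
    lives under the OU the administrator expects user entries in."""
    conf = parse_ldap_conf(ldap_conf_text)
    dns = attempted_bind_dns(log_text)
    report = {
        "modules": failing_modules(log_text),
        "bind_dn": dns[-1] if dns else None,
        "bind_parent": None,
        "configured_base": conf.get("base"),
        "dn_under_expected_ou": False,
    }
    if report["bind_dn"]:
        report["bind_parent"] = parent_dn(report["bind_dn"])
        report["dn_under_expected_ou"] = is_under(report["bind_dn"], expected_base)
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_AUTH_LOG, SAMPLE_LDAP_CONF,
                               "ou=user_ou,dc=domain,dc=com").items():
        print(f"{key}: {value}")
```

On the question's data the report shows the bind DN's parent is `ou=People,dc=domain,dc=com`, which is not under `ou=user_ou,dc=domain,dc=com`, while `base` in /etc/ldap.conf is still `dc=domain,dc=com`. The useful thing the module list adds is that pam_ldap is the last module to fail, so /etc/ldap.conf (not sssd.conf) is the file whose search base governs that bind; the nsswitch.conf above likewise sends passwd/group lookups to `ldap`, not `sss`.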
