I am trying to set up login through LDAP and AD. User ID and group lookups work (`id my_user`). The problem appears when, for example, I try to log in over SSH with an AD/LDAP account.
From /var/log/auth.log:
May 18 14:12:24 ubuntu-server sshd[3658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10 user=my_user
May 18 14:12:24 ubuntu-server sshd[3658]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10 user=my_user
May 18 14:12:24 ubuntu-server sshd[3658]: pam_sss(sshd:auth): received for user my_user: 6 (Permission denied)
May 18 14:12:24 ubuntu-server sshd[3658]: pam_ldap: error trying to bind as user "uid=my_user,**ou=People**,dc=domain,dc=com" (Invalid credentials)
I think the problem is that PAM looks for the user in the OU People. The issue is that the OU People does not exist. How do I change this OU to a different one? It should be ou=user_ou,dc=domain,dc=com
I tried changing the base parameter in /etc/ldap.conf from dc=domain,dc=com to ou=user_ou,dc=domain,dc=com, but it did not work.
I am running Ubuntu 16.04.2 LTS.
/etc/krb5.conf

```ini
[libdefaults]
    default_realm = MY.DOMAIN.COM
    clockskew = 300

[realms]
    MY.DOMAIN.COM = {
        kdc = MY.DOMAIN.COM
        default_domain = MY.DOMAIN.COM
        admin_server = MY.DOMAIN.COM
    }

[domain_realm]
    .MY.DOMAIN.COM = MY.DOMAIN.COM

# section must be spelled [logging]; "[loggin]" is silently ignored by libkrb5
[logging]
    kdc = FILE:/var/log/krb5/krb4kdc.log
    # FILE needs the colon separator
    admin_server = FILE:/var/log/krb5/kadmin.log
    default = SYSLOG:NOTICE:DAEMON

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        external = sshd
        # pam_krb5 option is use_shmem
        use_shmem = sshd
        clockskew = 300
    }
```
/etc/ldap.conf

```
host ldap.domain.com
base dc=domain,dc=com
uri ldap://ldap.domain.com/
ldap_version 3
timelimit 30
bind_timelimit 30
bind_policy soft
pam_password md5
# with ssl no and an ldap:// uri, pam_ldap's simple bind sends the password unencrypted
ssl no
```
/etc/ldap/ldap.conf

```
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
URI ldap://ldap.domain.com
BASE dc=domain,dc=com
```
/etc/sssd/sssd.conf

```ini
[sssd]
config_file_version = 2
# only "default" is enabled; [domain/LDAP] below is never loaded
domains = default
services = nss, pam

[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.domain.com
ldap_id_use_start_tls = true
ldap_search_base = ou=user_ou,dc=my,dc=domain,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
auth_provider = krb5
chpass_provider = krb5
krb5_realm = MY.DOMAIN.COM
krb5_server = MY.DOMAIN.COM
krb5_kpasswd = MY.DOMAIN.COM
cache_credentials = true

# not listed in domains= above, so sssd ignores this section
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.foi.se
ldap_search_base = ou=user_ou,dc=my,dc=domain,dc=com
auth_provider = krb5
krb5_realm = MY.DOMAIN.COM
krb5_server = MY.DOMAIN.COM
cache_credentials = true
min_id = 5000
max_id = 25000
enumerate = false

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
```
/etc/nsswitch.conf

```
# passwd/group/shadow resolve through nss_ldap (libnss-ldap), not through sssd (sss)
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
protocols: files
services: files
ethers: files
rpc: files
netmasks: files
netgroup: nis
publickey: files
bootparms: files
automount: files ldap
aliases: files
sudoers: files sss
```
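The auth.log excerpt shows three PAM modules (pam_unix, pam_sss, pam_ldap) each rejecting the login, and the posted files configure two separate LDAP backends (libnss-ldap/libpam-ldap via /etc/ldap.conf, and sssd) with different search bases. The script below is an added example, not part of the original post, that cross-checks those inputs mechanically: it extracts which PAM modules failed and the container pam_ldap bound under, parses sssd.conf to compare that container with the enabled domain's `ldap_search_base`, flags domain sections that are defined but not enabled, and reports whether nsswitch.conf actually routes `passwd` through `sss`. All inputs are constructed, abridged inline copies of the posted text (assumption: the abridged copies keep the directives that matter), so nothing is read from /etc or /var/log.

```python
"""Cross-check the posted auth.log lines against /etc/ldap.conf, sssd.conf and nsswitch.conf.

All inputs are constructed inline copies (abridged) of the posted files; the script runs offline.
"""
import configparser
import re

AUTH_LOG = """\
May 18 14:12:24 ubuntu-server sshd[3658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10 user=my_user
May 18 14:12:24 ubuntu-server sshd[3658]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10 user=my_user
May 18 14:12:24 ubuntu-server sshd[3658]: pam_sss(sshd:auth): received for user my_user: 6 (Permission denied)
May 18 14:12:24 ubuntu-server sshd[3658]: pam_ldap: error trying to bind as user "uid=my_user,ou=People,dc=domain,dc=com" (Invalid credentials)
"""

LDAP_CONF = """\
host ldap.domain.com
base dc=domain,dc=com
uri ldap://ldap.domain.com/
ssl no
"""

SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = default
services = nss, pam

[domain/default]
ldap_search_base = ou=user_ou,dc=my,dc=domain,dc=com

[domain/LDAP]
ldap_search_base = ou=user_ou,dc=my,dc=domain,dc=com
"""

NSSWITCH_CONF = """\
passwd: files ldap
group: files ldap
shadow: files ldap
sudoers: files sss
"""

PAM_LINE = re.compile(r"sshd\[\d+\]: (?P<module>pam_\w+)(?:\([^)]*\))?: (?P<msg>.*)")
BIND_DN = re.compile(r'bind as user "(?P<dn>[^"]+)"')


def failing_pam_modules(log):
    """PAM modules that logged a failure or error for the sshd session."""
    mods = set()
    for line in log.splitlines():
        m = PAM_LINE.search(line)
        if m and re.search(r"failure|error", m["msg"]):
            mods.add(m["module"])
    return mods


def bind_dn_parent(log):
    """Container pam_ldap bound under (the bind DN minus its first RDN), or None."""
    for line in log.splitlines():
        m = BIND_DN.search(line)
        if m:
            return m["dn"].split(",", 1)[1]
    return None


def ldap_conf_value(text, key):
    """Value of a 'key value' directive in /etc/ldap.conf syntax (key is case-insensitive)."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip()
    return None


def sssd_domains(text):
    """(enabled domains, defined domains, {domain: ldap_search_base}) from sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    enabled = [d.strip() for d in cp["sssd"].get("domains", "").split(",") if d.strip()]
    sections = [s for s in cp.sections() if s.startswith("domain/")]
    defined = [s.split("/", 1)[1] for s in sections]
    bases = {s.split("/", 1)[1]: cp[s].get("ldap_search_base") for s in sections}
    return enabled, defined, bases


def nss_sources(text, database):
    """Lookup sources for one nsswitch.conf database, e.g. ['files', 'ldap']."""
    for line in text.splitlines():
        name, _, sources = line.partition(":")
        if name.strip() == database:
            return sources.split()
    return []


def findings(log, ldap_conf, sssd_conf, nsswitch):
    """(tag, detail) pairs for each inconsistency between the log and the three files."""
    out = []
    if {"pam_ldap", "pam_sss"} <= failing_pam_modules(log):
        out.append(("two-backends", "pam_ldap and pam_sss are both active in sshd's auth stack; keep one LDAP backend"))
    enabled, defined, bases = sssd_domains(sssd_conf)
    parent = bind_dn_parent(log)
    for dom in enabled:  # only enabled domains are consulted by sssd
        if parent and bases.get(dom) and parent.lower() != bases[dom].lower():
            out.append(("bind-dn-mismatch", f"pam_ldap bound under {parent}, but sssd domain {dom} searches {bases[dom]}"))
    for dom in defined:
        if dom not in enabled:
            out.append(("unused-domain", f"[domain/{dom}] is defined but missing from domains="))
    passwd = nss_sources(nsswitch, "passwd")
    if "sss" not in passwd:
        out.append(("nss-not-sss", f"passwd in nsswitch.conf lists {' '.join(passwd)}, not sss; sssd is not used for lookups"))
    if ldap_conf_value(ldap_conf, "ssl") == "no" and (ldap_conf_value(ldap_conf, "uri") or "").startswith("ldap://"):
        out.append(("cleartext-bind", "/etc/ldap.conf has ssl no with an ldap:// uri; the simple bind password crosses the wire in the clear"))
    return out


if __name__ == "__main__":
    for tag, detail in findings(AUTH_LOG, LDAP_CONF, SSSD_CONF, NSSWITCH_CONF):
        print(f"{tag}: {detail}")
```

Run against the posted text it reports five findings: two PAM LDAP backends in the same stack, pam_ldap binding under `ou=People,dc=domain,dc=com` while the enabled sssd domain searches `ou=user_ou,dc=my,dc=domain,dc=com`, an unused `[domain/LDAP]` section, `passwd` resolved by `ldap` rather than `sss`, and a cleartext simple bind. To reuse it on a live host, replace the inline constants with the contents of the real files.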