I have spent a lot of time on this, and even got (Auth) Linux-LDAP-openLDAP verified OK. But I am blocked by AD. I can now switch from the root account to the user, but cannot log in with the password (pam_unix(sshd:auth): authentication failure). I will see whether I can turn on pam debugging and ask here. I want to list the detailed steps here to get help. I am not sure whether it is related to the userPassword (I have already set dsHeuristics to 000000001) or the unixUserPassword attribute, but I will keep investigating.
Windows Server 2012 R2 (AD) side: set up AD DS. Enabled SSL for AD. Installed Identity Management for UNIX and added the attributes (uidNumber, gidNumber, unixHomeDirectory) to the global catalog in the schema. Added several users (luser02, which is the bind user, luser03, luser04) and a group (unixGrp2), and set posixAccount/posixGroup on them respectively. To verify it, I can use ldapsearch on the target CentOS 6:
ldapsearch -x -H ldap://114.116.43.118:389 -D "CN=luser02,CN=Users,DC=kelamayi,DC=com" -b "DC=kelamayi,DC=com" -W sAMAccountName=luser03
# extended LDIF
#
# LDAPv3
# base <DC=kelamayi,DC=com> with scope subtree
# filter: sAMAccountName=luser03
# requesting: ALL
#

# luser03, Users, kelamayi.com
dn: CN=luser03,CN=Users,DC=kelamayi,DC=com
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: luser03
givenName: luser03
distinguishedName: CN=luser03,CN=Users,DC=kelamayi,DC=com
instanceType: 4
whenCreated: 20180824095929.0Z
whenChanged: 20180824103333.0Z
displayName: luser03
uSNCreated: 24826
memberOf: CN=unigGrp2,DC=kelamayi,DC=com
memberOf: CN=unixGrp,DC=kelamayi,DC=com
uSNChanged: 24861
name: luser03
objectGUID:: Q/Bx5j48CEWikaDPlHoyRw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131795783694428731
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA3G4iEdoCV++319XAWgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: luser03
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=kelamayi,DC=com
dSCorePropagationData: 16010101000000.0Z
uidNumber: 20003
gidNumber: 20001
unixHomeDirectory: /home/luser03
loginShell: /bin/bash

# search reference
ref: ldap://ForestDnsZones.kelamayi.com/DC=ForestDnsZones,DC=kelamayi,DC=com

# search reference
ref: ldap://DomainDnsZones.kelamayi.com/DC=DomainDnsZones,DC=kelamayi,DC=com

# search reference
ref: ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
I can also connect to AD over ldaps using the Java API. getent passwd works fine as well:
$ getent passwd luser03
luser03:*:20003:513:luser03:/home/luser03:/bin/bash
$ getent passwd 20002
luser02:*:20002:513:luser02:/home/luser02:/bin/bash
$ getent passwd 20003
luser03:*:20003:513:luser03:/home/luser03:/bin/bash
Linux (CentOS 6): I list the attachments below.
grep -v '^$\|^\s*\#' /etc/nslcd.conf:
binddn CN=luser02,CN=Users,DC=kelamayi,DC=com
bindpw Passw0rd
uid nslcd
gid ldap
uri ldap://114.116.43.118:389/
base dc=kelamayi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
filter passwd (objectClass=user)
filter group (objectClass=group)
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
map group uniqueMember member
grep -v '^$\|^\s*\#' /etc/openldap/ldap.conf:
base dc=kelamayi,dc=com
uri ldap://114.116.43.118:389/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
grep -v '^$\|^\s*\#' /etc/pam_ldap.conf:
base dc=kelamayi,dc=com
uri ldap://114.116.43.118:389/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
grep -v '^$\|^\s*\#' /etc/pam.d/system-auth:
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
grep -v '^$\|^\s*\#' /etc/pam.d/password-auth:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
grep -v '^$\|^\s*\#' /etc/nsswitch.conf:
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files ldap
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
Testing & debugging:
ssh -v [email protected]
nslcd -d
tail -f -n /var/log/secure
ssh log:
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
(here it pends for a while, about 10 seconds.)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
[email protected]'s password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
[email protected]'s password:
nslcd debug output. I do not know why there is "ldap_result() timed out" in the log before the password is even entered. (This performance problem has been solved by Stefan. Thanks to him!)
nslcd: DEBUG: add_uri(ldap://114.116.43.118:389/)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
nslcd: version 0.7.5 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [8b4567] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [8b4567] DEBUG: rebinding to ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com")
nslcd: [8b4567] ldap_result() timed out
nslcd: [8b4567] DEBUG: ldap_abandon()
nslcd: [8b4567] DEBUG: ldap_unbind()
nslcd: [7b23c6] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [7b23c6] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [3c9869] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [3c9869] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [3c9869] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [3c9869] DEBUG: ldap_result(): end of results
nslcd: [334873] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [334873] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [334873] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [334873] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [334873] DEBUG: ldap_result(): end of results
/var/log/secure:
Aug 24 19:42:07 ecs-c191-0006 sshd[2856]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=114.116.42.247 user=luser03
I tried to enable pam debugging by following "Turning on PAM debugging to syslog", but ran into another error while building:
patching file modules/pam_unix/pam_unix_passwd.c
Hunk #1 succeeded at 233 (offset -7 lines).
patching file modules/pam_unix/pam_unix.8.xml
patching file modules/pam_unix/passverify.c
Hunk #1 succeeded at 1088 (offset -7 lines).
patching file modules/pam_unix/passverify.h
patching file modules/pam_unix/support.c
Hunk #1 FAILED at 495.
1 out of 1 hunk FAILED -- saving rejects to file modules/pam_unix/support.c.rej
Answer 1
First of all, I would recommend testing the connection with getent passwd before changing the PAM configuration.
With your configuration I also suffered long wait times and occasional timeouts. I think this happens because you only define base dc=kelamayi,dc=com as the search base and no map-specific search bases.
base [MAP] DN
Specifies the base distinguished name (DN) to use as search base. This option may
be supplied multiple times and all specified bases will be searched.
A global search base may be specified or a MAP-specific one. If no MAP-specific
search bases are defined the global ones are used.
So, to speed up searches and prevent timeouts, you can (and probably should) define (at least) the following bases in /etc/nslcd.conf:
base passwd CN=Users,DC=kelamayi,DC=com
base group CN=unixGrp,DC=kelamayi,DC=com
base shadow CN=Users,DC=kelamayi,DC=com
See also https://arthurdejong.org/nss-pam-ldapd/setup for more information on setting up PAM with LDAP.
Update (2020-03-20): after learning more about PAM and LDAP, the problem might be that pam_unix.so tries to authenticate the user (via the nss facility) before pam_ldap.so is consulted. Order matters in the PAM configuration, so pam_ldap.so should probably come before pam_unix.so, or pam_localuser.so before pam_unix.so if the user is in /etc/passwd. I don't know why the nss-pam-ldapd website suggests this order. Switching to SSSD may be a good idea as well.
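As an added example (not part of the question or the answer above, and not code from the nss-pam-ldapd project), the following POSIX shell script checks the two things the answer points at: whether an nslcd.conf defines map-specific base lines for passwd, group and shadow, and whether pam_ldap.so or pam_unix.so comes first in a PAM service file's auth stack. The file contents it inspects are constructed samples modelled on the configuration posted in the question; the function names and the reordered auth stack are my own choices and assumptions, not something the page prescribes.

```shell
#!/bin/sh
# Added example, not from the original question, the answer or the
# nss-pam-ldapd project. Two checks for the two points the answer raises.
# Both take a file path, so they work on the constructed samples below or
# on the real /etc/nslcd.conf and /etc/pam.d/system-auth.

# nslcd_has_map_base FILE MAP: succeed (exit 0) when FILE contains a
# map-specific "base MAP DN" line (MAP is passwd, group or shadow).
nslcd_has_map_base() {
    grep -Eq "^[[:space:]]*base[[:space:]]+$2[[:space:]]+[^[:space:]]" "$1"
}

# pam_auth_order FILE: print which of pam_ldap.so / pam_unix.so appears
# first in the auth stack of a PAM service file: ldap-first, unix-first,
# or missing when either module has no auth line at all.
pam_auth_order() {
    ldap_line=$(grep -nE '^[[:space:]]*auth[[:space:]].*pam_ldap\.so' "$1" | head -n 1 | cut -d: -f1)
    unix_line=$(grep -nE '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$1" | head -n 1 | cut -d: -f1)
    if [ -z "$ldap_line" ] || [ -z "$unix_line" ]; then
        echo missing
    elif [ "$ldap_line" -lt "$unix_line" ]; then
        echo ldap-first
    else
        echo unix-first
    fi
}

# Constructed sample files in a scratch directory; nothing under /etc is touched.
SAMPLE_DIR=$(mktemp -d)

# nslcd.conf as posted in the question: only the global base.
SAMPLE_NSLCD_BEFORE="$SAMPLE_DIR/nslcd-before.conf"
cat > "$SAMPLE_NSLCD_BEFORE" <<'EOF'
uri ldap://114.116.43.118:389/
base dc=kelamayi,dc=com
filter passwd (objectClass=user)
EOF

# nslcd.conf with the map-specific bases the answer recommends.
SAMPLE_NSLCD_AFTER="$SAMPLE_DIR/nslcd-after.conf"
cat > "$SAMPLE_NSLCD_AFTER" <<'EOF'
uri ldap://114.116.43.118:389/
base dc=kelamayi,dc=com
base passwd CN=Users,DC=kelamayi,DC=com
base group CN=unixGrp,DC=kelamayi,DC=com
base shadow CN=Users,DC=kelamayi,DC=com
EOF

# auth stack as posted in system-auth: pam_unix.so runs before pam_ldap.so.
SAMPLE_PAM_BEFORE="$SAMPLE_DIR/system-auth-before"
cat > "$SAMPLE_PAM_BEFORE" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
EOF

# auth stack reordered as the answer suggests (assumed layout). pam_ldap.so is
# now the first module to see the password, so it gets try_first_pass;
# use_first_pass would fail there because no earlier module has asked yet.
SAMPLE_PAM_AFTER="$SAMPLE_DIR/system-auth-after"
cat > "$SAMPLE_PAM_AFTER" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_ldap.so try_first_pass
auth        sufficient    pam_unix.so nullok use_first_pass
auth        required      pam_deny.so
EOF

for f in "$SAMPLE_NSLCD_BEFORE" "$SAMPLE_NSLCD_AFTER"; do
    for map in passwd group shadow; do
        if nslcd_has_map_base "$f" "$map"; then
            echo "$f: map-specific base for $map present"
        else
            echo "$f: no map-specific base for $map (global base only)"
        fi
    done
done
echo "system-auth-before: $(pam_auth_order "$SAMPLE_PAM_BEFORE")"
echo "system-auth-after:  $(pam_auth_order "$SAMPLE_PAM_AFTER")"
```

Run the script as-is to see both checks against the samples, or call the two functions with /etc/nslcd.conf and /etc/pam.d/system-auth to inspect a real host. Reordering the auth stack changes which module prompts for the password, which is why the reordered sample swaps try_first_pass and use_first_pass between pam_ldap.so and pam_unix.so.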