升级到 CentOS 6.4 (sssd) 后 LDAP 身份验证被破坏

tag-icon tag-icon linux centos ldap
升级到 CentOS 6.4 (sssd) 后 LDAP 身份验证被破坏

我有 OpenLDAP 服务器:

@(#) $OpenLDAP: slapd 2.4.23 (Aug  8 2012 16:29:21)

在我的配置中有组:

ldapsearch -x -b 'cn=groupname,ou=UnixShell,ou=Services,o=example,c=ru'
# extended LDIF
#
# LDAPv3
# base <cn=groupname,ou=UnixShell,ou=Services,o=example,c=ru> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# groupname, UnixShell, Services, example, ru
dn: cn=groupname,ou=UnixShell,ou=Services,o=example,c=ru
cn: groupname
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: cn=Name Second,ou=Sysadmins,ou=SoftwareDevelopment,ou=IT,ou=Accounts,o=example,c=ru

# search result
search: 2
result: 0 Success

和用户

# ldapsearch -x -b 'cn=Name Second,ou=Sysadmins,ou=SoftwareDevelopment,ou=IT,ou=Accounts,o=example,c=ru'
# extended LDIF
#
# LDAPv3
# base <cn=Name Second,ou=Sysadmins,ou=SoftwareDevelopment,ou=IT,ou=Accounts,o=example,c=ru> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Name Second, Sysadmins, SoftwareDevelopment, IT, Accounts, example, ru
dn: cn=Name Second,ou=Sysadmins,ou=SoftwareDevelopment,ou=IT,ou=Accounts,o=
 example,c=ru
homeDirectory: /home/user
loginShell: /bin/bash
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 15361
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
uid: user
uidNumber: 7000
cn: Name Second
gidNumber: 702

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

很长一段时间我在客户端服务器(CentOS 6.*)上使用 LDAP 身份验证,但有一次升级到 6.4 分支时,我的配置被破坏了。因为现在系统默认使用SSSD。

在 pam_ldap 中

pam_groupdn cn=groupname,ou=UnixShell,ou=Services,o=example,c=ru
pam_member_attribute uniquemember

但现在在 sssd.conf 中过滤器不起作用

access_provider = ldap
ldap_access_filter = memberOf=cn=groupname,ou=UnixShell,ou=Services,o=example,c=ru

我究竟做错了什么?当我通过 ssh 登录时找不到我的记录。在本地“su - user”工作。

sssd 日志错误

(Thu Mar 28 12:44:43 2013) [sssd[be[default]]] [sdap_access_filter_get_access_done] (0x0100): User [user] was not found with the specified filter. Denying access.

我用它来设置:

authconfig --enablemkhomedir --updateall --enablesssd --enablesssdauth --enableldap --enableldapauth --disablenis --disablekrb5 --disablecachecreds --disablecache  --ldaploadcacert=$certurl"

CentOS 版本 6.4(最终版)

!!!不要手动更改任何内容,仅更改系统实用程序!

# cat /etc/sssd/sssd.conf 
[domain/default]

ldap_uri = ldaps://ldap02.example.ru
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_id_use_start_tls = True
cache_credentials = False

ldap_search_base = o=example,c=ru
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

access_provider = ldap
ldap_access_filter = uniqueMember=cn=grouname,ou=UnixShell,ou=Services,o=example,c=ru

debug_level = 255
auth_provider = ldap
chpass_provider = ldap
[sssd]
services = nss, pam
config_file_version = 2

domains = default
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

答案1

我被这个问题困扰了很长时间。看起来,对于 CentOS6,他们将配置文件从 更改/etc/openldap/ldap.conf/etc/pam_ldap.conf.pam_groupdn如果您将信息放在那里,就会起作用。

$ cp /etc/openldap/ldap.conf /etc/pam_ldap.conf

或者您可以在两者之间创建一个符号链接。

相关内容