Solaris LDAP authentication


I have been trying to get my Solaris 10 server to authenticate against an eDir server, but I am running into trouble. I managed to set up my Linux (RHEL, SLES) servers to authenticate against the LDAP server and everything works fine.

Here are my configuration files.

ldapclient list:

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyuser,o=AEDev
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c22222233
NS_LDAP_SERVERS= 192.168.0.19
NS_LDAP_SEARCH_BASEDN= ou=auth,o=AEDev
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Groups,ou=auth,o=AEDev
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=users,ou=auth,o=AEDev?sub?objectClass=shadowAccount
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=auth,o=AEDev?sub?objectClass=posixAccount
NS_LDAP_BIND_TIME= 10
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple

getent passwd works fine:

root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
tlla:x:2012:100::/home/tlla:
test:x:2011:100::/home/test:
thato:x:2010:100::/home/thato:

PAM configuration file:

login auth sufficient pam_unix_auth.so.1 #server_policy
login auth sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass
login auth required pam_dial_auth.so.1

rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass

rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth sufficient pam_unix_auth.so.1 #server_policy
rsh auth sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass

passwd auth required pam_passwd_auth.so.1
passwd auth sufficient pam_unix_auth.so.1

ssh account sufficient pam_unix.so.1
ssh account sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass

other account requisite pam_roles.so.1
other account sufficient pam_unix_account.so.1
other account sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass

other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
other password sufficient pam_unix.so.1
other password sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass

Local authentication works, but LDAP authentication does not.

Answer 1

Hi all, thanks for your replies.

I found what was missing to complete the task of authenticating Solaris 10 against the LDAP server.

After looking at the log file that jlliagre pointed out, I picked up this entry on the directory server during authentication:

 Rejecting unencrypted bind on cleartext port in nds_back_bind, err = 13

That led me to this: disable the simple bind option.

After disabling "Require TLS for Simple Binds with Password", LDAP authentication on the client worked.
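The profile in the question (NS_LDAP_AUTH= simple, NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple, server given with no port) and the eDirectory log line in the answer (err = 13, which is the LDAP result code confidentialityRequired) fit together: the Solaris client sends the user's password in a simple bind on the cleartext port 389, and the server refuses it while "Require TLS for Simple Binds with Password" is on. The following is an added example, not code from the question or the answer. It parses an `ldapclient list`-style profile (a constructed copy of the one posted), models the server's accept/refuse decision, reports the findings, and prints the `ldapclient mod` command that moves both bind paths to tls:simple so the server's TLS requirement can stay enabled. The function names and the `server_bind_result` model are this example's own; the `authenticationMethod` and `serviceAuthenticationMethod` attribute names are the ones ldapclient(1M) accepts.

```python
"""Audit a Solaris 10 `ldapclient list` profile for cleartext simple binds.

Added example, not code from the original post. It re-creates the profile
from the question as a constructed string and models the decision the
eDirectory server in the answer made: a simple bind that carries a password
on the cleartext port (389) is refused with LDAP result code 13
(confidentialityRequired) while "Require TLS for Simple Binds with Password"
is enabled. Function names and the server model are this example's own.
"""

# Constructed copy of the profile shown in the question (password hash as posted).
SAMPLE_PROFILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyuser,o=AEDev
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c22222233
NS_LDAP_SERVERS= 192.168.0.19
NS_LDAP_SEARCH_BASEDN= ou=auth,o=AEDev
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
"""

LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13  # the "err = 13" in the eDirectory log line


def parse_profile(text):
    """Parse `ldapclient list` output into {key: [values]}; keys such as
    NS_LDAP_SERVICE_SEARCH_DESC may repeat, so every value is kept."""
    profile = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        profile.setdefault(key.strip(), []).append(value.strip())
    return profile


def server_bind_result(auth_method, port=389, require_tls_for_simple=True):
    """Model of the server-side check from the answer. Only a *simple* bind
    with a password on a cleartext port is refused; tls:* methods, LDAPS on
    636, SASL methods and anonymous binds pass this check (whether the
    credentials are valid is not modelled)."""
    method = auth_method.lower()
    if method.startswith("tls:") or port == 636:
        return LDAP_SUCCESS
    if method == "simple" and require_tls_for_simple:
        return LDAP_CONFIDENTIALITY_REQUIRED
    return LDAP_SUCCESS


def audit(profile):
    """Return a list of findings for the parsed profile."""
    findings = []
    auth = profile.get("NS_LDAP_AUTH", ["none"])[0]
    # pam_ldap's own method is the part after "pam_ldap:" in the service entry;
    # it falls back to NS_LDAP_AUTH when no service-specific method is set.
    svc = profile.get("NS_LDAP_SERVICE_AUTH_METHOD", [])
    pam_ldap = next((v.split(":", 1)[1] for v in svc if v.startswith("pam_ldap:")), auth)
    servers = profile.get("NS_LDAP_SERVERS", [])
    for label, method in (("NS_LDAP_AUTH", auth), ("pam_ldap", pam_ldap)):
        if method.lower() != "simple":
            continue
        findings.append(f"{label}=simple sends the bind password in cleartext")
        for srv in servers:
            host, _, p = srv.partition(":")
            port = int(p) if p else 389  # no port in the profile means 389
            if server_bind_result(method, port) == LDAP_CONFIDENTIALITY_REQUIRED:
                findings.append(f"{host}:{port} would refuse the {label} simple bind with err=13")
    if profile.get("NS_LDAP_CREDENTIAL_LEVEL", ["anonymous"])[0] == "anonymous" \
            and "NS_LDAP_BINDDN" in profile:
        findings.append("credentialLevel=anonymous: the proxy DN/password are not used for lookups")
    return findings


def harden(profile):
    """ldapclient(1M) command that switches both bind paths to tls:simple
    instead of turning the server's TLS requirement off. Assumes the server's
    CA certificate has already been imported into the client's /var/ldap
    certificate database."""
    cmd = ["ldapclient", "mod", "-a", "authenticationMethod=tls:simple"]
    if any(v.startswith("pam_ldap:") for v in profile.get("NS_LDAP_SERVICE_AUTH_METHOD", [])):
        cmd += ["-a", "serviceAuthenticationMethod=pam_ldap:tls:simple"]
    return " ".join(cmd)


if __name__ == "__main__":
    prof = parse_profile(SAMPLE_PROFILE)
    for finding in audit(prof):
        print("FINDING:", finding)
    print("FIX:", harden(prof))
```

Run against the constructed profile it reports the cleartext simple bind for both NS_LDAP_AUTH and pam_ldap, the err=13 refusal from 192.168.0.19:389, and the unused proxy credentials; with both methods changed to tls:simple only the credential-level note remains. On Solaris 10 the tls: methods use LDAP over SSL (port 636 by default), so the server's LDAPS port must be reachable and its CA certificate must be in the cert8.db/key3.db files under /var/ldap before the modified profile is applied.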
