我有一个新的 ldap 设置,并且我正在尝试登录,无论是登录到机器的目录还是通过 SSH 远程登录。
当我尝试实际登录时,我的身份验证失败。
如果我以本地用户 (root) 登录,则成功。登录后,我可以轻松发出 su user 并切换到该用户。
运行 getent passwd 将返回所有有效用户。
有什么帮助吗?
日志显示:
Apr 10 11:50:00 ldaptest login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=user
Apr 10 11:50:00 ldaptest login: pam_ldap: error trying to bind (No such object)
Apr 10 11:50:03 ldaptest login: FAILED LOGIN 1 FROM (null) FOR user, Authentication failure
谢谢!
[root@ldaptest ~]# cat /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
sudoers: ldap
和
[root@ldaptest ~]# cat /etc/pam_ldap.conf
base dc=ops,dc=rm
rootbinddn cn=Directory Manager,dc=ops,dc=rm
uri ldaps://10.0.32.75
ssl no
TLS_REQCERT allow
tls_cacertdir /etc/openldap/cacerts
pam_password md5
suoders_base ou=Sudoers,dc=ops,dc=rm
和
[root@ldaptest ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
password sufficient pam_ldap.so use_authtok
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
和
[root@ldaptest ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
password sufficient pam_ldap.so use_authtok
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_ldap.so
最后……
[root@ldaptest ~]# cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
password sufficient pam_ldap.so use_authtok
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_ldap.so
答案1
required pam_deny.so
必须是每个部分的最后一行。