我需要根据用户的 LDAP 组成员身份限制对主机的 ssh 访问。我想使用 sssd 的 ldap_access_filter 功能来实现这一点。这是我的 sssd.conf 文件:
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
[domain/default]
debug_level = 5
ldap_tls_reqcert = never
auth_provider = ldap
access_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=edurp,dc=com
ldap_group_member = uniquemember
#id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldaps://ldap0.la01.edurp.com/,ldaps://ldap1.la01.edurp.com/
ldap_chpass_uri = ldaps://ldap0.edurp.com/
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(object)(object))
krb5_realm = EXAMPLE.COM
krb5_kdcip = kerberos.example.com
ldap_access_filter = (|(memberOf=cn=datateam,ou=group,dc=edurp,dc=com)(memberOf=cn=ctmtest,ou=group,dc=edurp,d c=com)(memberOf=cn=syseng,ou=group,dc=edurp,dc=com))
我的 nsswitch.conf 文件如下所示:
passwd: files sss
shadow: files sss
passwd_compat: sss
shadow_compat: sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: sss files
publickey: nisplus
automount: files ldap
aliases: files nisplus
所以我在 /var/log/sssd/ 中看到的错误消息
(Wed Jun 25 12:25:36 2014) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Wed Jun 25 12:25:36 2014) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [6][default]
(Wed Jun 25 12:25:36 2014) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [6][default]
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobdog]
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): user: bobdog
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: 10.65.6.65
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): authtok size: 0
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): priv: 1
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): cli_pid: 48404
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [sdap_access_filter_get_access_done] (0x0100): User [bobdog] was not found with the specified filter. Denying access.
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [6][default]
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [6][default]
在 /var/log/secure 中我看到:
Jun 25 12:29:37 vmtest0 sshd[48404]: pam_sss(sshd:account): Access denied for user bobdog: 6 (Permission denied)
Jun 25 12:29:37 vmtest0 sshd[48405]: fatal: Access denied for user bobdog by PAM account configuration
我被要求在该项目的客户机上使用 Oracle 6.5 Linux 和 openldap。ldap 服务器运行 dsee7。
谢谢您的任何建议。
答案1
如果没有 ,则id_provider sssd无法执行其任何nsswitch角色。所有sss用户和组解析都将失败。您可以使用 来查看此信息getent passwd bobdog。
我注意到你有两个不同的ldap_access_filter。虽然第一个看起来很糟糕,但它的最后一个值获胜,所以这更像是一个整洁问题。
ldap_access_filter = (&(object)(object))
ldap_access_filter = (|(memberOf=cn=datateam,ou=group,dc=edurp,dc=com)(memberOf=cn=ctmtest,ou=group,dc=edurp,dc=com)(memberOf=cn=syseng,ou=group,dc=edurp,dc=com))
此外,我不知道它是否dsee7支持memberof,但我怀疑它支持。值得再三检查。memberof通常是一个操作属性,因此您必须明确要求它ldapsearch -H ldaps://ldap0.la01.edurp.com/ -b dc=edurp,dc=com uid=bobdog memberof。。
通常,使用这种方法SRV RRs比使用显式主机更好。您已经依赖这种方法DNS进行名称解析了。
如果您有 kerberos KDC,您可能希望用作krb5您的auth_provider并使用sshd来AllowGroups限制访问。GSSAPI有时很方便。
允许群组
此关键字后面可以跟一组组名模式列表,以空格分隔。如果指定,则仅允许主组或补充组列表与其中一个模式匹配的用户登录。只有组名有效;数字组 ID 不被识别。默认情况下,允许所有组登录。允许/拒绝指令按以下顺序处理:拒绝用户,允许用户,拒绝群组,最后允许群组。
看图案在 ssh_config(5) 中获取有关模式的更多信息。