我正在将密封的 MSA 从使用 迁移pam_ldap到pam_sss(sssd-ldap)。但是,pam_sss 似乎在对没有 的用户进行身份验证时遇到了麻烦uidNumbers。我曾以为 ldap_user_object_class从更改posixAccount为top可以解决这个问题,但事实并非如此。具有 uidNumbers 的用户似乎没问题。虽然可以预料 sssd 需要 uidNumbers nss,但我不明白为什么 需要它们pam。
系统日志设施认证:
Aug 6 11:23:03 centos7-msa-test saslauthd[644]: pam_sss(smtp:auth): received for user non-posix-user: 10 (User not known to the underlying authentication module)
# cat /etc/pam.d/smtp
#%PAM-1.0
auth sufficient pam_sss.so
account sufficient pam_sss.so
# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = pam
domains = example.com-ldap
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/example.com-ldap]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com, _srv_
ldap_user_object_class = top
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=users,dc=example,dc=com?onelevel?
ldap_group_search_base = ou=groups,dc=example,dc=com?onelevel?
ldap_schema = rfc2307bis
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt
$ ldapsearch -ZZ -h ldap.example.com -b ou=users,dc=example,dc=com -s one"(&(uid=non-posix-user)(objectClass=top))"
dn: uid=non-posix-user
objectClass: organizationalRole
objectClass: inetLocalMailRecipient
objectClass: simpleSecurityObject
objectClass: uidObject
cn: non-posix-user
mailLocalAddress: [email protected]
mailRoutingAddress: [email protected]
mailHost: mailstore.example.com
roleOccupant: uid=posixuser1,ou=users,dc=example,dc=com
roleOccupant: uid=posixuser2,ou=users,dc=example,dc=com
userPassword:: e1NBU0x9bm9uLXBvc2l4LXVzZXJARVhBTVBMRS5DT00K
uid: non-posix-user
答案1
目前,SSSD 仅处理系统用户,即具有 ID 的用户。ID 可以直接在 LDAP 中定义,也可以从 SID 派生。
抱歉,SSSD 目前不支持您的用例。