Hey guys, I searched on stackexchange but couldn't find anything that solved my problem.
I'm trying to set up LDAP authentication on a CentOS 7 client, but I can't get it working and I don't know why. Here is some information.
I installed CentOS 7 cleanly.
I went into /etc/sysconfig/authconfig and changed
FORCELEGACY=no
to
FORCELEGACY=yes
so that authconfig does not use SSSD, because I won't be using TLS/SSL on my connection, which as far as I know is a requirement for using SSSD.
Then I ran authconfig-tui, which populated /etc/openldap/ldap.conf with:
SASL_NOCANON on
URI ldap://172.16.0.5:390
BASE dc=mosek,dc=zentyal
Now I went into /etc/nslcd.conf and filled it in by hand:
uid nslcd
gid ldap
uri ldap://172.16.0.5:390
ldap_version 3
base dc=mosek,dc=zentyal
binddn cn=zentyalro,dc=mosek,dc=zentyal
bindpw secret
scope sub
base group ou=Groups,dc=mosek,dc=zentyal
base passwd ou=Users,dc=mosek,dc=zentyal
base shadow ou=Users,dc=mosek,dc=zentyal
ssl no
I ran authconfig-tui again to make sure nslcd picked up the new configuration.
I checked that my /etc/nsswitch.conf is configured correctly:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
Then I tried to log in, but the system won't let me in. So I checked /var/log/messages and found:
Nov 27 12:48:01 localhost systemd: Starting Naming services LDAP client daemon....
Nov 27 12:48:01 localhost systemd: PID file /var/run/nslcd/nslcd.pid not readable (yet?) after start.
Nov 27 12:48:01 localhost nslcd[10991]: version 0.8.13 starting
Nov 27 12:48:01 localhost nslcd[10991]: accepting connections
Nov 27 12:48:01 localhost systemd: Started Naming services LDAP client daemon..
Nov 27 12:49:10 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:10 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:11 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:11 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:12 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:12 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:13 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:13 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:14 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:14 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:15 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:15 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:16 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:16 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:17 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:17 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:18 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:18 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:19 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:19 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:52:23 localhost nslcd[10991]: [7b23c6] <passwd="tomas"> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:52:23 localhost nslcd[10991]: [7b23c6] <passwd="tomas"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:52:26 localhost nslcd[10991]: [3c9869] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Nov 27 12:52:26 localhost nslcd[10991]: [334873] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Nov 27 12:52:26 localhost nslcd[10991]: [b0dc51] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Nov 27 12:53:59 localhost nslcd[10991]: [495cff] <passwd="tomas"> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:53:59 localhost nslcd[10991]: [495cff] <passwd="tomas"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:54:02 localhost nslcd[10991]: [e8944a] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Nov 27 12:54:02 localhost nslcd[10991]: [5558ec] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Nov 27 12:54:02 localhost nslcd[10991]: [8e1f29] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
My /var/log/secure looks like this:
Nov 27 12:37:34 localhost sshd[10926]: Invalid user tomas from 172.16.0.179
Nov 27 12:37:34 localhost sshd[10926]: input_userauth_request: invalid user tomas [preauth]
Nov 27 12:37:39 localhost sshd[10926]: pam_unix(sshd:auth): check pass; user unknown
Nov 27 12:37:39 localhost sshd[10926]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal
Nov 27 12:37:41 localhost sshd[10926]: Failed password for invalid user tomas from 172.16.0.179 port 37863 ssh2
Nov 27 12:37:44 localhost sshd[10926]: Connection closed by 172.16.0.179 [preauth]
Nov 27 12:52:23 localhost sshd[11004]: Invalid user tomas from 172.16.0.179
Nov 27 12:52:23 localhost sshd[11004]: input_userauth_request: invalid user tomas [preauth]
Nov 27 12:52:26 localhost sshd[11004]: pam_unix(sshd:auth): check pass; user unknown
Nov 27 12:52:26 localhost sshd[11004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal
Nov 27 12:52:28 localhost sshd[11004]: Failed password for invalid user tomas from 172.16.0.179 port 38262 ssh2
Nov 27 12:52:30 localhost sshd[11004]: Connection closed by 172.16.0.179 [preauth]
Nov 27 12:53:59 localhost sshd[11014]: Invalid user tomas from 172.16.0.179
Nov 27 12:53:59 localhost sshd[11014]: input_userauth_request: invalid user tomas [preauth]
Nov 27 12:54:02 localhost sshd[11014]: pam_unix(sshd:auth): check pass; user unknown
Nov 27 12:54:02 localhost sshd[11014]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal
Nov 27 12:54:04 localhost sshd[11014]: Failed password for invalid user tomas from 172.16.0.179 port 38274 ssh2
Nov 27 12:54:06 localhost sshd[11014]: Connection closed by 172.16.0.179 [preauth]
Nov 27 13:18:38 localhost unix_chkpwd[11120]: check pass; user unknown
Nov 27 13:18:38 localhost unix_chkpwd[11120]: password check failed for user (tomas)
Nov 27 13:18:38 localhost sshd[11118]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal user=tomas
Nov 27 13:18:38 localhost unix_chkpwd[11121]: could not obtain user info (tomas)
Nov 27 13:18:38 localhost sshd[11118]: Failed password for tomas from 172.16.0.179 port 38466 ssh2
Nov 27 13:18:38 localhost sshd[11118]: fatal: Access denied for user tomas by PAM account configuration [preauth]
Nov 27 13:22:09 localhost unix_chkpwd[11143]: check pass; user unknown
Nov 27 13:22:09 localhost unix_chkpwd[11143]: password check failed for user (tomas)
Nov 27 13:22:09 localhost sshd[11141]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal user=tomas
Nov 27 13:22:09 localhost unix_chkpwd[11144]: could not obtain user info (tomas)
Nov 27 13:22:09 localhost sshd[11141]: Failed password for tomas from 172.16.0.179 port 38501 ssh2
Nov 27 13:22:09 localhost sshd[11141]: fatal: Access denied for user tomas by PAM account configuration [preauth]
I find this strange, because I have an Ubuntu client that connects fine to that address, 172.16.0.5:390.
I tried running nslcd in debug mode and then logging in again, and it is driving me crazy. When I try to log in:
$ ssh tomas@centosy
tomas@centosy's password:
Connection closed by 172.16.0.188
nslcd: [8b4567] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [8b4567] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [8b4567] <passwd="tomas"> (re)loading /etc/nsswitch.conf
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [7b23c6] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [7b23c6] <group/member="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [7b23c6] <group/member="tomas"> DEBUG: myldap_search(base="ou=Groups,dc=mosek,dc=zentyal", filter="(&(objectClass=posixGroup)(|(memberUid=tomas)(member=uid=tomas,ou=Users,dc=mosek,dc=zentyal)))")
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): cn=__USERS__,ou=Groups,dc=mosek,dc=zentyal
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): cn=Domain Admins,ou=Groups,dc=mosek,dc=zentyal
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): cn=staff,ou=Groups,dc=mosek,dc=zentyal
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): cn=admins,ou=Groups,dc=mosek,dc=zentyal
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): end of results (4 total)
nslcd: [3c9869] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [3c9869] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [3c9869] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [3c9869] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [334873] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [334873] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [334873] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [334873] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b0dc51] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [b0dc51] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [b0dc51] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [b0dc51] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [495cff] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [495cff] <authc="tomas"> DEBUG: nslcd_pam_authc("tomas","sshd","***")
nslcd: [495cff] <authc="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_rebind_proc()
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [495cff] <authc="tomas"> DEBUG: myldap_search(base="uid=tomas,ou=Users,dc=mosek,dc=zentyal", filter="(objectClass=*)")
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_rebind_proc()
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_simple_bind_s("uid=tomas,ou=Users,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_unbind()
nslcd: [495cff] <authc="tomas"> DEBUG: bind successful
nslcd: [495cff] <authc="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=shadowAccount)(uid=tomas))")
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [e8944a] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [e8944a] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_rebind_proc()
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [5558ec] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [5558ec] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [5558ec] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [5558ec] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [8e1f29] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [8e1f29] <authz="tomas"> DEBUG: nslcd_pam_authz("tomas","sshd","","harbinger.mosek.zentyal","ssh")
nslcd: [8e1f29] <authz="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_rebind_proc()
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [8e1f29] <authz="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=shadowAccount)(uid=tomas))")
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
It is as if nslcd can only connect to the LDAP server in debug mode. When I try to start nslcd normally it fails because it can't connect to the server, but as you can see, when it is in debug mode it connects fine.
What could be wrong?
Answer 1
This is what we do on our own boxes, so be aware that it may not apply to your setup.
Some notes:
- ldap_tls_cacert: our server has a valid CA-signed certificate. If yours has a self-signed certificate (which is bad (tm) anyway), be sure to adjust this.
- We use LDAP to provide sudo rules; if you don't need that, you can leave it out.
- You may also want to set ldap_group_search_base and ldap_search_base to restrict sssd's searches to valid users/groups only. The same goes for ldap_sudo_search_base.
- Make sure to set ldap_user_member_of to match the group membership attribute on the user side of your directory server (groupmembership for eDirectory).
- Make sure to set ldap_access_filter to restrict access to your system. Otherwise all valid users can log in to your system.
- Check the user's LDAP data before looking for errors on the sssd or PAM side of the login process.
- Make sure /etc/sssd/sssd.conf has permissions 0600.
In our case, my user has the following attributes set for LDAP login:
objectClass: posixAccount
groupMembership: cn=group1,...
groupMembership: cn=group2,...
uid: fuero
uidNumber: 10000
gidNumber: 19999
homeDirectory: /home/fuero
/etc/sssd/sssd.conf
[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://your.ldap-server.tld:636
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=your-bind-user
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = your_password_hash
ldap_schema = rfc2307bis
cache_credentials = false
enumerate = false
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
Set up nsswitch.conf to use sssd:
# grep sss /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
services: files sss
netgroup: files sss
sudoers: files sss
Verify:
# id fuero
uid=100000(fuero) gid=19999(users) groups=20000(group1),20000(group2)
Set up PAM in /etc/pam.d/system-auth-ac; the pam_sss and pam_mkhomedir lines are the relevant ones:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_sss.so use_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so umask=0077
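An added example, not part of the answer or of the sssd project, that audits an sssd.conf for the points the answer lists: TLS on the LDAP URI, certificate verification, restricted search bases, ldap_access_filter and the 0600 file mode. The option names are real sssd options; the two sample configurations are constructed (one modelled on the answer's file with placeholder host and bind values, one weakened to the question's plain ldap:// address), and the defaults assumed for unset options are sssd's documented ones.

```python
"""Audit an sssd.conf against the hardening points listed in the answer above."""
import configparser
from typing import List, Optional, Tuple

# Constructed sample modelled on the answer's sssd.conf; host and bind values are placeholders.
ANSWER_LIKE_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://your.ldap-server.tld:636
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=your-bind-user
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = your_password_hash
ldap_schema = rfc2307bis
cache_credentials = false
enumerate = false

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
"""

# Constructed weak variant: plain ldap:// on the question's address, and no certificate check.
WEAK_CONF = ANSWER_LIKE_CONF.replace(
    "ldaps://your.ldap-server.tld:636", "ldap://172.16.0.5:390"
).replace("ldap_tls_reqcert = demand", "ldap_tls_reqcert = never")

Finding = Tuple[str, str]  # (option the finding is about, explanation)


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; option names are case-sensitive and '=' is the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_sssd_conf(text: str, file_mode: Optional[int] = None, domain: str = "default") -> List[Finding]:
    """Return weak or missing settings; file_mode is the permission bits of sssd.conf (st_mode)."""
    cp = parse_sssd_conf(text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        return [(section, "domain section is missing")]
    d = cp[section]
    out: List[Finding] = []
    uri = d.get("ldap_uri", "")
    # Assumed defaults for unset options (start_tls false, reqcert hard) follow the sssd-ldap man page.
    starttls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
    if not uri.startswith("ldaps://") and not starttls:
        out.append(("ldap_uri", "plain ldap:// without STARTTLS: bind and user passwords cross the network in clear"))
    if d.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
        out.append(("ldap_tls_reqcert", "server certificate is not verified; set it to demand"))
    if "ldap_tls_cacert" not in d and (uri.startswith("ldaps://") or starttls):
        out.append(("ldap_tls_cacert", "no CA bundle named; verification relies on the system trust store"))
    for opt in ("ldap_search_base", "ldap_group_search_base"):
        if opt not in d:
            out.append((opt, "unset: lookups are not limited to the valid user/group subtrees"))
    if d.get("access_provider") == "ldap" and "ldap_access_filter" not in d:
        out.append(("ldap_access_filter", "unset: nothing restricts which directory users may log in here"))
    if "ldap_default_authtok" in d and d.get("ldap_default_authtok_type", "password") == "password":
        out.append(("ldap_default_authtok", "bind password stored in clear text in sssd.conf"))
    if file_mode is not None and file_mode & 0o077:
        out.append(("file_mode", f"mode {oct(file_mode & 0o777)} is readable by group/other; expected 0600"))
    return out
```

On a live host, pass `os.stat("/etc/sssd/sssd.conf").st_mode` as file_mode; the answer's own file still gets flagged for the unset search bases and access filter, which is exactly the list of things the notes ask you to add.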
Answer 2
The culprit seems to be systemd. Try running nslcd yourself and you will see that it works.
When you start nslcd with systemctl, it spawns a new process when you try to query nslcd. In messages I see:
Dec 3 19:53:33 myhostname nslcd[2227]: [8b4567] <passwd="myuser"> problem closing server socket (ignored): Bad file descriptor
Dec 3 19:53:33 myhostname nslcd[2227]: [8b4567] <passwd="myuser"> version 0.8.13 bailing out
I don't understand the root cause yet, but systemctl has something to do with it.
I have another system that was set up before this one and is working; its systemctl is from systemd-208-11.el7_0.2.x86_64, while the new system that does not work has systemd-208-11.el7_0.4.x86_64.
Answer 3
I solved the problem.
I just went into /etc/selinux/config and disabled SELinux by setting SELINUX=disabled.
A quick reboot and I could log in, no problem.