我配置了CentOs 7 上的 LDAP现在我正在尝试配置外部用户身份验证。浏览时我发现了这个:https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-ldap-pam.html这是针对 CentOS 5 的。
其他网站也表示你可以访问供测试用内容如下:
ssh my_LDAP_user@LDAP_hostname_or_IP:389
但对我来说不起作用。 CentOS 向我抛出了一个错误:
ssh: Could not resolve hostname hostname:389: Name or service not known
当我尝试不使用 389 时,会出现“权限被拒绝”的情况,并且我输入了正确的密码:
[root@localhost openldap]# ssh lolo@hostname
lolo@hostname's password:
Permission denied, please try again.
你知道吗任何提示或指导从这个洞里挪动一点?提前谢谢!
编辑:
这个想法是从外部登录到 LDAP。我必须检查一切是否顺利。你能为我提供一些指导吗?
nslcd 服务日志:
gen 19 19:30:57 localhost nslcd[7020]: [ad6f57] <authc="test"> failed to bind to LDAP server ldap://ldap.192.168.150.105:389/: Can't contact LDAP server
gen 19 19:30:57 localhost nslcd[7020]: [ad6f57] <authc="test"> no available LDAP server found: Can't contact LDAP server
authconfig——测试:
[root@localhost openldap]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldap://192.168.150.105/"
LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is disabled
krb5 realm = "#"
krb5 realm via dns is disabled
krb5 kdc = ""
krb5 kdc via dns is disabled
krb5 admin server = ""
pam_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldap://192.168.150.105/"
LDAP base DN = "dc=example,dc=com"
LDAP schema = "rfc2307"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = ""
smartcard removal action = ""
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_sss is disabled by default
credential caching in SSSD is enabled
SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
IPAv2 server = ""
IPAv2 realm = ""
IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
主要问题可能出Authenticate system accounts against network services is disabled在最后一行authconfig --test吗?在一些教程中它出现了但不是一个问题 :-/
答案1
给您一些建议:
- 禁用 selinux 并重新启动
# vi /etc/selinux/config selinux=disabled
- 停止 iptables
# systemctl stop iptables.service
- 您是否已创建一个 ldap 用户?(尝试以下指南http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=2)
- 编辑ssh 配置文件
PermitRootLogin yes UsePAM yes
- 检查日志/var/log/安全
答案2
我遇到了和你一样的问题,当我读到你的帖子时,我不知道该如何解决,但现在我解决了我的问题。这是我的解决方案:
nss-pam-ldapd如果之前没有安装,请安装:
[root@www ~]# yum -y install nss-pam-ldapd
禁用selinux并重新启动:
[root@ldap ~]# vi /etc/selinux/config
更改此行:selinux=disabled
执行authconfig:
#ldapserver=(LDAP server's hostname or IP address)
#ldapbasedn="dc=(your own domain name)"
[root@ldap ~]# authconfig --enableldap \
--enableldapauth \
--ldapserver=my.domain.world \
--ldapbasedn="dc=my,dc=domain,dc=world" \
--enablemkhomedir \
--update
getsebool: SELinux is disabled
如果您对 LDAP 使用 TLS,请不要忘记执行此操作:
[root@ldap ~]# authconfig --enableldaptls --update
getsebool: SELinux is disabled
也许我的解决方案也可以成为您的解决方案。:D