We have enabled pam_access, and it correctly allows/denies users according to the existing rules. One of the rules looks up an LDAP-backed NIS netgroup
+ : @hostname-granted : ALL
Putting a triple into LDAP for the username
(,test_user,)
means that "test_user" will be granted access to the host.
nisNetgroup also supports memberNisNetgroup for nested netgroups. This works too, and users are looked up in the child group.
The problem we are running into is that if we specify another LDAP-backed posixGroup instead, the lookup cannot find any users, because it is looking for a netgroup and does not find that group.
We are using sssd, and these are the debug logs from the lookup
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=hostname-denied,ou=host access policy,ou=Groups,dc=demonware,dc=net] to attributes of [hostname-denied].
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding netgroup triple [(,test_user,)] to attributes of [hostname-denied].
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original members [test_group] to attributes of [hostname-denied].
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding members [test_group] to attributes of [hostname-denied].
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_save_netgroup] (0x0400): Storing info for netgroup hostname-denied
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_get_netgroups_next_base] (0x0400): Searching for netgroups with base [dc=example,dc=com]
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_print_server] (0x2000): Searching 192.168.1.2
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=test_group)(objectclass=nisNetgroup))][dc=example,dc=com].
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberNisNetgroup]
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nisNetgroupTriple]
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 3
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x2245480], connected[1], ops[0x2251ca0], ldap[0x22683f0]
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Oct 2 11:42:08 2015) [sssd[be[LDAP]]] [sdap_get_netgroups_process] (0x0400): Search for netgroups, returned 0 results.
When a posix group is set in a nisNetgroup, is there any way to get pam_access to look up the users in the posix group? I know I could add the posix group directly to the file pam_access references, but that is not a viable option.
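As an added illustration (not code from the original post, sssd or pam_access), the following Python models the lookup the debug log shows: a "+ : @netgroup : ALL" rule is resolved through nisNetgroupTriple and memberNisNetgroup, while a member whose entry is a posixGroup is searched with objectclass=nisNetgroup and therefore yields 0 results, so its members never match. The directory contents and the helper names are constructed assumptions.

```python
# Added example, not from the original post nor from sssd/pam_access: it
# models the netgroup lookup seen in the debug log with a constructed
# in-memory directory (names echo the post, contents are invented).
DIRECTORY = {
    "hostname-granted": {
        "objectClass": ["nisNetgroup"],
        "nisNetgroupTriple": ["(,test_user,)"],
        "memberNisNetgroup": ["child-netgroup", "test_group"],
    },
    "child-netgroup": {
        "objectClass": ["nisNetgroup"],
        "nisNetgroupTriple": ["(,nested_user,)"],
    },
    "test_group": {  # a posixGroup, as in the post
        "objectClass": ["posixGroup"],
        "memberUid": ["group_user"],
    },
}

def search_netgroup(cn):
    """Like sssd's filter (&(cn=<cn>)(objectclass=nisNetgroup)): an entry
    with the right cn but objectClass posixGroup is 0 results."""
    entry = DIRECTORY.get(cn)
    return entry if entry and "nisNetgroup" in entry["objectClass"] else None

def netgroup_users(cn, seen=None):
    """Users reachable from a netgroup, following memberNisNetgroup nesting."""
    seen = set() if seen is None else seen
    if cn in seen:  # guard against cyclic nesting
        return set()
    seen.add(cn)
    entry = search_netgroup(cn)
    if entry is None:  # 0 results: the member is not a netgroup
        return set()
    # triple is (host,user,domain); take the user field
    users = {t.strip("()").split(",")[1].strip()
             for t in entry.get("nisNetgroupTriple", [])}
    for child in entry.get("memberNisNetgroup", []):
        users |= netgroup_users(child, seen)
    return users

def evaluate_rule(rule, user):
    """One access.conf line such as '+ : @hostname-granted : ALL'. Returns
    'allow', 'deny', or None when the rule does not match this user."""
    perm, who, _origin = [f.strip() for f in rule.split(":")]
    if who.startswith("@"):
        matched = user in netgroup_users(who[1:])
    else:
        matched = who == "ALL" or who == user
    return None if not matched else ("allow" if perm == "+" else "deny")
```

Running evaluate_rule for "group_user" returns None (no match), which is the behaviour the post describes: the posixGroup member is invisible to the netgroup rule.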