强制 OpenLDAP 连接使用 STARTTLS 不允许用户登录

tag-icon tag-icon linux ubuntu ssh ldap openldap
强制 OpenLDAP 连接使用 STARTTLS 不允许用户登录

我有一个基本的OpenLDAP 服务器Ubuntu 16.04LTS可以完美地验证用户身份,但我真的想让它更安全,所以我决定使用 STARTTLS 和如何使用 STARTTLS 加密 OpenLDAP 连接教程帮助实现这一切。一切都很顺利,直到这一点,如下图所示:

导致我无法登录客户端的部分

在我按照上图所示操作后,ssh {user-on-openldap-server@localhost}它给了我一条错误信息:

Permission denied, please try again.
Permission denied (publickey,password).

笔记:在这种情况下,localhost 是我使用它的客户端机器如何在 Ubuntu 12.04 VPS 上使用 LDAP 对客户端计算机进行身份验证教程进行设置。

PS 有一条评论如何使用 STARTTLS 加密 OpenLDAP 连接教程我曾经在 OpenLDAP 上设置过 STARTTLS,其中用户似乎遇到了与我同样的问题,但他的评论没有答案,所以我希望他的评论能得到更多的关注,同时也能帮助我。 在此处输入图片描述

当我跑步的时候ldapsearch -H ldap://my-ip -x -b "dc=example,dc=com" -LLL -Z -d1 dn

以下是该命令的输出:

ldap_url_parse_ext(ldap://my-ip)
ldap_create
ldap_url_parse_ext(ldap://my-ip:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my-ip:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 108.75.66.244:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 4
ldap_result ld 0x55f5ab064a60 msgid 1
wait4msg ld 0x55f5ab064a60 msgid 1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid 1 all 1
** ld 0x55f5ab064a60 Connections:
* host: my-ip  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 18 23:57:55 2016


** ld 0x55f5ab064a60 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
   Empty
  ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid 1 all 1
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x55f5ab064a60 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x55f5ab064a60 0 new referrals
read1msg:  mark request completed, ld 0x55f5ab064a60 msgid 1
request done: ld 0x55f5ab064a60 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 4
ldap_result ld 0x55f5ab064a60 msgid 2
wait4msg ld 0x55f5ab064a60 msgid 2 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid 2 all 1
** ld 0x55f5ab064a60 Connections:
* host: my-ip  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 18 23:57:55 2016


** ld 0x55f5ab064a60 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
   Empty
  ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid 2 all 1
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x55f5ab064a60 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x55f5ab064a60 0 new referrals
read1msg:  mark request completed, ld 0x55f5ab064a60 msgid 2
request done: ld 0x55f5ab064a60 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 60 bytes to sd 4
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 18 23:57:55 2016


** ld 0x55f5ab064a60 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
   Empty
  ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 26 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 18 23:57:55 2016


** ld 0x55f5ab064a60 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
   Empty
  ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 35 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=admin,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 18 23:57:55 2016


** ld 0x55f5ab064a60 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
   Empty
  ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 36 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: ou=groups,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 18 23:57:55 2016


** ld 0x55f5ab064a60 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
   Empty
  ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 35 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: ou=users,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 18 23:57:55 2016


** ld 0x55f5ab064a60 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
   Empty
  ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 45 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=admin,ou=groups,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 18 23:57:55 2016


** ld 0x55f5ab064a60 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
   Empty
  ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 43 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=irc,ou=groups,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 18 23:57:55 2016


** ld 0x55f5ab064a60 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
   Empty
  ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 44 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=user,ou=groups,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 18 23:57:55 2016


** ld 0x55f5ab064a60 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
   Empty
  ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 47 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=ftp-alex,ou=users,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 18 23:57:55 2016


** ld 0x55f5ab064a60 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
   Empty
  ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 50 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=ftp-spencer,ou=users,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 18 23:57:55 2016


** ld 0x55f5ab064a60 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
   Empty
  ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x55f5ab064a60 0 new referrals
read1msg:  mark request completed, ld 0x55f5ab064a60 msgid 3
request done: ld 0x55f5ab064a60 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)

ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
ldap_free_connection: actually freed

提前致谢,亚历克斯

答案1

这是一个非常简单的修复,我只需libpam-ldapd在客户端安装,而不是libpam-ldap在客户端安装。一旦我运行它,它就会给我使用选项starttls

相关内容