SLES12, authentication with PAM and LDAP

I want to set up an SSH server that can authenticate against an LDAP server. The LDAP server (OpenLDAP) is already running. Now I have installed a fresh SLES12SP1 server and set up the PAM modules following a few tutorials, but SLES is rarely used.

My installation steps were:
- install "pam_ldap" and "nss_ldap"
- edit the file "/etc/ldap.conf" and set the ldap-server and search-base

 host XXX.XX.XX.XX
 base dc=XXXX,dc=de

- edit the file "/etc/nsswitch.conf"

shadow: files ldap
passwd: files ldap
group:  files ldap

- edit "/etc/pam.d/sshd" and add the ldap entries

#%PAM-1.0
auth     required       pam_unix2.so
auth     sufficient     pam_ldap.so debug

account  required       pam_unix2.so
account  sufficient     pam_ldap.so debug

password required       pam_pwcheck.so
password sufficient     pam_ldap.so      use_authtok debug
password required       pam_unix2.so      use_first_pass use_authtok

session  required       pam_unix2.so
session  required       pam_limits.so
session  required       pam_env.so

That's it; now I should be able to get the LDAP user with

getent passwd XXX

But I get no result at all. ldapsearch works and I get the user, and the LDAP server is reachable. Did I forget something or make a mistake? I have been working on this all day and cannot find a solution. It does not look that complicated.

In case it helps, here are the logs:

LDAP server, messages:

2016-07-26T15:25:51.248330+02:00 LDAPServ slapd[2913]: conn=1338 op=2 SRCH base="dc=XXX,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ldaptest))"
2016-07-26T15:25:51.249119+02:00 LDAPServ slapd[2913]: conn=1338 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
2016-07-26T15:25:51.249381+02:00 LDAPServ slapd[2913]: <= bdb_equality_candidates: (objectClass) not indexed
2016-07-26T15:25:51.249646+02:00 LDAPServ slapd[2913]: <= bdb_equality_candidates: (objectClass) not indexed
2016-07-26T15:25:51.249905+02:00 LDAPServ slapd[2913]: <= bdb_equality_candidates: (uid) not indexed
2016-07-26T15:25:51.250205+02:00 LDAPServ slapd[2913]: conn=1338 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

SSH server, nscd

Tue Jul 26 15:25:51 2016 - 2551: handle_request: request received (Version = 2) from PID 2580
Tue Jul 26 15:25:51 2016 - 2551:    GETFDPW
Tue Jul 26 15:25:51 2016 - 2551: provide access to FD 8, for passwd
Tue Jul 26 15:25:51 2016 - 2551: handle_request: request received (Version = 2) from PID 2580
Tue Jul 26 15:25:51 2016 - 2551:    GETPWBYNAME (ldaptest)
Tue Jul 26 15:25:51 2016 - 2551: Haven't found "ldaptest" in password cache!
Tue Jul 26 15:25:51 2016 - 2551: add new entry "ldaptest" of type GETPWBYNAME for passwd to cache (first)
Tue Jul 26 15:26:11 2016 - 2551: pruning passwd cache; time 1469539571
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYUID entry "0", timeout 1469539696
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYNAME entry "ldaptest", timeout 1469539571
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYUID entry "51", timeout 1469539906
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYNAME entry "nobody", timeout 1469539906
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYNAME entry "root", timeout 1469539696
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYUID entry "65534", timeout 1469539906
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYNAME entry "postfix", timeout 1469539906
Tue Jul 26 15:26:26 2016 - 2551: pruning passwd cache; time 1469539586
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYUID entry "0", timeout 1469539696
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYNAME entry "ldaptest", timeout 1469539571
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYUID entry "51", timeout 1469539906
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYNAME entry "nobody", timeout 1469539906
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYNAME entry "root", timeout 1469539696
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYUID entry "65534", timeout 1469539906
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYNAME entry "postfix", timeout 1469539906
Tue Jul 26 15:26:26 2016 - 2551: remove GETPWBYNAME entry "ldaptest"
Tue Jul 26 15:26:26 2016 - 2551: freed 216 bytes in passwd cache
Tue Jul 26 15:26:43 2016 - 2551: handle_request: request received (Version = 2) from PID 2593
Tue Jul 26 15:26:43 2016 - 2551:    GETFDPW
Tue Jul 26 15:26:43 2016 - 2551: provide access to FD 8, for passwd
Tue Jul 26 15:26:43 2016 - 2551: handle_request: request received (Version = 2) from PID 2593
Tue Jul 26 15:26:43 2016 - 2551:    GETFDGR
Tue Jul 26 15:26:43 2016 - 2551: provide access to FD 10, for group
Tue Jul 26 15:26:43 2016 - 2551: handle_request: request received (Version = 2) from PID 2593
Tue Jul 26 15:26:43 2016 - 2551:    GETPWBYUID (4)
Tue Jul 26 15:26:43 2016 - 2551: Haven't found "4" in password cache!
Tue Jul 26 15:26:43 2016 - 2551: add new entry "4" of type GETPWBYUID for passwd to cache (first)
Tue Jul 26 15:26:43 2016 - 2551: add new entry "lp" of type GETPWBYNAME for passwd to cache
Tue Jul 26 15:26:43 2016 - 2551: handle_request: request received (Version = 2) from PID 2593
Tue Jul 26 15:26:43 2016 - 2551:    GETGRBYGID (7)
Tue Jul 26 15:26:43 2016 - 2551: Haven't found "7" in group cache!
Tue Jul 26 15:26:43 2016 - 2551: add new entry "7" of type GETGRBYGID for group to cache (first)
Tue Jul 26 15:26:43 2016 - 2551: add new entry "lp" of type GETGRBYNAME for group to cache
Tue Jul 26 15:26:43 2016 - 2551: handle_request: request received (Version = 2) from PID 2593
Tue Jul 26 15:26:43 2016 - 2551:    GETPWBYUID (9)
Tue Jul 26 15:26:43 2016 - 2551: Haven't found "9" in password cache!
Tue Jul 26 15:26:43 2016 - 2551: add new entry "9" of type GETPWBYUID for passwd to cache (first)
Tue Jul 26 15:26:43 2016 - 2551: add new entry "news" of type GETPWBYNAME for passwd to cache
Tue Jul 26 15:26:43 2016 - 2551: handle_request: request received (Version = 2) from PID 2593
Tue Jul 26 15:26:43 2016 - 2551:    GETGRBYGID (13)
Tue Jul 26 15:26:43 2016 - 2551: Haven't found "13" in group cache!
Tue Jul 26 15:26:43 2016 - 2551: add new entry "13" of type GETGRBYGID for group to cache (first)
Tue Jul 26 15:26:43 2016 - 2551: add new entry "news" of type GETGRBYNAME for group to cache

SSH server, messages

2016-07-26T15:29:35.444271+02:00 SSHServ sshd[2612]: Invalid user ldaptest from XXX.XXX.XXX.XXX
2016-07-26T15:29:35.448138+02:00 SSHServ sshd[2612]: input_userauth_request: invalid user ldaptest [preauth]
2016-07-26T15:29:35.453752+02:00 SSHServ sshd[2612]: Postponed keyboard-interactive for invalid user ldaptest from XXX.XXX.XXX.XXX port 59483 ssh2 [preauth]
2016-07-26T15:29:37.372348+02:00 SSHServ sshd[2612]: Postponed keyboard-interactive/pam for invalid user ldaptest from XXX.XXX.XXX.XXX port 59483 ssh2 [preauth]
2016-07-26T15:29:40.240791+02:00 SSHServ sshd[2614]: pam_ldap: error trying to bind as user "cn=ldaptest,o=XXXX,dc=XXX,dc=de" (Invalid credentials)
2016-07-26T15:29:40.244404+02:00 SSHServ sshd[2612]: error: PAM: User not known to the underlying authentication module for illegal user ldaptest from XXX.XXX.XXX.XXX
2016-07-26T15:29:40.244980+02:00 SSHServ sshd[2612]: Failed keyboard-interactive/pam for invalid user ldaptest from XXX.XXX.XXX.XXX port 59483 ssh2
2016-07-26T15:29:40.248708+02:00 SSHServ sshd[2612]: Postponed keyboard-interactive for invalid user ldaptest from XXX.XXX.XXX.XXX port 59483 ssh2 [preauth]
2016-07-26T15:29:41.929544+02:00 SSHServ sshd[2612]: error: Received disconnect from XXX.XXX.XXX.XXX: 13: Unable to authenticate [preauth]
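As an added illustration (not part of the question or of SLES), the following Python model applies Linux-PAM's simple control-flag rules (required, requisite, sufficient, optional) to the auth lines of the /etc/pam.d/sshd stack posted above, and to an assumed reordered variant. The module outcomes are assumptions: pam_unix2 is taken to fail for a user that exists only in LDAP, and pam_ldap to succeed for that user.

```python
"""Added example (not from the question): a simplified model of Linux-PAM
control-flag semantics, applied to the 'auth' lines of the question's
/etc/pam.d/sshd stack and to an assumed reordered variant."""

# Copied from the question's /etc/pam.d/sshd (auth facility only).
QUESTION_AUTH_STACK = """
auth     required       pam_unix2.so
auth     sufficient     pam_ldap.so debug
"""

# Assumed alternative ordering, for comparison only (not from the page).
REORDERED_AUTH_STACK = """
auth     sufficient     pam_unix2.so
auth     required       pam_ldap.so use_first_pass
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for the lines of one facility."""
    stack = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(parts) >= 3 and parts[0] == facility:
            stack.append((parts[1], parts[2], parts[3:]))
    return stack

def evaluate(stack, outcomes):
    """Walk the stack with Linux-PAM's simple-keyword rules. outcomes maps
    module file -> True (PAM_SUCCESS) or False (any error, PAM_USER_UNKNOWN
    included); a module missing from outcomes is treated as failing."""
    required_failed, any_success = False, False
    for control, module, _args in stack:
        ok = outcomes.get(module, False)
        if control in ("required", "requisite"):
            if not ok and control == "requisite":
                return False              # requisite failure ends the stack
            required_failed |= not ok     # required failure: keep going, but fail
            any_success |= ok
        elif control == "sufficient" and ok and not required_failed:
            return True                   # sufficient success short-circuits
        # optional modules and ignored failures do not change the outcome
    return any_success and not required_failed

# Assumed module outcomes: pam_unix2 cannot see a user that exists only in
# LDAP while pam_ldap can; a purely local user is the mirror image.
LDAP_ONLY_USER = {"pam_unix2.so": False, "pam_ldap.so": True}
LOCAL_USER = {"pam_unix2.so": True, "pam_ldap.so": False}

def auth_result(stack_text, outcomes):
    return evaluate(parse_stack(stack_text), outcomes)   # True == PAM_SUCCESS

if __name__ == "__main__":
    print(auth_result(QUESTION_AUTH_STACK, LDAP_ONLY_USER), auth_result(REORDERED_AUTH_STACK, LDAP_ONLY_USER))
```

The model is deliberately simplified (bracketed [value=action] controls and module-specific return codes are not modelled), but it is enough to show that with `required` placed before `sufficient`, the first module's verdict decides the outcome for an LDAP-only user, which is worth checking before reading the LDAP side of the logs.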