OpenLDAP authenticates LDAP user as the local admin account - Linux - Ubuntu 14


So I thought my LDAP was working fine, but today I went to log in and it authenticated me, yet it shows me as the local admin account; even whoami says so, and I have full root access just like the local user account.

Any ideas on what to look for?

Here is the output from logging in as donut, who is not a local user but has logged in before.

sysadmin@BASICTEMPLATE:~$ whoami
sysadmin
sysadmin@BASICTEMPLATE:~$ pwd
/home/donut

Output of tail -f /var/log/auth while logging in as donut

Oct  7 21:01:15 BASICTEMPLATE sshd[1871]: Accepted publickey for donut from 192.168.1.210 port 50472 ssh2: RSA 9c:a7:b6:3c:a8:2d:96:21:e8:d2:47:cb:6f:8f:a0:91
Oct  7 21:01:15 BASICTEMPLATE sshd[1871]: pam_unix(sshd:session): session opened for user donut by (uid=0)
Oct  7 21:01:15 BASICTEMPLATE systemd-logind[471]: New session 4 of user sysadmin.

My client setup:

Both client and server are Ubuntu Server 14.04

Client setup:

sudo su

apt-get update
apt-get install -y libpam-ldap nscd ldap-utils python-pip python-ldap libsasl2-dev python-dev libldap2-dev libssl-dev libnss-ldapd

##INSTALL STEPS###

#NOT LDAPI://, LDAP://
ldap://192.168.1.255

dc=freesoftwareservers,dc=com

{group,pass,shadow} (These options may not all show, manually edit /etc/nsswitch.conf if so)

ldap://192.168.1.255

dc=freesoftwareservers,dc=com

3

YES

NO

cn=admin,dc=freesoftwareservers,dc=com

PASSWORD

sed -i -r 's/(.*)(use_authtok)(.*)/\1\3/g' /etc/pam.d/common-password
grep 'pam_mkhomedir.so' /etc/pam.d/common-session > /dev/null || {

    cat >> /etc/pam.d/common-session <<EOF
session required    pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
}

sh -c 'echo "tls_reqcert never\nnss_initgroups_ignoreusers ALLLOCAL\nbind_timelimit 3\ntimelimit 3" >> /etc/nslcd.conf'

Edit:

sudo nano /etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Enable SSH RSA key lookup:

pip install ssh-ldap-pubkey
sh -c 'echo "AuthorizedKeysCommand /usr/local/bin/ssh-ldap-pubkey-wrapper\nAuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config' && service ssh restart

Restrict to group ServerAdmins:

sudo sh -c 'echo "auth    required    pam_access.so" >> /etc/pam.d/common-auth'
sudo sh -c 'echo "- : ALL EXCEPT root (admin) (wheel) (ServerAdmins): ALL EXCEPT  LOCAL" >> /etc/security/access.conf'

Grant the group ServerAdmins sudo access:

sudo visudo
# Members of the LDAP group ServerAdmins may run sudo
%ServerAdmins ALL=(root) ALL

/etc/init.d/nscd restart
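The pattern in the log above (pam_unix opens the session for donut, but whoami and systemd-logind report sysadmin, and sudo works as it does for the local account) is what a uidNumber collision produces: whoami calls getpwuid() on the effective UID, and with "passwd: compat ldap" the first match comes from /etc/passwd. The following diagnostic is an added example, not from the original post; it compares /etc/passwd with the full NSS view from getent passwd and reports LDAP users that reuse a local UID. The sample data is constructed to mirror the post (sysadmin local UID 1000, donut in LDAP with the same uidNumber), and getent only lists LDAP users if nslcd permits enumeration.

```python
#!/usr/bin/env python3
"""Report LDAP users whose uidNumber collides with a local account's UID.

Hypothetical diagnostic script (not part of the original post). It parses
passwd-format lines from /etc/passwd and from `getent passwd` (files plus
LDAP via NSS); any name present in getent but absent from /etc/passwd is
treated as coming from LDAP.
"""
import subprocess
from collections import defaultdict

# Constructed sample data modelled on the post: sysadmin is local UID 1000,
# donut is an LDAP entry carrying the same uidNumber.
SAMPLE_LOCAL = """root:x:0:0:root:/root:/bin/bash
sysadmin:x:1000:1000:sysadmin,,,:/home/sysadmin:/bin/bash
"""
SAMPLE_NSS = SAMPLE_LOCAL + """donut:*:1000:1000:donut:/home/donut:/bin/bash
alice:*:2001:2000:alice:/home/alice:/bin/bash
"""


def parse_passwd(text):
    """Return {name: uid} from passwd-format lines, skipping comments and
    the +/- compat entries that a 'compat' nsswitch setup may contain."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith(("#", "+", "-")):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users


def find_uid_collisions(local_text, nss_text):
    """Return {uid: (local_name, [ldap_names])} for every UID that a local
    account shares with one or more non-local (LDAP) accounts."""
    local = parse_passwd(local_text)
    local_by_uid = {uid: name for name, uid in local.items()}
    remote_by_uid = defaultdict(list)
    for name, uid in parse_passwd(nss_text).items():
        if name not in local:  # not in /etc/passwd, so it came from LDAP
            remote_by_uid[uid].append(name)
    return {uid: (local_by_uid[uid], names)
            for uid, names in remote_by_uid.items() if uid in local_by_uid}


def main():
    with open("/etc/passwd") as f:
        local_text = f.read()
    nss_text = subprocess.run(["getent", "passwd"], capture_output=True,
                              text=True, check=True).stdout
    for uid, (local_name, ldap) in sorted(find_uid_collisions(local_text, nss_text).items()):
        print(f"UID {uid}: local '{local_name}' is also used by LDAP user(s) {', '.join(ldap)}")


if __name__ == "__main__":
    main()
```

On the sample data the script reports UID 1000 shared by sysadmin and donut; on a real client, run it as root so /etc/passwd and getent return the complete picture.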
