我做了什么:
已安装
libpam-ldapd设置
/etc/ldap/ldap.conf设置
/etc/ssh/ldap-keys.sh为root:root 0755,确认它有效(/etc/ssh/ldap_keys.sh amadan从 LDAP 返回我的公钥)。设立
/etc/nsswitch.conf:passwd,sudo现在shadow说compat ldap,和新线sudoers有ldap。设置
/etc/ssh/sshd_config:AuthorizedKeysCommand指向上述文件,AuthorizedKeysCommandUser指向新创建的专用用户设立
/usr/share/pam-configs/mkhomedir;运行pam-auth-update。
目前的情况是,当我尝试登录时,AuthorizedKeysCommand(/etc/ssh/ldap-keys.sh)永远不会运行。我也不知道我的其他配置是否正确,但由于总是sshd报告“无效用户”,所以我无法确定:
Oct 17 17:22:59 xxx sshd[86244]: Invalid user amadan from yyy
Oct 17 17:22:59 xxx sshd[86244]: input_userauth_request: invalid user amadan [preauth]
Oct 17 17:23:01 xxx sshd[86244]: Connection closed by yyy [preauth]
我知道我在做某物错了...但是什么?
编辑:相关的 PAM 设置:
# auth
auth [success=2 default=ignore] pam_unix.so nullok_secure debug
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass debug
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
# account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
account requisite pam_deny.so
account required pam_permit.so
编辑:strace摘录如下sshd:
open("/lib/x86_64-linux-gnu/security/pam_ldap.so", O_RDONLY|O_CLOEXEC) = 8
read(8, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\20\0\0\0\0\0\0"..., 832) = 832
fstat(8, {st_mode=S_IFREG|0644, st_size=26544, ...}) = 0
mmap(NULL, 2121744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 8, 0) = 0x7f58df52b000
mprotect(0x7f58df531000, 2093056, PROT_NONE) = 0
mmap(0x7f58df730000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 8, 0x5000) = 0x7f58df730000
close(8) = 0
mprotect(0x7f58df730000, 4096, PROT_READ) = 0
open("/lib/x86_64-linux-gnu/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 8
Strace 摘录自(在另一台服务器上)的工作sshd:
open("/lib/x86_64-linux-gnu/security/pam_ldap.so", O_RDONLY|O_CLOEXEC) = 8
read(8, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\37\0\0\0\0\0\0"..., 832) = 832
fstat(8, {st_mode=S_IFREG|0644, st_size=47792, ...}) = 0
mmap(NULL, 2142888, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 8, 0) = 0x7f8ef8a3c000
mprotect(0x7f8ef8a46000, 2097152, PROT_NONE) = 0
mmap(0x7f8ef8c46000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 8, 0xa000) = 0x
close(8) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=152262, ...}) = 0
mmap(NULL, 152262, PROT_READ, MAP_PRIVATE, 8, 0) = 0x7f8efcee1000
close(8) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2", O_RDONLY|O_CLOEXEC) = 8
在工作中sshd,pam_ldap.so调用libldap_r-2.4.so.2;在这个中,它没有;它退出而不做太多事情,并立即进入下一个 PAM 模块。我不知道为什么。
答案1
看起来名称服务缓存守护进程维护的缓存已经过时/未更新以反映新的 LDAP 设置。
sudo /etc/init.d/nscd restart
应该重新启动服务并更新缓存。