我正在关注这个教程https://mcwhirter.com.au/craige/blog/2005/Making-a-Debian-or-Ubuntu-Machine-an-LDAP-Authentication-Client/但在第一步之后:
apt-get install libpam-ldap libnss-ldap
它已经失败了:
您应该能够运行诸如“getent passwd”之类的命令
但 LDAP 用户没有出现。我不知道该怎么办。我花了一整天的时间试图了解问题所在,并仔细检查了所有内容,但我找不到答案。我该如何排除配置故障?
我按照其他教程:
- 检查您的 /var/log/messages 文件:LDAP 服务器上为空,PC 上不存在
测试基本连接:确定:
telnet 123.123.123.123 389 # on PC Trying 123.123.123.123... Connected to 123.123.123.123. Escape character is '^]'.
使用 ldapsearch 进行测试
我进行了不同的随机检查,但不确定其相关性。假设123.123.123.123
LDAP 服务器的 IP 是sub.domain.com
其完整域名:
ldapsearch -x -b 'dc=sub,dc=domain,dc=com' '(objectclass=*)' ### ON SERVER
ldap_bind: Inappropriate authentication (48)
additional info: anonymous bind disallowed
在 PC 上:
ldapsearch -x -b 'dc=sub,dc=domain,dc=com' '(objectclass=*)' ### ON CLIENT
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
@user5870571 的回答解释说我需要创建一个具有列出 LDAP 用户的权限的 LDAP 用户。但是我不明白这与我所遵循的教程有何关联,也不知道如何纠正这个问题。
在服务器端:
slaptest
返回
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
配置文件测试成功
根据您的要求,我非常乐意分享特定命令或文件内容的输出。
cat /etc/ldap.conf
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1
# The distinguished name of the search base.
base dc=sub,dc=domain,dc=com
# Another way to specify your LDAP server is to provide an
uri ldap://123.123.123.123
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=sub,dc=domain,dc=com
# The port.
# Optional: default is 389.
#port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind/connect timelimit
#bind_timelimit 30
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds
# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member
# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad
# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword
# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
答案1
您提供的错误告诉您,您正在尝试枚举存储在 LDAP 服务器中的用户,而无需向 LDAP 服务器进行身份验证。
ldap_bind: Inappropriate authentification (48)
additional info: anonymous bind disallowed
因此,您需要有一个帐户,LDAP 客户端可以使用它来向 LDAP 服务器进行身份验证,然后枚举 LDAP 用户。
答案2
我终于解决了我的问题。我想这是一个相当不寻常的问题:LDAP 服务器托管在 NAS(QNAP)上;NAS 的固件更新不知何故搞砸了 LDAP 数据库,导致一切看起来都很正常,只是客户端无法绑定用户及其 UID。
由于 LDAP 数据库不知何故损坏,降级固件没有帮助。解决我问题的方法是加载 LDAP 数据库的备份。
以下是我设置的步骤
- 我的 QNAP NAS 作为 LDAP 服务器
- 远程 PC(Ubuntu 16.04)作为客户端,
如果它可以帮助某人。免责声明:我对 LDAP 服务器几乎一无所知;natxo asenjo 推荐以下教程:http://www.zytrax.com/books/ldap/。
在 QNAP 服务器上: 这QNAP 教程非常清楚,而且非常直接。不要忘记在“域安全”菜单中启用 NAS 作为其自己的 LDAP 服务器的客户端。完整域名与实际浏览页面无关,如果您愿意,可以使用“mypage.johndoe”,当然,只要您与此名称保持一致即可。
在 PC 上(客户端)
sudo apt-get install ldap-auth-client
然后配置 ldap 地址(例如ldap://123.123.123.123/
)、搜索库名称dc=mypage,dc=johndoe
、LDAP 版本(3)、使本地根数据库成为管理员(我选择否)、LDAP 数据库是否需要登录(我选择否)。
sudo apt-get install libnss-ldapd
然后按Enter三次并选择aliases
。然后
sudo apt-get install libnss-ldapd
编辑/etc/nsswitch.conf
并修改以下字段以获得:
passwd: files ldap
group: files ldap
shadow: files ldap
(保留gshadow
为文件)。
getent passwd
现在应该在客户端上显示 LDAP 用户。
如果您输入了错误的参数在配置过程中,你可以使用以下命令重新配置sudo dpkg-reconfigure ldap-auth-config
或卸载软件包:
sudo apt-get remove --purge nameOfPackage
nameOfPackage
例如,其中ldap-auth-client
。该--purge
选项删除配置文件。