我已经设法设置了 ldap 身份验证。但我无法让主目录在登录时自动挂载。
auto.master和auto.home存储在ldap中。
这是我的 sssd.conf:
[sssd]
config_file_version = 2
services = nss, sudo, pam, autofs
domains = default
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
ldap_search_base = dc=domain,dc=net
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
ldap_uri = ldaps://ldapsrv.domain.net
ldap_chpass_uri = ldaps://ldapsrv.domain.net
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 600
ldap_network_timeout = 3
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDOers,dc=domain,dc=net
debug_level = 9
#autofs
autofs_provider = ldap
ldap_autofs_search_base = dc=domain,dc=net
ldap_autofs_map_object_class = nisMap
ldap_autofs_entry_object_class = nisObject
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
[sudo]
debug_level = 9
[autofs]
debug_level = 9
我可以使用 ldap 凭据通过 sudo 登录,但无法挂载 ldap 服务器上由 nfs 共享的 homedir。
看来它从 ldap 读取了 auto.master,但在尝试了 ldap 和 ldaps 之后失败了。
lookup_nss_read_map: reading map ldap ldap:nisMapName=auto.home,domain.net
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "ldap:nisMapName=auto.home,domain.net".
parse_server_string: lookup(ldap): server "(default)", base dn "nisMapName=auto.home,domain.net"
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 4, sasl_mech: (null)
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: (null) credential cache: (null)
do_init: parse(sun): init gathered global options: (null)
read_one_map: map read not needed, so not done
mounted indirect on /export/home with timeout 300, freq 75 seconds
st_ready: st_ready(): state = 0 path /export/home
st_expire: state 1 path /misc
expire_proc: exp_proc = 140100367800064 path /misc
expire_cleanup: got thid 140100367800064 path /misc stat 0
expire_cleanup: sigchld: exp 140100367800064 finished, switching from 2 to 1
st_ready: st_ready(): state = 2 path /misc
handle_packet: type = 3
handle_packet_missing_indirect: token 582, name testuser, request pid 15127
attempting to mount entry /export/home/testuser
lookup_mount: lookup(ldap): looking up testuser
do_bind: lookup(ldap): auth_required: 4, sasl_mech (null)
get_server_SASL_mechanisms: Can't contact LDAP server
do_bind: lookup(ldap): autofs_sasl_bind returned -1
do_bind: lookup(ldap): auth_required: 4, sasl_mech (null)
get_server_SASL_mechanisms: Can't contact LDAP server
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server default
lookup(ldap): lookup for testuser failed: connection failed
这是我的 ldap 条目:
dn: nisMapName=auto.home,dc=domain,dc=net
objectClass: top
objectClass: nisMap
nisMapName: auto.home
dn: cn=*,nisMapName=auto.home,dc=domain,dc=net
objectClass: nisObject
cn: *
nisMapEntry: -rw,sync ldapsrv.domain.net:/export/home/&
nisMapName: auto.home
dn: nisMapName=auto.master,dc=domain,dc=net
objectClass: top
objectClass: nisMap
nisMapName: auto.master
dn: cn=/export/home,nisMapName=auto.master,dc=domain,dc=net
objectClass: nisObject
cn: /export/home
nisMapName: auto.master
nisMapEntry: ldap:nisMapName=auto.home,dc=domain,dc=net
谢谢
答案1
根据类似lookup(ldap): couldn't connect to server default您的消息,nsswitch.conf不使用sssfor automount,而是使用本机 LDAP 连接器ldap。使用sssforautomount或配置自动挂载器以直接查找地图。