What is wrong with this pam_ldap configuration?

I set up LDAP authentication for PAM on an Ubuntu 16.04 machine. I cannot log in through SSH even though I know the password is correct. My goal is to have a list of local users, and to let anyone who has an account on the local LDAP server log in as well (those users are (for now) unknown to the Ubuntu machine). I would like the users to be created on first login, including their home folder (but that is not the point of this post).

Main LDAP configuration file:

# awk '! /^$/ && ! /^#/' /etc/ldap.conf 
base OU=MyOrg,DC=myit,DC=local
uri ldaps://ad.myit.local:636/
ldap_version 3
binddn [email protected]
bindpw XXXXX
pam_lookup_policy yes
pam_password md5
nss_base_passwd ou=MyOrg,dc=local?sub
nss_base_shadow ou=MyOrg,dc=myit,dc=local?sub
nss_base_group  ou=MyOrg,dc=myit,dc=local?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
nss_map_attribute userPassword authPassword
ssl on
debug 10
logdir /var/log/ldap

I don't know all the settings of the LDAP server (I don't administer it), but I know that the login attribute sAMAccountName, the server URI and the bind DN/password are correct (see the ldapsearch examples below).

Here are the relevant authentication configuration files:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files ldap
group: files ldap
shadow: files ldap
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup: nis

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional    pam_ecryptfs.so unwrap
# end of pam-auth-update config

So basically PAM will try unix first, and if the user does not exist it will try LDAP before denying.

Here is proof that the first bind credentials are valid:

# ldapsearch -H ldaps://ad.myit.local:636 -b 'ou=MyOrg,dc=myit,dc=local' -D [email protected] -W | grep -P 'distinguishedName.*DUFFEZ'
Enter LDAP Password: (XXXX)
distinguishedName: CN=Benoit DUFFEZ,OU=MyOrg,DC=myit,DC=local

And then binding with the DN that the first bind looked up:

# ldapsearch -H ldaps://ad.myit.local:636 -b 'ou=MyOrg,dc=myit,dc=local' -D "CN=Benoit DUFFEZ,OU=MyOrg,DC=myit,DC=local" -W | grep -P 'distinguishedName.*DUFFEZ'
Enter LDAP Password: (my password)
distinguishedName: CN=Benoit DUFFEZ,OU=MyOrg,DC=myit,DC=local

So that works.

Now, if I do it through SSH, it fails and auth.log shows:

Jun 26 14:28:21 xxx sshd[6925]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.177
Jun 26 14:28:21 xxx sshd[6925]: pam_ldap: error trying to bind as user "CN=Benoit DUFFEZ,OU=MyOrg,DC=myit,DC=local" (Invalid credentials)
Jun 26 14:28:23 xxx sshd[6925]: Failed password for invalid user bdu from 192.168.5.177 port 48780 ssh2

I went through the logs (see debug 10 in ldap.conf); the error is:

LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

Which supposedly means a valid user but invalid credentials.

I can't see where this goes wrong. The bind DN in auth.log is exactly the same as the one I used in the ldapsearch command, and the password is the same too, but it still fails.
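To make the control-flag logic of the common-auth stack quoted above concrete, here is an added example (not code from the original post or from Linux-PAM itself): a small simulator that walks that stack with the Linux-PAM rules for [success=N default=ignore], requisite, required and optional. The modules are stubbed with two constructed user tables (a local account and an LDAP-only account "bdu"); a wrong password against the LDAP table stands in for the failed bind (the "data 52e" case in the log). Everything else about the real modules (use_first_pass, nullok_secure, the LDAP round trip) is left out, so this only illustrates how the stack decides, not how the modules authenticate.

```python
"""Simulate how Linux-PAM walks the common-auth stack from the question."""

# Return codes we model (named after Linux-PAM's PAM_* constants).
SUCCESS, AUTH_ERR, USER_UNKNOWN, IGNORE = "success", "auth_err", "user_unknown", "ignore"

# The stack exactly as in the question's common-auth, module arguments dropped.
COMMON_AUTH = [
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 default=ignore]", "pam_ldap.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
    ("optional", "pam_ecryptfs.so"),
]

# Constructed sample data: one local account, one LDAP-only account.
LOCAL_USERS = {"root": "local-secret"}
LDAP_USERS = {"bdu": "ldap-secret"}   # "bdu" as in the sshd log line

# pam.conf(5) expands the keyword controls to these value=action tables.
KEYWORDS = {
    "required": {SUCCESS: "ok", IGNORE: "ignore", "default": "bad"},
    "requisite": {SUCCESS: "ok", IGNORE: "ignore", "default": "die"},
    "sufficient": {SUCCESS: "done", IGNORE: "ignore", "default": "ignore"},
    "optional": {SUCCESS: "ok", IGNORE: "ignore", "default": "ignore"},
}


def parse_control(control):
    """Turn 'required' or '[success=2 default=ignore]' into a value->action map."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    actions = {IGNORE: "ignore", "default": "bad"}   # unlisted values count as 'bad'
    for token in control.strip("[]").split():
        value, action = token.split("=", 1)
        actions[value] = action
    return actions


def run_module(module, user, password):
    """Stub module behaviour; the real ones consult /etc/shadow or bind to LDAP."""
    if module == "pam_unix.so":
        table = LOCAL_USERS
    elif module == "pam_ldap.so":
        table = LDAP_USERS          # a failed bind is AUTH_ERR here, like the 52e in the log
    elif module == "pam_deny.so":
        return AUTH_ERR
    elif module == "pam_permit.so":
        return SUCCESS
    else:
        return IGNORE               # pam_ecryptfs: nothing to do for these users
    if user not in table:
        return USER_UNKNOWN
    return SUCCESS if table[user] == password else AUTH_ERR


def evaluate(stack, user, password):
    """Walk the stack; return (final_result, trace) with trace = [(module, result, action)]."""
    final = None                     # None: no module has set the stack result yet
    trace = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        result = run_module(module, user, password)
        actions = parse_control(control)
        action = actions.get(result, actions["default"])
        trace.append((module, result, action))
        if action == "ignore":
            pass
        elif action == "reset":
            final = None
        elif action in ("ok", "bad", "done", "die") or action.isdigit():
            if final in (None, SUCCESS):   # an earlier failure stays sticky
                final = result
            if action == "die" or (action == "done" and final == SUCCESS):
                break                      # requisite failure / sufficient success ends the walk
            if action.isdigit():
                i += int(action)           # success=N: jump over the next N modules
        else:
            raise ValueError("unknown action " + action)
        i += 1
    # Without pam_permit nothing would set a result for a jumped-over stack and
    # libpam would return an error; the comment in common-auth describes exactly that.
    return (final if final is not None else "perm_denied"), trace


def main():
    for user, password in [("root", "local-secret"), ("bdu", "ldap-secret"),
                           ("bdu", "wrong"), ("nobody", "x")]:
        final, trace = evaluate(COMMON_AUTH, user, password)
        print(f"{user}/{password}: {final}")
        for module, result, action in trace:
            print(f"    {module:<16} -> {result:<12} action={action}")


if __name__ == "__main__":
    main()
```

The third run reproduces the sequence in the auth.log excerpt: pam_unix does not know the user (default=ignore, so it is skipped), pam_ldap fails the bind (again ignored), and the requisite pam_deny turns that into the final denial. The first two runs show why the jump counts matter: a successful pam_unix skips both pam_ldap and pam_deny, a successful pam_ldap skips only pam_deny, and pam_permit then supplies the positive result.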
