openldap, nss-pam-ldapd, ppolicy and expired-password notification

I am Mr. Arigita, from Spain. I am having a problem with nslcd and need some help. Before writing this I spent many days searching the web for a solution, without success:

I have a multi-master OpenLDAP setup with the ppolicy overlay. Users are forced to change expired passwords. I managed to get all clients to show and prompt for a new password with the regular nss-pam-ldap configuration (/etc/ldap.conf). However, my filters were limited, and I found that the nss-pam-ldapd package lets me define better group, passwd and authentication filters (in /etc/nslcd.conf). So I dropped the old setup and started using the nslcd daemon and tools.

But now I do not get any password-expiry warning, and when logging in over ssh with an expired password no password-change prompt is shown on the client machine. For testing I removed all filters and left a simple nslcd.conf:

nss-pam-ldapd v0.9.9

/etc/nslcd.conf:

uid nslcd
gid nslcd
uri ldap://temis/
base dc=domain
ldap_version 3
binddn cn=leoldap,dc=domain
bindpw ****
ssl start_tls
tls_reqcert allow
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

The situation is as follows:

2 x multimaster slapd servers
1 x HAproxy load balancer. Tcp Ldap traffic forwarded to the multimasters.
Many Ubuntu 16, 18 and Debian 8,9 clients. (At the moment only testing 2 clients with Ubuntu 16/18)

Here are some configs and dumps:

objectClass=olcPPolicyConfig:

dn: olcOverlay={4}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {4}ppolicy
olcPPolicyDefault: cn=PWUsuarios,ou=Politicas,ou=Seguridad,ou=Grupos,dc=domain
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE

objectClass=pwdPolicy (for testing, pwdMaxAge is set to 2 minutes):

dn: cn=PWUsuarios,ou=Politicas,ou=Seguridad,ou=Grupos,dc=domain
cn: PWUsuarios
objectClass: pwdPolicy
objectClass: device
objectClass: top
objectClass: pwdPolicyChecker
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckModule: pqchecker.so
pwdCheckQuality: 2
pwdFailureCountInterval: 0
pwdInHistory: 3
pwdLockoutDuration: 3600
pwdMaxFailure: 3
pwdMinLength: 10
pwdMustChange: TRUE
pwdMaxAge: 120
pwdExpireWarning: 120
pwdGraceAuthNLimit: 1
pwdLockout: TRUE

dn: cn=PWApps,ou=Politicas,ou=Seguridad,ou=Grupos,dc=domain
cn: PWApps
objectClass: pwdPolicy
objectClass: device
objectClass: top
objectClass: pwdPolicyChecker
pwdAllowUserChange: FALSE
pwdAttribute: userPassword
pwdCheckModule: pqchecker.so
pwdCheckQuality: 2
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdLockoutDuration: 0
pwdMaxFailure: 3
pwdMinLength: 8

nslcd -d:

nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.9
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,allow)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/ssl/certs/ca-certificates.crt")
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: uid nslcd
nslcd: DEBUG: CFG: gid 131
nslcd: DEBUG: CFG: uri ldap://temis/
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: binddn cn=leoldap,dc=domain
nslcd: DEBUG: CFG: bindpw ***
nslcd: DEBUG: CFG: base dc=domain
nslcd: DEBUG: CFG: scope sub
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectClass=posixAccount)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=shadowAccount)
nslcd: DEBUG: CFG: map group userPassword ""
nslcd: DEBUG: CFG: map passwd userPassword ""
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map shadow userPassword ""
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: pam_authc_ppolicy yes
nslcd: DEBUG: CFG: bind_timelimit 10
nslcd: DEBUG: CFG: timelimit 0
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl start_tls
nslcd: DEBUG: CFG: tls_reqcert allow
nslcd: DEBUG: CFG: tls_cacertfile /etc/ssl/certs/ca-certificates.crt
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_initgroups_ignoreusers kernoops,bin,whoopsie,systemd-network,nslcd,cups-pk-helper,hplip,pulse,rou,daemon,colord,avahi,messagebus,xrdp,backup,gnome-initial-setup,mysql,irc,man,openldap,new...
nslcd: DEBUG: CFG: nss_min_uid 0
nslcd: DEBUG: CFG: nss_uid_offset 0
nslcd: DEBUG: CFG: nss_gid_offset 0
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disable_enumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9.@$()]([a-z0-9.@$() ~-][a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase no
nslcd: DEBUG: CFG: pam_authc_search BASE
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: version 0.9.9 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",131) done
nslcd: DEBUG: setgid(131) done
nslcd: DEBUG: setuid(127) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=101098 uid=0 gid=0
nslcd: [8b4567] <passwd="rarigita"> DEBUG: myldap_search(base="dc=domain", filter="(&(objectClass=posixAccount)(uid=rarigita))")
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_simple_bind_s("cn=leoldap,dc=domain","***") (uri="ldap://temis/")
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_result(): cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain
nslcd: [8b4567] <passwd="rarigita"> (re)loading /etc/nsswitch.conf
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [7b23c6] DEBUG: connection from pid=101098 uid=0 gid=0
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: myldap_search(base="dc=domain", filter="(&(objectClass=posixAccount)(uid=rarigita))")
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_simple_bind_s("cn=leoldap,dc=domain","***") (uri="ldap://temis/")
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_result(): cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] DEBUG: connection from pid=101098 uid=0 gid=0
nslcd: [3c9869] <shadow="rarigita"> DEBUG: myldap_search(base="dc=domain", filter="(&(objectClass=shadowAccount)(uid=rarigita))")
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_simple_bind_s("cn=leoldap,dc=domain","***") (uri="ldap://temis/")
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_result(): cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [334873] DEBUG: connection from pid=101098 uid=0 gid=0
nslcd: [334873] <passwd="rarigita"> DEBUG: myldap_search(base="dc=domain", filter="(&(objectClass=posixAccount)(uid=rarigita))")
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_simple_bind_s("cn=leoldap,dc=domain","***") (uri="ldap://temis/")
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_result(): cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b0dc51] DEBUG: connection from pid=101098 uid=0 gid=0
nslcd: [b0dc51] <authc="rarigita"> DEBUG: nslcd_pam_authc("rarigita","sshd","***")
nslcd: [b0dc51] <authc="rarigita"> DEBUG: myldap_search(base="dc=domain", filter="(&(objectClass=posixAccount)(uid=rarigita))")
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_simple_bind_s("cn=leoldap,dc=domain","**") (uri="ldap://temis/")
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_result(): cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain
nslcd: [b0dc51] <authc="rarigita"> DEBUG: myldap_search(base="cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain", filter="(objectClass=)")
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_sasl_bind("cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain","***") (uri="ldap://temis/") (ppolicy=yes)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password expired)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [b0dc51] <authc="rarigita"> DEBUG: failed to bind to LDAP server ldap://temis/: Invalid credentials
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="rarigita"> cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain: Invalid credentials
nslcd: [b0dc51] <authc="rarigita"> cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain: Password expired
nslcd: [495cff] DEBUG: connection from pid=101160 uid=0 gid=0
nslcd: [495cff] <group/member="root"> DEBUG: ignored group member

tail -f /var/log/syslog | grep slapd:

Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 fd=21 ACCEPT from IP=10.6.22.124:44996 (IP=10.6.22.121:389)
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=0 STARTTLS
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=0 RESULT oid= err=0 text=
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 fd=21 TLS established tls_ssf=256 ssf=256
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=1 BIND dn="cn=leoldap,dc=domain" method=128
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=1 BIND dn="cn=leoldap,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=1 RESULT tag=97 err=0 text=
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=2 SRCH base="dc=domain" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=rarigita))"
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=2 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber loginShell
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 fd=22 ACCEPT from IP=10.6.22.124:45032 (IP=10.6.22.121:389)
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=0 STARTTLS
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=0 RESULT oid= err=0 text=
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 fd=22 TLS established tls_ssf=256 ssf=256
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=1 BIND dn="cn=leoldap,dc=domain" method=128
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=1 BIND dn="cn=leoldap,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=1 RESULT tag=97 err=0 text=
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=2 SRCH base="dc=domain" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=rarigita))"
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=2 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber loginShell
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6322 fd=23 ACCEPT from IP=10.6.22.124:45036 (IP=10.6.22.121:389)
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6322 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6322 op=0 STARTTLS
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6322 op=0 RESULT oid= err=0 text=
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 fd=23 TLS established tls_ssf=256 ssf=256
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 op=1 BIND dn="cn=leoldap,dc=domain" method=128
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 op=1 BIND dn="cn=leoldap,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 op=1 RESULT tag=97 err=0 text=
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 op=2 SRCH base="dc=domain" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=rarigita))"
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 op=2 SRCH attr=shadowFlag shadowMax shadowMin shadowLastChange uid shadowExpire shadowInactive shadowWarning
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 fd=24 ACCEPT from IP=10.6.22.124:45038 (IP=10.6.22.121:389)
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 op=0 STARTTLS
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 op=0 RESULT oid= err=0 text=
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 fd=24 TLS established tls_ssf=256 ssf=256
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 op=1 BIND dn="cn=leoldap,dc=domain" method=128
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 op=1 BIND dn="cn=leoldap,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 op=1 RESULT tag=97 err=0 text=
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6323 op=2 SRCH base="dc=domain" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=rarigita))"
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6323 op=2 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber loginShell
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6323 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6320 op=3 SRCH base="dc=domain" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=rarigita))"
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6320 op=3 SRCH attr=uid uidNumber
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6320 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 fd=25 ACCEPT from IP=10.6.22.124:45050 (IP=10.6.22.121:389)
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=0 STARTTLS
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=0 RESULT oid= err=0 text=
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 fd=25 TLS established tls_ssf=256 ssf=256
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=1 BIND dn="cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain" method=128
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=1 BIND dn="cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:27:43 CarlosIs99 slapd[1757]: ppolicy_bind: Entry cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain has an expired password: 0 grace logins
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=1 RESULT tag=97 err=49 text=
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=2 UNBIND
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 fd=25 closed
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6320 op=4 ABANDON msg=4

/etc/pam.d/common-* are the defaults set by pam-auth-update.

/etc/pam.d/common-auth:

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

/etc/pam.d/common-account:

account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000

/etc/pam.d/common-password:

password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so

Groups are posixGroups; accounts are posixAccount, shadowAccount and inetOrgPerson. But I get no password-expiry notification at the ssh login prompt. Is this normal? What am I missing? I have read many posts about this and I believe it must work with a default fresh install of the package...

Password expiry and the password-change prompt are working with the nss-pam-ldap configuration. Could you offer any advice or help? I would be very grateful. I have been testing nslcd for 5 days and have not managed to get the password-expiry message shown at the ssh login prompt. Also, is this supported on Debian 7 and Ubuntu 14? We have some older setups on our network.

Thanks in advance.
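The slapd line "has an expired password: 0 grace logins" followed by err=49, and the nslcd pair "Password expired" / "Invalid credentials", are the outcome of the ppolicy bind check for an entry whose only grace login (pwdGraceAuthNLimit: 1) has already been consumed. The following is an added example, not code from the post above or from OpenLDAP: it reimplements the expiry, warning and grace-login rules of the draft-behera password-policy model that slapd's ppolicy overlay follows, so the state of such an entry can be reproduced offline. All timestamps and entry attribute values are constructed test data; the policy values are the ones from the PWUsuarios entry above. Lockout, pwdStartTime/pwdEndTime and pwdGraceExpiry are deliberately left out.

```python
"""Added example (not part of the original post): evaluate the ppolicy
password-expiry state of an LDAP entry per the draft-behera password-policy
rules that OpenLDAP's ppolicy overlay implements.  Entry data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

GT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as slapd stores pwdChangedTime


def parse_gt(value: str) -> datetime:
    """Parse a GeneralizedTime value such as 20190318130000Z (UTC)."""
    return datetime.strptime(value, GT).replace(tzinfo=timezone.utc)


@dataclass
class Policy:
    pwdMaxAge: int = 0            # seconds a password stays valid; 0 = never expires
    pwdExpireWarning: int = 0     # seconds before expiry at which warnings start
    pwdGraceAuthNLimit: int = 0   # binds still allowed after expiry


@dataclass
class Entry:
    pwdChangedTime: Optional[str] = None                  # operational attr, set on change
    pwdGraceUseTime: List[str] = field(default_factory=list)  # one value per grace login used
    pwdReset: bool = False                                # set when an admin reset the password


@dataclass
class BindOutcome:
    bind_allowed: bool
    error: Optional[str]                 # ppolicy error name carried in the response control
    seconds_before_expiry: Optional[int]  # timeBeforeExpiration warning, if any
    grace_remaining: Optional[int]        # graceAuthNsRemaining, if a grace login was used


def evaluate(entry: Entry, policy: Policy, now: datetime) -> BindOutcome:
    """Decide how a simple bind with the correct password would be answered."""
    if entry.pwdReset:
        # bind succeeds, but the control says the password must be changed first
        return BindOutcome(True, "changeAfterReset", None, None)
    if policy.pwdMaxAge == 0 or entry.pwdChangedTime is None:
        # without a change timestamp or a max age there is nothing to expire
        return BindOutcome(True, None, None, None)

    expires_at = parse_gt(entry.pwdChangedTime) + timedelta(seconds=policy.pwdMaxAge)
    remaining = int((expires_at - now).total_seconds())
    if remaining > 0:
        if policy.pwdExpireWarning and remaining <= policy.pwdExpireWarning:
            return BindOutcome(True, None, remaining, None)   # warning only
        return BindOutcome(True, None, None, None)

    # expired: each successful bind consumes one grace login
    used = len(entry.pwdGraceUseTime)
    if used < policy.pwdGraceAuthNLimit:
        return BindOutcome(True, None, None, policy.pwdGraceAuthNLimit - used - 1)
    # no grace logins left: slapd logs "0 grace logins" and answers err=49
    return BindOutcome(False, "passwordExpired", None, 0)


# Policy values taken from the PWUsuarios entry in the post above.
POLICY_FROM_POST = Policy(pwdMaxAge=120, pwdExpireWarning=120, pwdGraceAuthNLimit=1)


if __name__ == "__main__":
    now = parse_gt("20190318132743Z")  # constructed: matches the syslog timestamps
    cases = {
        "fresh password (47 s left, inside warning window)":
            Entry(pwdChangedTime="20190318132630Z"),
        "expired, grace login not yet used":
            Entry(pwdChangedTime="20190318130000Z"),
        "expired, single grace login already used":
            Entry(pwdChangedTime="20190318130000Z", pwdGraceUseTime=["20190318130500Z"]),
        "admin reset":
            Entry(pwdChangedTime="20190318132700Z", pwdReset=True),
    }
    for label, entry in cases.items():
        print(f"{label}: {evaluate(entry, POLICY_FROM_POST, now)}")
```

Run against the constructed entries, the third case yields bind_allowed=False with error passwordExpired and grace_remaining 0, which is exactly the pair of lines slapd and nslcd print above. The point for the troubleshooting in this thread is that once the grace logins are exhausted the directory refuses the bind itself, so what reaches PAM is an authentication failure rather than a successful login with an expired password; the only grace login is used up by the first bind after expiry, and with pwdMaxAge and pwdExpireWarning both at 120 seconds every bind before expiry already sits inside the warning window.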
