NSS lookups against an OpenLDAP server using GSSAPI with proxy authorization

Using SASL/GSSAPI with proxy authorization is required for Kerberos authentication against an LDAP server when using LDAP authentication with nss-pam-ldapd on a Debian Buster operating system. I tried to configure it on my Raspberry Pi for single sign-on, but I could not get it to work.

My LDAP server is configured as described in How to set up SASL proxy authorization with OpenLDAP server on Debian. I named the proxy user proxyuser, so its distinguished name is uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de

According to LDAP authentication with nss-pam-ldapd on a Debian system, in addition to the GSSAPI plugin libsasl2-modules-gssapi-mit I have to install the packages libnss-ldapd and libpam-ldapd. But I will use libpam-krb5 instead of libpam-ldapd:

rpi ~$ sudo apt install libsasl2-modules-gssapi-mit libnss-ldapd ldap-utils

During installation a configuration dialog appears; its settings are stored in /etc/nslcd.conf and /etc/nsswitch.conf. I had to configure them again with

rpi ~$ sudo dpkg-reconfigure nslcd
rpi ~$ sudo dpkg-reconfigure libnss-ldapd

The settings given in the dialog are:

rpi ~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de

# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
sasl_authzid dn:uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de


~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Now with getent passwd I expect to get ingo from the LDAP server. It is not stored locally in /etc/passwd. But I only get the local entries from /etc/passwd. In the log of the LDAP server I can see that there is no attempt to bind to the proxyuser. What am I missing here?
Why does getent not get the credentials from the LDAP server?

Answer 1

Short answer

Make sure that your /etc/krb5.keytab contains a valid entry for your host/* principal, e.g.:

rpi ~$ sudo kadmin -p user/admin
kadmin:  addprinc -policy host -randkey host/<hostname>.home.hoeft-online.de
kadmin:  ktadd -k /etc/krb5.keytab host/<hostname>.home.hoeft-online.de
kadmin:  q

If available, disable the cache daemon nscd with sudo systemctl disable --now nscd.service. Do not confuse it with nslcd. Then check the proxy authorization:

rpi ~$ sudo apt install libsasl2-modules-gssapi-mit ldap-utils
rpi ~$ kinit -p ingo
rpi ~$ ldapwhoami -Y GSSAPI -H ldap://kdc-master.home.hoeft-online.de -D "uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de"
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
dn:uid=ingo,ou=people,ou=home,dc=hoeft-online,dc=de

Then install:

rpi ~$ sudo apt install libnss-ldapd kstart

Just accept the default settings in the installation dialog. We overwrite them with these configuration files. Use them with your own settings:
nslcd.conf

~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# Logging options, default is info
#log syslog debug

# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de

# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de

# The DN to bind with for normal lookups.
binddn uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de

# Timing/reconnect options
# You may optimize this for your environment
#bind_timelimit 10
timelimit 30
idle_timelimit 3600
reconnect_sleeptime 2
#reconnect_retrytime 10

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# SASL options
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt

# Other options
nss_initgroups_ignoreusers ALLLOCAL

nsswitch.conf

~$ cat /etc/nsswitch.conf
passwd:         files ldap
group:          files ldap
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Restart the service and check. Make sure that ingo has no local unix account in /etc/passwd:

rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ getent passwd | grep ingo

Set up PAM login with Kerberos authentication:

rpi ~$ sudo apt install libpam-krb5
rpi ~$ sudo pam-auth-update
# select what you need
[*] Kerberos authentication
[*] Unix authentication
[*] Create home directory on login

# check
rpi ~$ kdestroy
rpi ~$ su -l ingo
password:
ingo@rpi ~$ klist
ingo@rpi ~$ logout
rpi ~$

Install the nscd cache daemon (or enable it if it is already available):

rpi ~$ sudo apt install nscd

That's it.

More details

It took me several days to find out what was wrong with the setup. For troubleshooting you can increase the logging on the LDAP server to debug output with olcLogLevel: any:

slapd ~$ echo 'dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any' > /tmp/in.ldif

slapd ~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/in.ldif

On the client device just uncomment the debug log line in /etc/nslcd.conf.

Restart the service and disable the cache daemon nscd (not to be confused with nslcd), because nscd may confuse the tests:

rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ sudo systemctl disable --now nscd.service

Don't forget to revert the debug logging and enable nscd again when finished. After running getent passwd you will see in the client log that it doesn't even start with GSSAPI client step 1, nothing at all. I realized that nslcd.service didn't get any credentials in /var/run/nslcd/nslcd.tkt for authentication. After searching around I found that /etc/default/nslcd must start /usr/bin/k5start, but it was not installed and this is documented nowhere. So just install it with:

rpi ~$ sudo apt install kstart

Now the log showed GSSAPI starting with step 1, but then it aborted.

Most confusing was the installation dialog shown when installing libnss-ldapd. It asks for entries that do not fit my GSSAPI setup, in particular the distinguished name of the proxy user (sasl_authzid). This is not usable. Instead you have to use a normal bind. Just accept the defaults in the dialog and then use the configuration files from the short answer.

I use systemd-networkd together with systemd-resolved. With the systemd resolver I got a nasty 60 second login delay, which is unacceptable. journalctl -b showed that the query for group membership against the LDAP server timed out after 60 seconds:

Feb 26 01:25:45 titan systemd[1]: Reached target Network is Online.
Feb 26 01:25:45 titan systemd[1]: Starting LSB: LDAP connection daemon...
Feb 26 01:25:45 titan nslcd[441]: Starting Keep alive Kerberos ticket: k5start.
Feb 26 01:25:45 titan nslcd[455]: version 0.9.10 starting
Feb 26 01:25:45 titan nslcd[455]: accepting connections
Feb 26 01:25:45 titan nslcd[441]: Starting LDAP connection daemon: nslcd.
Feb 26 01:25:45 titan systemd[1]: Started LSB: LDAP connection daemon.
Feb 26 01:25:46 titan login[435]: pam_krb5(login:auth): authentication failure; logname=local uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Feb 26 01:25:46 titan login[435]: pam_unix(login:session): session opened for user local by LOGIN(uid=0)
Feb 26 01:25:46 titan systemd[1]: Created slice User Slice of UID 65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Runtime Directory /run/user/65533...
Feb 26 01:25:46 titan systemd-logind[428]: New session 1 of user local.
Feb 26 01:25:46 titan systemd[1]: Started User Runtime Directory /run/user/65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Manager for UID 65533...

Feb 26 01:26:11 titan login[435]: pam_systemd(login:session): Failed to create session: Connection timed out
Feb 26 01:26:46 titan dbus-daemon[426]: [system] Connection has not authenticated soon enough, closing it (auth_timeout=30000ms, elapsed: 60060ms)
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> failed to bind to LDAP server ldap://kdc-master.home.hoeft-online.de: Can't contact LDAP server: Invalid argument
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> no available LDAP server found: Can't contact LDAP server: Invalid argument

Feb 26 01:26:46 titan nslcd[455]: GSSAPI client step 1
Feb 26 01:26:46 titan systemd[468]: pam_unix(systemd-user:session): session opened for user local by (uid=0)
Feb 26 01:26:46 titan nslcd[455]: [3c9869] <group/member="local"> connected to LDAP server ldap://kdc-master.home.hoeft-online.de
Feb 26 01:26:46 titan systemd[1]: Started User Manager for UID 65533.
Feb 26 01:26:46 titan systemd[1]: Started Session 1 of user local.

After days of bug hunting I found that the option nss_initgroups_ignoreusers ALLLOCAL in /etc/nslcd.conf fixes this error. This option prevents group membership lookups via LDAP for users that are not LDAP users. This means that locally registered users (such as system accounts) will not query the LDAP server.
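As an added example (not part of the answer above), the following POSIX shell function checks an nslcd.conf against the points the answer makes: GSSAPI with a ticket cache that k5start keeps fresh, a normal bind as the proxy user rather than sasl_authzid, and nss_initgroups_ignoreusers ALLLOCAL to avoid the 60 second login delay. The proxy user DN it expects is the one from this page; the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example: validate /etc/nslcd.conf for the GSSAPI + proxy
# authorization setup described in the answer. Prints one line per
# finding; returns 0 when the file passes, 1 otherwise.
check_nslcd_conf() {
    conf="$1"
    rc=0
    # Drop comments and blank lines so that commented-out defaults such as
    # "#binddn cn=annonymous,dc=example,dc=net" are not mistaken for settings.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    has() { printf '%s\n' "$active" | grep -Eq "$1"; }

    if ! has '^sasl_mech[[:space:]]+GSSAPI'; then
        echo "missing: sasl_mech GSSAPI"; rc=1
    fi
    if ! has '^krb5_ccname[[:space:]]'; then
        echo "missing: krb5_ccname (nslcd reads the ticket cache that k5start keeps fresh)"; rc=1
    fi
    # The libnss-ldapd dialog writes sasl_authzid; the answer found that only a
    # normal bind as the proxy user works with this setup.
    if has '^sasl_authzid[[:space:]]'; then
        echo "remove: sasl_authzid (use binddn with the proxy user DN instead)"; rc=1
    fi
    if ! has '^binddn[[:space:]]+uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de'; then
        echo "missing: binddn uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de"; rc=1
    fi
    # Without this, local users (including system accounts) trigger LDAP group
    # lookups at login, which caused the 60 second delay in the answer.
    if ! has '^nss_initgroups_ignoreusers[[:space:]]+ALLLOCAL'; then
        echo "missing: nss_initgroups_ignoreusers ALLLOCAL"; rc=1
    fi
    return $rc
}

# Usage: sh check_nslcd.sh /etc/nslcd.conf
[ "$#" -eq 0 ] || check_nslcd_conf "$1"
```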
