如果使用,SASL/GSSAPI 需要使用代理授权对 LDAP 服务器进行 Kerberos 身份验证使用 nss-pam-ldapd 进行 LDAP 身份验证在 Debian Buster 操作系统上。我尝试在我的 Raspberry Pi 上配置它以实现单点登录,但无法使其工作。
我的 ldap 服务器配置为如何在 Debian 上使用 OpenLDAP 服务器设置 SASL 代理授权.我命名了代理用户代理用户因此它的专有名称是uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de
。
根据使用 nss-pam-ldapd 进行 LDAP 身份验证在 Debian 系统上,除了 GSSAPI 插件之外,我还必须安装软件包libnss-ldapd
和。但我将使用:libpam-ldapd
libsasl2-modules-gssapi-mit
libpam-krb5
libpam-ldapd
rpi ~$ sudo apt install libsasl2-modules-gssapi-mit libnss-ldapd ldap-utils
安装时,会出现一个配置对话框,其中的设置存储在/etc/nslcd.conf
和中/etc/nsswitch.conf
。我必须再次配置
rpi ~$ sudo dpkg-reconfigure nslcd
rpi ~$ sudo dpkg-reconfigure libnss-ldapd
对话框中给出的设置是:
rpi ~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de
# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
sasl_authzid dn:uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de
~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
现在getent passwd
我希望获得英戈来自 LDAP 服务器。它不存储在本地/etc/passwd
。但我只从获取本地条目/etc/passwd
。在 LDAP 服务器的日志中,我可以看到没有尝试绑定到代理用户. 我这里遗漏了什么?
为什么getent
无法从 LDAP 服务器获取凭证?
答案1
简短的回答
确保你/etc/krb5.keytab
与你的host/*
委托人有有效的联系,例如:
rpi ~$ sudo kadmin -p user/admin
kadmin: addprinc -policy host -randkey host/<hostname>.home.hoeft-online.de
kadmin: ktadd -k /etc/krb5.keytab host/<hostname>.home.hoeft-online.de
kadmin: q
nscd
如果可用,请使用 禁用缓存守护进程sudo systemctl disable --now nscd.service
。不要将其与 混淆nslcd
。然后检查代理授权:
rpi ~$ sudo apt install libsasl2-modules-gssapi-mit ldap-utils
rpi ~$ kinit -p ingo
rpi ~$ ldapwhoami -Y GSSAPI -H ldap://kdc-master.home.hoeft-online.de -D "uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de"
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
dn:uid=ingo,ou=people,ou=home,dc=hoeft-online,dc=de
然后安装:
rpi ~$ sudo apt install libnss-ldapd kstart
只需接受安装对话框中的默认设置。我们用这些配置文件覆盖它们。将它们与您的设置一起使用:
nslcd.conf
~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# Logging options, default is info
#log syslog debug
# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de
# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de
# The DN to bind with for normal lookups.
binddn uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de
# Timing/reconnect options
# You may optimize this for your environment
#bind_timelimit 10
timelimit 30
idle_timelimit 3600
reconnect_sleeptime 2
#reconnect_retrytime 10
# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# SASL options
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
# Other options
nss_initgroups_ignoreusers ALLLOCAL
nsswitch.conf
~$ cat /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
重新启动服务并检查。确保英戈没有本地 unix 帐户/etc/passwd
。
rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ getent passwd | grep ingo
使用 Kerberos 身份验证设置 PAM 登录:
rpi ~$ sudo apt install libpam-krb5
rpi ~$ sudo pam-auth-update
# select what you need
[*] Kerberos authentication
[*] Unix authentication
[*] Create home directory on login
# check
rpi ~$ kdestroy
rpi ~$ su -l ingo
password:
ingo@rpi ~$ klist
ingo@rpi ~$ logout
rpi ~$
安装 nscd 缓存守护进程(如果已经可用则启用它):
rpi ~$ sudo apt install nscd
就是这样。
更多细节
我花了好几天的时间才检查出设置中存在什么问题。为了进行故障排除,您可以在 LDAP 服务器上将日志记录增加到调试输出中,以便olcLogLevel: any
:
slapd ~$ echo 'dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any' > /tmp/in.ldif
slapd ~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/in.ldif
在客户端设备上,只需取消注释调试日志行/etc/nslcd.conf
。
重新启动服务并禁用缓存守护进程nscd
(不要混淆nslcd
),因为nscd
可能会混淆测试:
rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ sudo systemctl disable --now nscd.service
不要忘记恢复调试日志记录并启用神经胶质细胞完成后。执行后,getent passwd
您将在客户端日志中看到它甚至没有以 开始GSSAPI client step 1
,什么都没有。我意识到 nslcd.service 没有获取任何/var/run/nslcd/nslcd.tkt
用于身份验证的凭据。四处寻找后,我发现/etc/default/nslcd
必须启动/usr/bin/k5start
,但未安装且无处记录。因此,只需使用以下命令安装它:
rpi ~$ sudo apt install kstart
现在日志显示 GSSAPI 从步骤 1 开始,但随后中止。
最令人困惑的是安装时显示的安装对话框libnss-ldapd
。它要求输入与我的 GSSAPI 设置不相符的条目,特别是代理用户的专有名称 (sasl_authzid)。这不可用。相反,您必须使用正常的绑定。只需接受对话框设置中的默认设置,然后使用简短答案中的配置文件。
我用systemd-networkd和...一起systemd-已解决。使用 systemd 解析器时,我遇到了令人讨厌的 60 秒登录延迟,这是不可接受的。它journal -b
显示查询 ldap 服务器的组成员身份在 60 秒后超时:
Feb 26 01:25:45 titan systemd[1]: Reached target Network is Online.
Feb 26 01:25:45 titan systemd[1]: Starting LSB: LDAP connection daemon...
Feb 26 01:25:45 titan nslcd[441]: Starting Keep alive Kerberos ticket: k5start.
Feb 26 01:25:45 titan nslcd[455]: version 0.9.10 starting
Feb 26 01:25:45 titan nslcd[455]: accepting connections
Feb 26 01:25:45 titan nslcd[441]: Starting LDAP connection daemon: nslcd.
Feb 26 01:25:45 titan systemd[1]: Started LSB: LDAP connection daemon.
Feb 26 01:25:46 titan login[435]: pam_krb5(login:auth): authentication failure; logname=local uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Feb 26 01:25:46 titan login[435]: pam_unix(login:session): session opened for user local by LOGIN(uid=0)
Feb 26 01:25:46 titan systemd[1]: Created slice User Slice of UID 65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Runtime Directory /run/user/65533...
Feb 26 01:25:46 titan systemd-logind[428]: New session 1 of user local.
Feb 26 01:25:46 titan systemd[1]: Started User Runtime Directory /run/user/65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Manager for UID 65533...
Feb 26 01:26:11 titan login[435]: pam_systemd(login:session): Failed to create session: Connection timed out
Feb 26 01:26:46 titan dbus-daemon[426]: [system] Connection has not authenticated soon enough, closing it (auth_timeout=30000ms, elapsed: 60060ms)
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> failed to bind to LDAP server ldap://kdc-master.home.hoeft-online.de: Can't contact LDAP server: Invalid argument
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> no available LDAP server found: Can't contact LDAP server: Invalid argument
Feb 26 01:26:46 titan nslcd[455]: GSSAPI client step 1
Feb 26 01:26:46 titan systemd[468]: pam_unix(systemd-user:session): session opened for user local by (uid=0)
Feb 26 01:26:46 titan nslcd[455]: [3c9869] <group/member="local"> connected to LDAP server ldap://kdc-master.home.hoeft-online.de
Feb 26 01:26:46 titan systemd[1]: Started User Manager for UID 65533.
Feb 26 01:26:46 titan systemd[1]: Started Session 1 of user local.
经过几天的错误搜索,我发现该选项nss_initgroups_ignoreusers ALLLOCAL
可以/etc/nslcd.conf
修复此错误。此选项可防止通过非 LDAP 用户的 LDAP 查找组成员身份。这意味着本地注册用户(如系统帐户)将无法查找 LDAP 服务器。