我正在尝试配置 PAM 以与我的 LDAP 服务器配合使用进行身份验证。为此,我尝试使用 libpam-ldap,出于两个原因,我决定使用 libpam-ldap 而不是 libpam-ldapd。首先,libpam-ldapd 似乎不支持基于组的身份验证,这意味着我无法控制哪些用户可以使用 LDAP 组访问哪些服务(至少对于使用 PAM 的服务而言);其次,当我尝试安装 libpam-ldapd 时,整个服务器变得极其迟钝,处理命令需要长达 30 秒的时间。
当进行身份验证尝试时,libpam_ldap 会正确尝试在端口 636 上联系所需的 LDAP 服务器,但是不会进行绑定尝试。重新配置 libpam-ldap 以通过端口 389 上的非 TLS 连接连接到 LDAP 服务器会导致绑定尝试,而我的 LDAP 服务器的非 TLS 连接身份验证策略会正确拒绝该尝试。
我正在运行 Debian 10.4,我的 pam_ldap.conf 文件(作为故障排除过程的一部分,我已将其精简为最小配置)如下
base ou=people,dc=example,dc=com
uri ldaps://example.com/
ldap_version 3
binddn uid=0,ou=servers,dc=example,dc=com
bindpw mypassword
pam_login_attribute displayName
pam_password clear
ssl on
tls_checkpeer no
tls_cacertdir /etc/ssl/certs
logdir /var/log/pamldap
凡是提到示例的地方,实际配置都有正确的值。密码设置为 clear,因为密码哈希由 ppolicy 在服务器端处理。指定“ssl on”以及“tls_checkpeer”和“tls_cacertdir”的选项都包含在我的故障排除过程中,并且它们的任何组合都无法成功连接到 LDAP 服务器。
配置中的 logdir 标志不起作用,因此 libpam-ldap 不生成日志,这严重复杂化了故障排除。到目前为止,故障排除包括尝试验证 FTP 用户,并监控 LDAP 服务器上的日志以及传播到 FTP 客户端的信息。在 libpam-ldap 配置为使用 TLS 的情况下尝试登录会导致 FTP 客户端超时,并且 LDAP 服务器上的以下日志
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: slap_listener_activate(8):
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 busy
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: >>> slap_listener(ldaps:///)
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: listen=8, new connection on 12
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]: daemon: added 12r (active) listener=(nil)
Jun 4 15:11:05 MyServer slapd[831]: 12r
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: read active on 12
Jun 4 15:11:05 MyServer slapd[831]: conn=1000 fd=12 ACCEPT from IP=X.X.X.X:1025 (IP=0.0.0.0:636)
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: connection_get(12)
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: connection_get(12): got connid=1000
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]: 12r
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: read active on 12
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: connection_get(12)
Jun 4 15:11:05 MyServer slapd[831]: connection_get(12): got connid=1000
Jun 4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]: 12r
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: read active on 12
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: connection_get(12)
Jun 4 15:11:05 MyServer slapd[831]: connection_get(12): got connid=1000
Jun 4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
尝试通过未加密的连接登录会导致 FTP 客户端收到 530 登录不正确响应和“严重错误:无法连接到服务器”错误消息,并且 LDAP 服务器会记录以下日志
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: slap_listener_activate(8):
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 busy
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: >>> slap_listener(ldap:///)
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: listen=8, new connection on 14
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]: 14r
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: added 14r (active) listener=(nil)
Jun 4 15:27:20 MyServer slapd[5866]: daemon: read active on 14
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 fd=14 ACCEPT from IP=X.X.X.X:47982 (IP=0.0.0.0:389)
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: connection_get(14)
Jun 4 15:27:20 MyServer slapd[5866]: connection_get(14): got connid=1002
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: connection_read(14): checking for input on id=1002
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]: op tag 0x60, time 1591298840
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 do_bind
Jun 4 15:27:20 MyServer slapd[5866]: >>> dnPrettyNormal: <uid=0,ou=servers,dc=example,dc=com>
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: <<< dnPrettyNormal: <uid=0,ou=servers,dc=example,dc=com>, <uid=0,ou=servers,dc=example,dc=com>
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 BIND dn="uid=0,ou=servers,dc=example,dc=com" method=128
Jun 4 15:27:20 MyServer slapd[5866]: do_bind: version=3 dn="uid=0,ou=servers,dc=example,dc=com" method=128
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: send_ldap_result: conn=1002 op=0 p=3
Jun 4 15:27:20 MyServer slapd[5866]: send_ldap_result: err=13 matched="" text="confidentiality required"
Jun 4 15:27:20 MyServer slapd[5866]: send_ldap_response: msgid=1 tag=97 err=13
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 RESULT tag=97 err=13 text=confidentiality required
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]: 14r
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: read active on 14
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: connection_get(14)
Jun 4 15:27:20 MyServer slapd[5866]: connection_get(14): got connid=1002
Jun 4 15:27:20 MyServer slapd[5866]: connection_read(14): checking for input on id=1002
Jun 4 15:27:20 MyServer slapd[5866]: op tag 0x42, time 1591298840
Jun 4 15:27:20 MyServer slapd[5866]: ber_get_next on fd 14 failed errno=0 (Success)
Jun 4 15:27:20 MyServer slapd[5866]: connection_read(14): input error=-2 id=1002, closing.
Jun 4 15:27:20 MyServer slapd[5866]: connection_closing: readying conn=1002 sd=14 for close
Jun 4 15:27:20 MyServer slapd[5866]: connection_close: deferring conn=1002 sd=14
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=1 do_unbind
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=1 UNBIND
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: connection_resched: attempting closing conn=1002 sd=14
Jun 4 15:27:20 MyServer slapd[5866]: connection_close: conn=1002 sd=14
Jun 4 15:27:20 MyServer slapd[5866]: daemon: removing 14
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 fd=14 closed
这似乎是我的 LDAP 服务器的正确策略响应。
为了澄清我的问题:libpam_ldap 无法通过 TLS 与我的 LDAP 服务器通信,有人能告诉我为什么会出现这种情况以及我需要做什么来解决这个问题吗?如果您认为这不是我遇到的问题,您认为问题是什么,您认为我需要做什么来解决这个问题?
答案1
我终于解决了我的问题。我的问题是一个奇怪的 TLS 问题,如果您尝试通过 NAT 建立从一台机器到其自身的 TLS 连接(LDAP 服务器和客户端在同一台机器上,但为了使 TLS 正常工作,客户端需要通过域名连接,因此必须遍历 NAT),连接就会完全不起作用。这并非 LDAP 独有,这是一种普遍的奇怪 TLS 行为。解决此问题的方法是禁用 LDAP 服务器上的强制 TLS(删除 olcSecurity 属性),并在 slapd 默认文件中重新启用 ldap:///(与 ldaps:/// 相反),但将其限制为环回接口(ldap://127.0.0.1/)。这样,所有流量仍被迫使用 TLS(由 olcTLSCipherSuite 属性强制执行密码限制),但本地服务仍然能够访问 LDAP 服务器。