OpenLDAP: why can't I resolve user accounts?

I followed this OpenLDAP guide:

https://kifarunix.com/install-and-setup-openldap-on-rocky-linux-8/

Everything worked until I tried to resolve a user on the client (following this guide: https://kifarunix.com/configure-sssd-for-ldap-authentication-on-rocky-linux-8/).

I get a message saying "no such user".

The OpenLDAP tutorial lists these objectClasses for users.ldif:

dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount

I noticed that other sites use

objectClass: account

(see: https://www.thegeekstuff.com/2015/02/openldap-add-users-groups/ and https://forums.centos.org/viewtopic.php?t=54808)

I have tried both (and even tried including both at once).

I can run ldapsearch from the client against the server and query any objectClass.

I'm not sure what I'm missing.

I checked my nsswitch.conf to make sure sss comes before files for passwd.

Answer 1

I did basic testing and disabled TLS.

My problem was probably in sssd.conf: not having the right objectClass, along with matching DN, CN and OU.

Server

#https://www.server-world.info/en/note?os=CentOS_7&p=openldap
yum -y install openldap-servers openldap-clients firewalld mlocate man --nobest
updatedb
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 
chown ldap. /var/lib/ldap/DB_CONFIG 
systemctl start slapd 
systemctl enable slapd
cat <<EOF > chrootpw.ldif 
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: 1234
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
cat <<EOF > chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=srv,dc=world" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=srv,dc=world

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=srv,dc=world

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: 1234

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
cat <<EOF > basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section

dn: dc=srv,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Srv

dn: cn=Manager,dc=srv,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=Users,dc=srv,dc=world
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: ou=Groups,dc=srv,dc=world
objectClass: organizationalUnit
objectClass: top
ou: Groups

EOF
ldapadd -x -w 1234 -D cn=Manager,dc=srv,dc=world -f basedomain.ldif
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-service=ldap --permanent 
firewall-cmd --reload

cat <<EOF > adam.ldif
dn: uid=adam,ou=Users,dc=srv,dc=world
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
userPassword: 1234
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
EOF
ldapadd -x -w 1234 -D "cn=Manager,dc=srv,dc=world" -f adam.ldif
ldappasswd -s 1234 -w 1234 -D "cn=Manager,dc=srv,dc=world" -x "uid=adam,ou=Users,dc=srv,dc=world"

sssd.conf [client]

cat <<EOF > /etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=srv,dc=world
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldapmaster
ldap_default_bind_dn = cn=Manager,dc=srv,dc=world
#ldap_default_authtok_type = password
ldap_default_authtok = 1234
#ldap_user_search_base = CN=Users,DC=srv,DC=world
#ldap_tls_reqcert = demand
#ldap_tls_cacert = /etc/pki/tls/cacert.crt
#ldap_tls_cacertdir = /etc/pki/tls
ldap_search_timeout = 50
ldap_network_timeout = 60
#ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=ldapmaster,dc=com
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
EOF
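The answer above narrows the "no such user" error down to the user entry not lining up with sssd.conf (search base, objectClass, required attributes). The following script is an added example, not part of the original post or of SSSD/OpenLDAP: it parses a user LDIF entry and a trimmed sssd.conf (both constructed here from the answer's values) and reports each mismatch that would make SSSD's ldap provider return no passwd entry for that user.

```python
import configparser
import re

# Constructed sample input modelled on the answer above: the adam entry and a trimmed sssd.conf.
ADAM_LDIF = """dn: uid=adam,ou=Users,dc=srv,dc=world
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
"""
SSSD_CONF = """[domain/default]
id_provider = ldap
ldap_search_base = dc=srv,dc=world
ldap_access_filter = (objectClass=posixAccount)
"""
# MUST attributes of posixAccount (RFC 2307); SSSD needs all of them to build a passwd entry.
POSIX_MUST = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")

def parse_ldif(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}, unfolding continuation lines."""
    entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def dn_under_base(dn, base):
    """True if dn equals or sits below base (case-insensitive, whitespace-tolerant RDN compare)."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    d, b = norm(dn), norm(base)
    return d == b or d.endswith("," + b)

def check_user(ldif_text, sssd_text, domain="default"):
    """Return the reasons SSSD would report 'no such user' for this entry (empty list = looks resolvable)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(sssd_text)
    sec = cfg[f"domain/{domain}"]
    entry, problems = parse_ldif(ldif_text), []
    dn = entry.get("dn", [""])[0]
    if not dn_under_base(dn, sec["ldap_search_base"]):
        problems.append(f"DN {dn} is outside ldap_search_base {sec['ldap_search_base']}")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("no objectClass posixAccount (inetOrgPerson or account alone gives no passwd entry)")
    problems += [f"missing required attribute {a}" for a in POSIX_MUST if a.lower() not in entry]
    # Only a simple (objectClass=X) ldap_access_filter is modelled; it applies when access_provider = ldap.
    m = re.fullmatch(r"\(objectclass=(\w+)\)", sec.get("ldap_access_filter", ""), re.I)
    if m and m.group(1).lower() not in classes:
        problems.append(f"entry does not match ldap_access_filter {m.group(0)}")
    return problems
```

Running `check_user` on an inetOrgPerson-only entry under a different suffix, like the johndoe entry in the question, lists the search-base mismatch, the missing posixAccount class and each missing RFC 2307 attribute at once.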
