I am trying to restrict LDAP logins to the "admin" group.
This is my /etc/sssd/sssd.conf file:
[domain/default]
autofs_provider = ldap
ldap_tls_reqcert = allow
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
cache_credentials = True
debug_timestamps = True
ldap_default_authtok_type = password
ldap_search_base = dc=example,dc=com
id_provider = ldap
ldap_default_bind_dn = cn=moderator,ou=moderators,ou=test,o=organization,dc=example,DC=COM
min_id = 100
ldap_uri = ldaps://example.com:636/
ldap_default_authtok = Pa$$word
ldap_tls_cacertdir = /etc/openldap/cacerts/
ldap_tls_cert = /etc/openldap/cacerts/certificate.pem
access_provider = ldap
ldap_access_filter = memberOf=cn=admin,ou=group,o=organization,dc=example,dc=com
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
I tried running id username, and the result is as follows:
id user
uid=90514(user) gid=20000(users) groups=20000(users),2480(admin)
When I try to switch to the user with su user, it fails after the password is entered with:
su: Permission denied
After removing the group restriction entry from sssd.conf, it works as expected and lets the user log in.
Do you know where I messed up?
Edit: I have now set this up via /etc/security and PAM, and it works. However, I am still curious about how to do this with sssd.
Answer 1
According to https://www.mankier.com/5/sssd-ldap:
ldap_access_filter (string)
If using access_provider = ldap and ldap_access_order = filter (default), this
option is mandatory. It specifies an LDAP search filter criteria that must be met
for the user to be granted access on this host.
If access_provider = ldap, ldap_access_order = filter and this option is not set,
it will result in all users being denied access. Use access_provider = permit to
change this default behavior.
So apparently adding access_provider = permit should solve your problem.
Answer 2
Is the memberOf overlay present in your LDAP configuration? As far as I know, this overlay has to be configured explicitly before it can be used.
The output of the following command should contain something like "memberof.la". If it does not, you probably need to configure the LDAP server first.
slapcat -n 0 | grep olcModuleLoad
These might help: https://tylersguides.com/guides/openldap-memberof-overlay/#configuration_tag https://stackoverflow.com/questions/60994495/memberof-and-refint-does-not-work-in-openldap
Answer 3
This is easier (some would say simpler) to do with the simple access control provider:
[domain/default]
...
access_provider = simple
simple_allow_groups = admin
ldap_group_search_base = ou=group,o=organization,dc=example,dc=com
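The following Python script is an added example and is not code from the question or from any of the answers above. It models the host access decision that the man page quoted in Answer 1 describes for access_provider = ldap (no ldap_access_filter means everyone is denied; a plain memberOf filter is matched against the memberOf attribute on the user's own LDAP entry, which is only populated when the overlay from Answer 2 is active) next to the simple provider from Answer 3, which works from the group list NSS already resolves. The two configuration snippets and the user record are constructed for this example: the user is in the admin group according to id, but has no memberOf attribute, which is exactly the situation in the question. Option defaults (access_provider = permit, ldap_access_order = filter) are taken from the sssd-ldap man page; the behaviour of unusual filters is not modelled and is reported as unknown.

```python
import configparser
import re

# Constructed sample: the relevant part of the question's sssd.conf.
LDAP_CONF = """
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_search_base = dc=example,dc=com
access_provider = ldap
ldap_access_filter = memberOf=cn=admin,ou=group,o=organization,dc=example,dc=com
"""

# Constructed sample: the same domain using the simple provider from Answer 3.
SIMPLE_CONF = """
[domain/default]
id_provider = ldap
access_provider = simple
simple_allow_groups = admin
ldap_group_search_base = ou=group,o=organization,dc=example,dc=com
"""

# Constructed user: 'groups' is what id(1) prints, 'memberOf' is the attribute on
# the user's LDAP entry (empty when the memberOf overlay is not configured).
USER_NO_OVERLAY = {"name": "user", "groups": ["users", "admin"], "memberOf": []}


def parse_sssd_conf(text):
    """Parse sssd.conf (INI-style, '=' separated) into {section: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # sssd option names are case-sensitive; keep them as written
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def _member_of_group_dn(ldap_filter):
    """Return the group DN if the filter is a plain memberOf equality match, else None."""
    m = re.fullmatch(r"\(?\s*memberOf=([^()]+?)\s*\)?", ldap_filter.strip(), re.IGNORECASE)
    return m.group(1).strip() if m else None


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def access_decision(conf, domain, user):
    """Return (verdict, reason) for a user on this host under the given domain config."""
    d = conf.get("domain/" + domain, {})
    provider = d.get("access_provider", "permit").strip().lower()

    if provider == "permit":
        return "allow", "access_provider = permit: no access control, every authenticated user is allowed"
    if provider == "deny":
        return "deny", "access_provider = deny: every user is denied"

    if provider == "ldap":
        if d.get("ldap_access_order", "filter").strip() != "filter":
            return "unknown", "ldap_access_order other than 'filter' is not modelled"
        ldap_filter = d.get("ldap_access_filter", "").strip()
        if not ldap_filter:
            return "deny", "access_provider = ldap without ldap_access_filter denies all users"
        group_dn = _member_of_group_dn(ldap_filter)
        if group_dn is None:
            return "unknown", "filter %r has to be evaluated by the LDAP server" % ldap_filter
        if any(group_dn.lower() == dn.lower() for dn in user["memberOf"]):
            return "allow", "user's LDAP entry carries memberOf=%s" % group_dn
        return "deny", "user's LDAP entry has no memberOf=%s (overlay missing?)" % group_dn

    if provider == "simple":
        groups = set(user["groups"])
        if user["name"] in _csv(d.get("simple_deny_users", "")):
            return "deny", "user is listed in simple_deny_users"
        if groups & set(_csv(d.get("simple_deny_groups", ""))):
            return "deny", "user is in a simple_deny_groups group"
        allow_users = _csv(d.get("simple_allow_users", ""))
        allow_groups = _csv(d.get("simple_allow_groups", ""))
        if not allow_users and not allow_groups:
            return "allow", "simple provider with no allow lists permits everyone not denied"
        if user["name"] in allow_users or groups & set(allow_groups):
            return "allow", "user matches simple_allow_users/simple_allow_groups"
        return "deny", "user is not in simple_allow_groups %s" % allow_groups

    return "unknown", "access_provider %r is not modelled" % provider


if __name__ == "__main__":
    for label, text in (("ldap filter", LDAP_CONF), ("simple provider", SIMPLE_CONF)):
        verdict, reason = access_decision(parse_sssd_conf(text), "default", USER_NO_OVERLAY)
        print("%-16s %-5s %s" % (label, verdict, reason))
```

Run as a script it prints the deny for the question's ldap_access_filter configuration and the allow for the simple provider, which is the difference Answer 3 relies on: the simple provider consults the group membership that id already shows, while the LDAP filter needs the memberOf attribute on the user object. The same functions can be pointed at a real file by feeding its contents to parse_sssd_conf.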