我有一台服务器helm-openldap以及一个 debian 客户端。我无法登录拥有 SHA-512 加密密码的用户。如果我以明文或 MD5 格式存储密码,它就可以正常工作。
$ id tuser
uid=5000(tuser) gid=5000(tuser) groups=5000(tuser),5001(wheel)
/var/log/auth.log
Jul 1 14:04:33 debian su: pam_unix(su:auth): authentication failure; logname=debian uid=1000 euid=0 tty
=pts/0 ruser=debian rhost= user=tuser
Jul 1 14:04:33 debian su: pam_sss(su:auth): authentication failure; logname=debian uid=1000 euid=0 tty=
pts/0 ruser=debian rhost= user=tuser
Jul 1 14:04:33 debian su: pam_sss(su:auth): received for user tuser: 7 (Authentication failure)
Jul 1 14:04:36 debian su: FAILED SU (to tuser) debian on pts/0
sssd.conf:
[sssd]
domains = LDAP_DOMAIN
services = nss, pam
[domain/LDAP_DOMAIN]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.domain.com
cache_credentials = True
ldap_default_bind_dn = cn=admin,dc=domain,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = admin_password
$ ldapsearch -x -H ldaps://ldap.domain.com -b dc=domain,dc=com -D cn=admin,dc=domain,dc=com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# test.user, domain.com
dn: cn=test.user,dc=domain,dc=com
cn: test.user
gidNumber: 5000
givenName: test
homeDirectory: /home/tuser
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
sn: tuser
uid: tuser
uidNumber: 5000
loginShell: /usr/bin/bash
userPassword:: e01ENX1rQUZRbUR6U1Q3RFdsajk5S09GL2NnPT0=
# search result
search: 2
result: 0 Success
# numResponses: 1
# numEntries: 1
提前感谢你的帮助!