ldapsearch finds my account/user, sssd does not

I am trying to set up a new server (Ubuntu 22.04 LTS) and authenticate users with their organizational accounts.

This is the public documentation provided: https://www.hs-regensburg.de/supportwiki/doku.php?id=en:public:netz:auth

When running ldapsearch (as specified in the troubleshooting section), I can find my user, in the form abc12345, together with all the available data.

ldapsearch \
-A \
-H 'ldaps://adldap.hs-regensburg.de' \
-b 'DC=hs-regensburg,DC=de' \
-D '[email protected]' \
-W -z 0 -LLL -E pr=1000/noprompt sAMAccountName=abc12345

Output --> Appendix 1

But when running getent passwd abc12345 I get no output, nor anything in the log files in Appendices 2-3. I would say LDAP cannot find the given username abc12345 at all.

This is my sssd.conf

[sssd]
config_file_version = 2
domains = hs-regensburg.de

[domain/hs-regensburg.de]
id_provider = ldap
auth_provider = ldap

ldap_uri = ldaps://adldap.hs-regensburg.de/
ldap_search_base = dc=hs-regensburg,dc=de

ldap_default_bind_dn = CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
#ldap_default_bind_dn = [email protected]
ldap_default_authtok_type = password
ldap_default_authtok = insertPassword

cache_credentials = false

  1. What changes do I have to make to sssd.conf so that sssd also finds my user, as ldapsearch does?
  2. What exactly is sAMAccountName/samAccountName?
  3. What would be the benefit of setting up my authentication like this: https://ubuntu.com/server/docs/service-sssd-ldap-krb
  4. Is the documentation provided sufficient to set up such a system?

I appreciate any help. If you need more information from me, I am happy to provide whatever is needed.

Appendix 1

Enter LDAP Password:
dn: CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
objectClass:
cn:
sn:
c:
l:
st:
title:
postalCode:
givenName:
distinguishedName:
instanceType:
whenCreated:
whenChanged:
displayName:
uSNCreated:
memberOf:
uSNChanged:
department:
proxyAddresses:
streetAddress:
name:
objectGUID:
userAccountControl:
badPwdCount:
codePage:
countryCode:
homeDirectory:
homeDrive:
badPasswordTime:
lastLogoff:
lastLogon:
pwdLastSet:
primaryGroupID:
profilePath:
objectSid:
accountExpires:
logonCount:
sAMAccountName:
sAMAccountType:
showInAddressBook:
legacyExchangeDN:
userPrincipalName:
objectCategory:
dSCorePropagationData:
lastLogonTimestamp:
uid:
mail:
uidNumber:
gidNumber:
unixHomeDirectory:
loginShell:
mDBUseDefaults:
msExchWhenMailboxCreated:
extensionAttribute9:
msExchUMDtmfMap:
msExchMailboxSecurityDescriptor:
hsrInternalMail:
msExchArchiveWarnQuota:
msExchHomeServerName:
msExchTextMessagingState:
msExchPoliciesExcluded:
msExchDumpsterQuota:
msExchRBACPolicyLink:
msExchUserAccountControl:
msExchMobileMailboxFlags:
msExchArchiveQuota:
msExchDumpsterWarningQuota:
mailNickname:
msExchUserCulture:
msExchVersion:
msExchELCMailboxFlags:
homeMDB:
msExchMailboxGuid:
msExchRecipientTypeDetails:
msExchRecipientDisplayType:
msExchCalendarLoggingQuota:

# refldaps://hs-regensburg.de/CN=Configuration,DC=hs-regensburg,DC=de

# pagedresults: cookie=

Appendix 2

root@hostname:/var/log/sssd# tail -f sssd_nss.log | grep --color 'abc12345\|$'

(2022-08-24  2:02:44): [nss] [accept_fd_handler] (0x0400): [CID#6] Client [cmd getent][uid 1001][0x55e3a007a380][21] connected!
(2022-08-24  2:02:44): [nss] [sss_cmd_get_version] (0x0200): [CID#6] Received client version [1].
(2022-08-24  2:02:44): [nss] [sss_cmd_get_version] (0x0200): [CID#6] Offered version [1].
(2022-08-24  2:02:44): [nss] [nss_getby_name] (0x0400): [CID#6] Input name: abc12345
(2022-08-24  2:02:44): [nss] [cache_req_send] (0x0400): [CID#6] CR #7: REQ_TRACE: New request [CID #6] 'User by name'
(2022-08-24  2:02:44): [nss] [cache_req_process_input] (0x0400): [CID#6] CR #7: Parsing input name [abc12345]
(2022-08-24  2:02:44): [nss] [sss_parse_name_for_domains] (0x0200): [CID#6] name 'abc12345' matched without domain, user is abc12345
(2022-08-24  2:02:44): [nss] [nss_get_object_send] (0x0400): [CID#6] Client [0x55e3a007a380][21]: sent cache request #7
(2022-08-24  2:02:44): [nss] [cache_req_set_name] (0x0400): [CID#6] CR #7: Setting name [abc12345]
(2022-08-24  2:02:44): [nss] [cache_req_select_domains] (0x0400): [CID#6] CR #7: Performing a multi-domain search
(2022-08-24  2:02:44): [nss] [cache_req_search_domains] (0x0400): [CID#6] CR #7: Search will check the cache and check the data provider
(2022-08-24  2:02:44): [nss] [cache_req_set_domain] (0x0400): [CID#6] CR #7: Using domain [hs-regensburg.de]
(2022-08-24  2:02:44): [nss] [cache_req_prepare_domain_data] (0x0400): [CID#6] CR #7: Preparing input data for domain [hs-regensburg.de] rules
(2022-08-24  2:02:44): [nss] [cache_req_search_send] (0x0400): [CID#6] CR #7: Looking up [email protected]
(2022-08-24  2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: Checking negative cache for [[email protected]]
(2022-08-24  2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: [[email protected]] does not exist (negative cache)
(2022-08-24  2:02:44): [nss] [cache_req_process_result] (0x0400): [CID#6] CR #7: Finished: Not found
(2022-08-24  2:02:44): [nss] [client_recv] (0x0200): [CID#6] Client disconnected!

Appendix 3

root@hostname:/var/log/sssd# tail -f sssd_nss.log | grep abc12345

(2022-08-24  2:05:41): [nss] [nss_getby_name] (0x0400): [CID#7] Input name: abc12345
(2022-08-24  2:05:41): [nss] [cache_req_process_input] (0x0400): [CID#7] CR #8: Parsing input name [abc12345]
(2022-08-24  2:05:41): [nss] [sss_parse_name_for_domains] (0x0200): [CID#7] name 'abc12345' matched without domain, user is abc12345
(2022-08-24  2:05:41): [nss] [cache_req_set_name] (0x0400): [CID#7] CR #8: Setting name [abc12345]
(2022-08-24  2:05:41): [nss] [cache_req_search_send] (0x0400): [CID#7] CR #8: Looking up [email protected]
(2022-08-24  2:05:41): [nss] [cache_req_search_ncache] (0x0400): [CID#7] CR #8: Checking negative cache for [[email protected]]
(2022-08-24  2:05:41): [nss] [cache_req_search_ncache] (0x0400): [CID#7] CR #8: [[email protected]] is not present in negative cache
(2022-08-24  2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Looking up [[email protected]] in cache
(2022-08-24  2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Object [[email protected]] was not found in cache
(2022-08-24  2:05:41): [nss] [cache_req_search_dp] (0x0400): [CID#7] CR #8: Looking up [[email protected]] in data provider
(2022-08-24  2:05:41): [nss] [sss_dp_get_account_send] (0x0400): [CID#7] Creating request for [hs-regensburg.de][0x1][BE_REQ_USER][[email protected]:-]
(2022-08-24  2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Looking up [[email protected]] in cache
(2022-08-24  2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Object [[email protected]] was not found in cache
(2022-08-24  2:05:41): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): [CID#7] CR #8: Adding [[email protected]] to negative cache
(2022-08-24  2:05:41): [nss] [sss_ncache_set_str] (0x0400): [CID#7] Adding [NCE/USER/hs-regensburg.de/[email protected]] to negative cache

Answer 1

It looks like you want to control which LDAP attribute SSSD uses to look up your account name.

According to the sssd-ldap-attributes man page, when ldap_schema is set to rfc2307 (the default), rfc2307bis or IPA, ldap_user_name defaults to uid.

When ldap_schema is set to AD (for Active Directory), ldap_user_name defaults to sAMAccountName.

So the simplest solution is probably to configure your SSSD instance to use the AD schema:

[domain/hs-regensburg.de]
id_provider = ldap
auth_provider = ldap
ldap_schema = AD

ldap_uri = ldaps://adldap.hs-regensburg.de/
ldap_search_base = dc=hs-regensburg,dc=de

ldap_default_bind_dn = CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
#ldap_default_bind_dn = [email protected]
ldap_default_authtok_type = password
ldap_default_authtok = insertPassword

cache_credentials = false

I cannot test this myself (I have no access to an AD instance). Most of the guides I found online for connecting SSSD to an Active Directory backend assume you are using Kerberos authentication, so they may not apply entirely to this situation, but they are probably worth a read (e.g. the sssd-ad(5) man page, the online documentation, etc.).
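As an added illustration of the answer's point (example code, not part of the question or the answer above): the script below reads an sssd.conf, applies the per-schema attribute defaults from sssd-ldap-attributes(5), and prints the search filter SSSD will send for `getent passwd abc12345`, so the same query can be replayed with ldapsearch against the real directory. The filter shape `(&(<name attr>=...)(objectClass=<user class>)(uidNumber=*)(!(uidNumber=0)))` is my approximation of SSSD's user-by-name lookup with id mapping off; the exact string varies between SSSD versions. The embedded sssd.conf is a constructed copy of the one in the question. Two practitioner notes that the example does not replace: the ldapsearch in the question used `-A`, which returns attribute names without values, so rerun it without `-A` to see whether `uid` and `sAMAccountName` actually carry the same value before relying on the schema default; and after editing sssd.conf, restart sssd (or run `sss_cache -E`), since Appendix 2 shows the miss being answered from the negative cache. A plaintext `ldap_default_authtok` also means sssd.conf has to be owned by root with mode 0600, which SSSD checks at startup.

```python
"""Replay SSSD's user-by-name lookup with ldapsearch (added example).

Reads an sssd.conf, applies the per-schema defaults from
sssd-ldap-attributes(5), and builds the filter SSSD will send for
`getent passwd <name>` so it can be tried with ldapsearch.
"""
import configparser
import shlex

# Defaults from sssd-ldap-attributes(5) for the attributes a user-by-name
# lookup depends on. rfc2307, rfc2307bis and IPA share the POSIX names;
# AD switches to sAMAccountName / user / unixHomeDirectory.
_POSIX = {
    "ldap_user_object_class": "posixAccount",
    "ldap_user_name": "uid",
    "ldap_user_home_directory": "homeDirectory",
}
SCHEMA_DEFAULTS = {
    "rfc2307": _POSIX,
    "rfc2307bis": _POSIX,
    "ipa": _POSIX,
    "ad": {
        "ldap_user_object_class": "user",
        "ldap_user_name": "sAMAccountName",
        "ldap_user_home_directory": "unixHomeDirectory",
    },
}
COMMON_DEFAULTS = {
    "ldap_user_uid_number": "uidNumber",
    "ldap_user_gid_number": "gidNumber",
    "ldap_user_shell": "loginShell",
}

# Constructed copy of the sssd.conf from the question (password placeholder kept).
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
domains = hs-regensburg.de

[domain/hs-regensburg.de]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://adldap.hs-regensburg.de/
ldap_search_base = dc=hs-regensburg,dc=de
ldap_default_bind_dn = CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
ldap_default_authtok_type = password
ldap_default_authtok = insertPassword
cache_credentials = false
"""


def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # sssd option names are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def domain_section(cp, domain=None):
    """Return the [domain/...] section; defaults to the first domain listed in [sssd]."""
    if domain is None:
        domain = cp["sssd"]["domains"].split(",")[0].strip()
    return cp["domain/" + domain]


def effective_user_map(cp, domain=None):
    """Schema defaults, overridden by any ldap_user_* option set explicitly."""
    sec = domain_section(cp, domain)
    schema = sec.get("ldap_schema", "rfc2307").strip().lower()
    if schema not in SCHEMA_DEFAULTS:
        raise ValueError("unknown ldap_schema: %r" % schema)
    attrs = dict(COMMON_DEFAULTS, **SCHEMA_DEFAULTS[schema])
    for key in attrs:
        if key in sec:
            attrs[key] = sec[key].strip()
    attrs["ldap_schema"] = schema
    return attrs


def ldap_escape(value):
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_lookup_filter(cp, name, domain=None):
    """Approximation of the filter SSSD builds for a user-by-name request
    with id mapping off (assumed shape; the exact form varies by version)."""
    a = effective_user_map(cp, domain)
    return "(&(%s=%s)(objectClass=%s)(%s=*)(!(%s=0)))" % (
        a["ldap_user_name"], ldap_escape(name), a["ldap_user_object_class"],
        a["ldap_user_uid_number"], a["ldap_user_uid_number"])


def ldapsearch_command(cp, name, domain=None):
    """Shell line that replays the lookup. Binds with -W so the authtok from
    sssd.conf never lands on a command line or in shell history."""
    sec = domain_section(cp, domain)
    a = effective_user_map(cp, domain)
    argv = ["ldapsearch", "-LLL", "-H", sec["ldap_uri"].strip(),
            "-b", sec["ldap_search_base"].strip()]
    if "ldap_default_bind_dn" in sec:
        argv += ["-D", sec["ldap_default_bind_dn"].strip(), "-W"]
    argv.append(user_lookup_filter(cp, name, domain))
    argv += [a[k] for k in ("ldap_user_name", "ldap_user_uid_number",
                            "ldap_user_gid_number", "ldap_user_home_directory",
                            "ldap_user_shell")]
    return " ".join(shlex.quote(x) for x in argv)


if __name__ == "__main__":
    posted = parse_sssd_conf(SAMPLE_CONF)
    with_ad = parse_sssd_conf(SAMPLE_CONF + "ldap_schema = AD\n")
    print("as posted:        ", user_lookup_filter(posted, "abc12345"))
    print("ldap_schema = AD: ", user_lookup_filter(with_ad, "abc12345"))
    print(ldapsearch_command(with_ad, "abc12345"))
```

Run as-is it prints the `uid`/`posixAccount` filter for the configuration as posted and the `sAMAccountName`/`user` filter once `ldap_schema = AD` is added; paste the printed ldapsearch line into a shell to see whether the directory returns the entry for each. If only the AD-style filter matches, the answer's fix applies; if neither does, the object class or the uidNumber attribute is the problem rather than the name attribute, and `ldap_user_object_class` or id mapping is the next thing to look at. Setting `ldap_user_name = sAMAccountName` alone, without `ldap_schema = AD`, changes only the name attribute and keeps `posixAccount` and `homeDirectory`, which the script also shows.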
