nss_ldap 无法绑定到 LDAP 服务器

tag-icon tag-icon ldap pam ubuntu-20.04 pam-ldap
nss_ldap 无法绑定到 LDAP 服务器

我已使用 nss_ldap 配置了 ldap 客户端(ubuntu 20.04)以连接 ldap 服务器并接受特定组中的用户,似乎一切正常,客户端可以访问 ldap 服务器,ldap 用户可以访问客户端计算机。但是,当客户端连接到 ldap 服务器时,我收到以下错误消息:

systemd-logind: nss_ldap: failed to bind to LDAP server ldap://[IP address]: Can't contact LDAP server
systemd-logind: nss_ldap: reconnecting to LDAP server...
systemd-logind: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=com - Can't contact LDAP server
systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable

这是我的配置文件:

/etc/ldap.conf 关于该参数(nss_initgroups_ignoreusers)是自动生成的。

# The distinguished name of the search base.
base dc=example,dc=com

# Another way to specify your LDAP server is to provide an
uri ldap://[IP address]

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=example,dc=com

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5

nss_initgroups_ignoreusers _apt,backup,bin,clamav,daemon,fwupd-refresh,games,gnats,irc,landscape,list,lp,lxd,mail,man,messagebus,mysql,news,pollinate,proxy,root,sshd,sync,sys,syslog,systemd-coredump,systemd-network,systemd-resolve,systemd-timesync,tcpdump,tss,uucp,uuidd,www-data

/etc/ldap.secret--> 包含密码。

/etc/nsswitch.conf

passwd:         files ldap systemd
group:          files ldap systemd
shadow:         files ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

/etc/pam.d/common-session

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional                        pam_ldap.so
session optional        pam_systemd.so
session required    pam_mkhomedir.so skel=/etc/skel umask=0022

/etc/security/access.conf

added this line [ -:ALL EXCEPT root khloud (ldap-group) (admin) ubuntu:ALL EXCEPT LOCAL ]

sshd 配置文件--> 取消注释以下行:

 account  required     pam_access.so

注意:我也使用 ldapsearch 测试了连接并且它可以工作。

我尝试更改 nsswitch.conf 文件或重新安装 nss_ldap 客户端,但一切正常,但仍然收到相同的错误。

相关内容