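I want to use SSSD ldap as the provider for shadow entries. It seems to be supported, because the default configuration installed with sssd adds sss to passwd and shadow in nsswitch.conf, but I cannot get shadow entries.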
Testing getent passwd myuser gives me the correct result. getent shadow myuser immediately returns nothing (it seems sssd is not checked at all).
The shadow entry does exist in LDAP, and sssd seems to know about it, because I see this in the logs:
[sdap_attrs_add_ldap_attr] (0x2000): [RID#4] Adding pwdAttribute [....] to attributes of [myuser@domain].
Unfortunately, it never seems to be used.
To prevent attempts to authenticate via an LDAP bind, I use:
id_provider=ldap
auth_provider=none
Unfortunately, that only results in:
(2023-08-11 7:04:03): [be[okta]] [dp_pam_handler_send] (0x0100): Got request with the following data
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): domain: domain
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): user: myuser@domain
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): service: sudo-i
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): tty: /dev/pts/3
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): ruser: myuser
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): rhost:
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): authtok type: 1 (Password)
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): priv: 1
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): cli_pid: 2368059
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): logon name: not set
(2023-08-11 7:04:03): [be[okta]] [pam_print_data] (0x0100): flags: 0
(2023-08-11 7:04:03): [be[okta]] [dp_attach_req] (0x0400): [RID#5] DP Request [PAM Authenticate #5]: REQ_TRACE: New request. [sssd.pam CID #1] Flags [0000].
(2023-08-11 7:04:03): [be[okta]] [dp_attach_req] (0x0400): [RID#5] Number of active DP request: 1
(2023-08-11 7:04:03): [be[okta]] [dp_find_method] (0x0100): [RID#5] Target [auth] is not initialized
(2023-08-11 7:04:03): [be[okta]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #5]: Receiving request data.
(2023-08-11 7:04:03): [be[okta]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #5]: Request removed.
(2023-08-11 7:04:03): [be[okta]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(2023-08-11 7:04:03): [be[okta]] [sbus_issue_request_done] (0x0200): sssd.dataprovider.pamHandler: Error [1432158215]: DP target is not configured
What configuration am I missing to expose the user attributes as a standard shadow database?