A fresh Debian 12 in the lab (VM). I installed slapd, phpldapadmin, nslcd, nscd and their dependencies. I have two local accounts: root and user1. In addition, I have only the user1 POSIX account on the local LDAP server. I can change user1's password with passwd; the password changes both on the LDAP server and in the shadow file. I can log in via ssh as root and as user1.
I cannot change root's password with passwd, because after I invoke the program:
passwd: Authentication token manipulation error
passwd: password unchanged
no password (current or new) is asked for.
How can I change the local root password if there is no root account on the LDAP server?
Is this the correct behaviour of passwd, or is something misconfigured?
Here is my configuration:
nslcd.conf:
uid nslcd
gid nslcd
uri ldap://127.0.0.1/
base dc=debian,dc=valhalla,dc=**,dc=**
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
nscd.conf:
debug-level 0
paranoia no
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes
enable-cache hosts yes
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432
enable-cache services yes
positive-time-to-live services 28800
negative-time-to-live services 20
suggested-size services 211
check-files services yes
persistent services yes
shared services yes
max-db-size services 33554432
enable-cache netgroup yes
positive-time-to-live netgroup 28800
negative-time-to-live netgroup 20
suggested-size netgroup 211
check-files netgroup yes
persistent netgroup yes
shared netgroup yes
max-db-size netgroup 33554432
nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
common-account:
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
common-auth:
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
common-password:
password required pam_unix.so obscure yescrypt
password sufficient pam_ldap.so minimum_uid=1000 try_first_pass
password requisite pam_deny.so
password required pam_permit.so
common-session:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
session optional pam_systemd.so
Answer 1
Answering myself: the error lies in the following lines:
password sufficient pam_ldap.so minimum_uid=1000 try_first_pass
password requisite pam_deny.so
Root (UID=0) cannot satisfy these rules (minimum_uid), so pam_deny.so makes this module fail ("Authentication token manipulation error"). If root has no account in openldap, pam_ldap and pam_deny must be skipped:
password required pam_unix.so obscure yescrypt audit
password [success=2 default=ignore] pam_rootok.so
password [success=1 new_authtok_reqd=ok ignore=ignore default=bad] pam_ldap.so minimum_uid=1000 debug try_first_pass
password requisite pam_deny.so
password required pam_permit.so
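To make the jump arithmetic in the answer concrete, here is an added example (not part of the question or the answer) that models how Linux-PAM walks a password stack and replays both stacks above for root (uid 0, local only) and user1 (uid 1000, in shadow and in LDAP). The module results are simplified assumptions: pam_ldap returns ignore below minimum_uid and user_unknown for accounts absent from LDAP, pam_deny returns the authtok_err code that passwd reports as "Authentication token manipulation error".

```python
# Constructed model of the Linux-PAM stack evaluator and of this page's modules (not libpam itself).
import re
KEYWORDS = {  # the tables Linux-PAM expands the classic control keywords to
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
}
ORIGINAL = """password required pam_unix.so obscure yescrypt
password sufficient pam_ldap.so minimum_uid=1000 try_first_pass
password requisite pam_deny.so
password required pam_permit.so"""
FIXED = """password required pam_unix.so obscure yescrypt audit
password [success=2 default=ignore] pam_rootok.so
password [success=1 new_authtok_reqd=ok ignore=ignore default=bad] pam_ldap.so minimum_uid=1000 debug try_first_pass
password requisite pam_deny.so
password required pam_permit.so"""
def parse_stack(text):  # 'password <control> <module> [args...]' -> (action table, module, options)
    rules = []
    for line in text.strip().splitlines():
        ctl, module, args = re.match(r"\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line).groups()
        table = dict(kv.split("=") for kv in KEYWORDS.get(ctl, ctl).strip("[]").split())
        rules.append((table, module, dict(a.split("=", 1) for a in args.split() if "=" in a)))
    return rules
def call_module(module, opts, user):  # simplified chauthtok results; user = {uid, local, ldap}
    below_min = user["uid"] < int(opts.get("minimum_uid", 0))  # pam_ldap steps aside below this
    return {
        "pam_unix.so": "success" if user["local"] else "user_unknown",
        "pam_ldap.so": "ignore" if below_min else "success" if user["ldap"] else "user_unknown",
        "pam_rootok.so": "success" if user["uid"] == 0 else "auth_err",
        "pam_deny.so": "authtok_err",  # passwd prints this as "Authentication token manipulation error"
        "pam_permit.so": "success",
    }[module]
def run_stack(text, user):  # Linux-PAM's impression/status bookkeeping, including jumps
    rules, impression, status, i = parse_stack(text), None, None, 0
    while i < len(rules):
        (table, module, opts), i = rules[i], i + 1
        retval = call_module(module, opts, user)
        action = table.get(retval, table.get("default", "bad"))  # unlisted codes count as bad
        if action in ("bad", "die"):
            impression, status = (impression, status) if impression == "neg" else ("neg", retval)
            if action == "die":
                break                               # requisite-style: stop right here
        elif action != "ignore":                    # ok, done, or a numeric jump
            if retval != "ignore" and (impression is None or (impression, status) == ("pos", "success")):
                impression, status = "pos", retval
            if action.isdigit():
                i += int(action)                    # skip the next N modules
            elif action == "done" and impression == "pos":
                break
    return status if impression is not None else "perm_denied"
```

Under this model run_stack(ORIGINAL, root) ends in authtok_err at pam_deny while run_stack(FIXED, root) passes via the success=2 jump; it also shows that a local-only account with uid 1000 or above is still refused by the corrected stack (default=bad on pam_ldap), which is worth checking before adopting it.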