我有一台 RHEL 主机。我已将 sssd 配置为连接到 ldap 服务器。ldap 用户无法远程连接到主机。但是,只要我执行 su - username,它就会正常工作。但如果用户尝试通过 ssh 登录,它就不起作用。我收到权限被拒绝的消息。我使用 ssh 密钥以 root 身份登录到服务器以进行配置并重新启动 sssd。以下是 /etc/sssd/sssd.conf 文件。
[domain/example.com]
autofs_provider = ldap
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = ad
ldap_referrals = False
ldap_uri = ldaps://ad.example.com
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/ssl/certs
ldap_tls_cacert = /etc/ssl/certs/myldap.pem
ad_access_filter = (&(memberOf=CN=webexample,OU=example groups,DC=example,DC=com)(unixHomeDirectory=*))
ldap_default_bind_dn = CN=webexample,OU=Generics,OU=example Users,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_pwd_policy = none
ldap_search_base = DC=example,DC=com
ldap_group_search_base = OU=example groups,DC=example,DC=com
ldap_user_search_base = OU=Employees,OU=example users,DC=example,DC=com
ldap_user_search_scope = sub
cache_credentials = true
account_cache_expiration = 7
entry_cache_timeout = 3600
enumerate = false
ldap_network_timeout = 3
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
override_gid = 55999
ldap_id_mapping = true
ldap_user_object_class = person
ldap_user_name = cn
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_extra_attrs = mail, givenname, sn, displayname
ldap_group_object_class = group
ldap_group_name = cn
ldap_group_member = member
ldap_user_member_of = memberOf
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
debug_timestamps = true
services = nss, pam
domains = example.com
[nss]
filter_groups = root
filter_users = root
vetoed_shells = /bin/csh,/bin/zsh,/bin/ksh,/bin/tcsh,bin/sh
shell_fallback = /bin/bash
override_homedir = /home/%u
[pam]
offline_credentials_expiration = 3
[sudo]
[autofs]
[ssh]
[pac]
[secrets]
当我重新启动 sssd 时,我收到了 ssl 错误消息。
Could not start TLS encryption. error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)