Install LDAP on ubuntu 14.04

I am trying to configure OpenLDAP on Ubuntu Server 14.04 LTS and clients (Ubuntu 14.04 and/or Linux Mint 17). It works with the su command, ssh or a terminal, but not on the login screen. After installation I can see the LDAP users on the login screen, but after a few minutes only local users are available. /var/log/auth.log gives me:

Feb 17 21:33:50 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
Feb 17 21:33:50 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
Feb 17 21:33:50 PC1 sh: nss_ldap: reconnecting to LDAP server...
Feb 17 21:33:50 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
Feb 17 21:33:50 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
Feb 17 21:33:50 PC1 sh: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Feb 17 21:33:51 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
Feb 17 21:33:51 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
Feb 17 21:33:51 PC1 sh: nss_ldap: could not search LDAP server - Server is unavailable
Feb 17 21:33:51 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
Feb 17 21:33:51 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
Feb 17 21:33:51 PC1 sh: nss_ldap: reconnecting to LDAP server...
Feb 17 21:33:51 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
Feb 17 21:33:51 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
Feb 17 21:33:51 PC1 sh: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Feb 17 21:33:52 PC1 sshd[968]: Server listening on 0.0.0.0 port 22.
Feb 17 21:33:52 PC1 sshd[968]: Server listening on :: port 22.
Feb 17 21:33:52 PC1 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Feb 17 21:33:52 PC1 lightdm: PAM adding faulty module: pam_kwallet.so
Feb 17 21:33:52 PC1 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Feb 17 21:33:52 PC1 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Feb 17 21:33:52 PC1 lightdm: PAM adding faulty module: pam_kwallet.so
Feb 17 21:33:52 PC1 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "adminlocal"
Feb 17 21:33:52 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
Feb 17 21:33:52 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
Feb 17 21:33:52 PC1 sh: nss_ldap: could not search LDAP server - Server is unavailable
Feb 17 21:33:54 PC1 dbus[431]: [system] Rejected send message, 7 matched rules; type="method_return", sender=":1.42" (uid=0 pid=1518 comm="/usr/sbin/dnsmasq --no-resolv --keep-in-foreground") interface="(un$
Feb 17 21:34:04 PC1 dbus[431]: [system] Rejected send message, 7 matched rules; type="method_return", sender=":1.42" (uid=0 pid=1518 comm="/usr/sbin/dnsmasq --no-resolv --keep-in-foreground") interface="(un$
Feb 17 21:34:18 PC1 sshd[1728]: Accepted password for adminlocal from 192.168.0.53 port 61914 ssh2
Feb 17 21:34:18 PC1 sshd[1728]: pam_unix(sshd:session): session opened for user adminlocal by (uid=0)
Feb 17 21:34:44 PC1 sudo: pam_unix(sudo:auth): authentication failure; logname=adminlocal uid=1000 euid=0 tty=/dev/pts/1 ruser=adminlocal rhost=  user=adminlocal
Feb 17 21:34:49 PC1 sudo: adminlocal : TTY=pts/1 ; PWD=/home/adminlocal ; USER=root ; COMMAND=/usr/bin/nano /var/log/nscd.log
Feb 17 21:34:49 PC1 sudo: pam_unix(sudo:session): session opened for user root by adminlocal(uid=0)
Feb 17 21:34:51 PC1 sudo: pam_unix(sudo:session): session closed for user root

Getent passwd shows the ldap users, so I think it is a lightdm issue... I tried several guides, but without success. Has anyone run into the same thing? What should I do? Thanks a lot. Florent


Steps to reproduce

Set a static IP:

sudo nano /etc/network/interfaces
[…]
auto eth0
iface eth0 inet static
address 192.168.0.22
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.254
dns-nameservers 8.8.8.8

Install LDAP

sudo apt-get install slapd ldap-utils
sudo dpkg-reconfigure slapd

example.com

Example Company

password x2

HDB, No, Yes, No (defaults)

Install phpldapadmin (also tried with ldif files)

sudo apt-get install phpldapadmin


sudo nano /etc/phpldapadmin/config.php
[line 161]
$config->custom->appearance['hide_template_warning'] = true;
[...]
$servers->setValue('server','host','192.168.0.22');
[...]
$servers->setValue('server','base',array('dc=aldarim,dc=local'));
[...]
$servers->setValue('login','bind_id','cn=admin,dc=aldarim,dc=local');


sudo nano /usr/share/phpldapadmin/lib/TemplateRender.php
[Line 2469]
$default = $this->getServer()->getValue('appearance','password_hash_custom');

Configure LDAP

http://192.168.0.22/phpldapadmin

  • Create 2 Generic: Organisational Unit => Groups and People
  • Under Groups, create 2 Posix Groups => admin and employees
  • Under People, create the users

Install the ldap client on the server

sudo apt-get install libpam-ldap nscd

ldap://127.0.0.1

dc=example,dc=com

3, Yes, No (defaults)

cn=admin,dc=example,dc=com

admin password

nano /etc/nsswitch.conf
[...]
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
[...]

sudo reboot

Client configuration

sudo apt-get install libpam-ldap nscd

ldap://192.168.0.22

dc=example,dc=com

3, Yes, No (defaults)

cn=admin,dc=example,dc=com

admin password

nano /etc/nsswitch.conf
[...]
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
[...]

sudo reboot

Alternative client configuration:

sudo apt-get install libnss-ldap ldap-auth-config
sudo auth-client-config -t nss -p lac_ldap
sudo pam-auth-update

Same error...
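The log above shows nss_ldap failing to bind as cn=admin,dc=example,dc=local in the same seconds that lightdm's greeter starts. As an added example, not part of the original question, here is a small shell script that pulls the relevant facts out of an auth.log excerpt: how many unreachable-server messages there are, which bind DN nss_ldap is using, and when the last failure happened relative to the greeter coming up. The log lines are constructed samples modelled on the ones in the question, and the least-privilege remark about the bind DN is a recommendation of this example, not something the post states.

```shell
#!/bin/sh
# Added example, not code from the original post: triage an auth.log excerpt
# for nss_ldap connection failures and relate them to the greeter start-up.
# The log lines below are constructed samples modelled on the question's log.

LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Feb 17 21:33:50 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
Feb 17 21:33:50 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
Feb 17 21:33:51 PC1 sh: nss_ldap: could not search LDAP server - Server is unavailable
Feb 17 21:33:52 PC1 sshd[968]: Server listening on 0.0.0.0 port 22.
Feb 17 21:33:52 PC1 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Feb 17 21:34:18 PC1 sshd[1728]: Accepted password for adminlocal from 192.168.0.53 port 61914 ssh2
EOF

# Count nss_ldap lines that report the directory server as unreachable.
count_ldap_unreachable() {
    grep -Ec "nss_ldap: .*(Can't contact LDAP server|Server is unavailable)" "$1" || true
}

# Distinct bind DNs nss_ldap tried to use (the "as <dn>" part of the message).
bind_dn_in_log() {
    sed -n 's/.*could not connect to any LDAP server as \([^ ]*\) - .*/\1/p' "$1" | sort -u
}

# Timestamp of the first greeter session, i.e. when the login screen came up.
greeter_start_time() {
    sed -n 's/^\([A-Z][a-z]* [0-9]* [0-9:]*\) .*lightdm-greeter:session.*/\1/p' "$1" | head -n 1
}

# Timestamp of the last unreachable-server message in the excerpt.
last_failure_time() {
    grep -E "nss_ldap: .*(Can't contact LDAP server|Server is unavailable)" "$1" \
        | tail -n 1 | cut -d' ' -f1-3
}

# Flag NSS lookups that bind with the directory admin account: name-service
# lookups only need read access, so a dedicated low-privilege bind DN is the
# least-privilege choice (recommendation of this example, not from the post).
bind_dn_is_admin() {
    bind_dn_in_log "$1" | grep -q '^cn=admin,'
}

echo "unreachable-server messages: $(count_ldap_unreachable "$LOG")"
echo "bind DN seen in log:         $(bind_dn_in_log "$LOG")"
echo "last nss_ldap failure at:    $(last_failure_time "$LOG")"
echo "greeter started at:          $(greeter_start_time "$LOG")"
if bind_dn_is_admin "$LOG"; then
    echo "note: NSS lookups bind as the directory admin DN"
fi
```

Point the functions at the real /var/log/auth.log instead of the temporary file to run the same triage on a live client; the interesting comparison is the gap between the last failure and the greeter start.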

Answer 1

The problem is that your configurations differ. The dc must match the domain example.com, but in phpldapadmin you configured the dc as aldarim.local. Here are your settings:

LDAP configuration:

  • example.com
  • Example Company
  • password x2
  • HDB, No, Yes, No (defaults)

and the phpldapadmin configuration:

sudo nano /etc/phpldapadmin/config.php
[line 161]
$config->custom->appearance['hide_template_warning'] = true;
[...]
$servers->setValue('server','host','192.168.0.22');
[...]
$servers->setValue('server','base',array('dc=aldarim,dc=local'));
[...]
$servers->setValue('login','bind_id','cn=admin,dc=aldarim,dc=local');

Here is an example of how the domain names match even if you use an IP address: see this tutorial. This means you can enter whatever you want, but both settings must match.

Change your LDAP configuration to use aldarim.local and call the company aldarim, and you should be fine. Or change the following lines to use example.com

$servers->setValue('server','base',array('dc=example,dc=com'));
[...]
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');

Either way, they must match.
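The answer's point is that three values must agree: the base DN that dpkg-reconfigure slapd derives from the domain, the base phpldapadmin is given in config.php, and the base the client typed in at the libpam-ldap prompts. Below is an added example, not code from the answer or the question, that checks this against constructed config excerpts. The phpldapadmin lines mirror the question's config; the /etc/ldap.conf excerpt (where libpam-ldap stores base and rootbinddn) is an assumed sample, and the second, corrected phpldapadmin excerpt applies the answer's fix.

```shell
#!/bin/sh
# Added example, not code from the original answer: check that the base DN
# derived from the slapd domain matches what phpldapadmin and the client's
# /etc/ldap.conf use. All config excerpts below are constructed samples.

CFG="$(mktemp)"        # phpldapadmin config.php as posted in the question
CFG_FIXED="$(mktemp)"  # same file with the answer's fix applied
LDAPCONF="$(mktemp)"   # assumed /etc/ldap.conf written by libpam-ldap
trap 'rm -f "$CFG" "$CFG_FIXED" "$LDAPCONF"' EXIT

cat > "$CFG" <<'EOF'
$config->custom->appearance['hide_template_warning'] = true;
$servers->setValue('server','host','192.168.0.22');
$servers->setValue('server','base',array('dc=aldarim,dc=local'));
$servers->setValue('login','bind_id','cn=admin,dc=aldarim,dc=local');
EOF

cat > "$CFG_FIXED" <<'EOF'
$servers->setValue('server','host','192.168.0.22');
$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
EOF

cat > "$LDAPCONF" <<'EOF'
base dc=example,dc=com
uri ldap://192.168.0.22
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
EOF

# "example.com" -> "dc=example,dc=com", the way dpkg-reconfigure slapd derives it.
domain_to_dn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Base DN configured in phpldapadmin's config.php.
phpldapadmin_base() {
    sed -n "s/.*setValue('server','base',array('\([^']*\)')).*/\1/p" "$1"
}

# Bind DN configured in phpldapadmin's config.php.
phpldapadmin_bind_id() {
    sed -n "s/.*setValue('login','bind_id','\([^']*\)').*/\1/p" "$1"
}

# Base DN from an ldap.conf-style file ("base <dn>").
ldapconf_base() {
    sed -n 's/^base[[:space:]]\{1,\}//p' "$1"
}

# Strip the leading RDN: "cn=admin,dc=x,dc=y" -> "dc=x,dc=y".
dn_suffix() {
    printf '%s\n' "$1" | sed 's/^[^,]*,//'
}

# Succeeds only when every configured base agrees with the DN derived from
# the domain: phpldapadmin base, phpldapadmin bind DN suffix, ldap.conf base.
check_dn_consistency() {
    expected="$(domain_to_dn "$1")"
    [ "$(phpldapadmin_base "$2")" = "$expected" ] &&
    [ "$(dn_suffix "$(phpldapadmin_bind_id "$2")")" = "$expected" ] &&
    [ "$(ldapconf_base "$3")" = "$expected" ]
}

for cfg in "$CFG" "$CFG_FIXED"; do
    if check_dn_consistency example.com "$cfg" "$LDAPCONF"; then
        echo "ok: all base DNs match $(domain_to_dn example.com)"
    else
        echo "mismatch: slapd $(domain_to_dn example.com), phpldapadmin $(phpldapadmin_base "$cfg"), ldap.conf $(ldapconf_base "$LDAPCONF")"
    fi
done
```

On a real system, feed the functions /etc/phpldapadmin/config.php and /etc/ldap.conf, and confirm the suffix actually exists on the server with ldapsearch -x -H ldap://192.168.0.22 -b dc=example,dc=com -s base; a base that parses fine but does not exist in the directory fails in exactly the same silent way as the mismatch in the question.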
