Context
I am trying to configure LDAP authentication on an Ubuntu 18.04 machine.
Steps to reproduce
To do this, I followed these steps:
apt install sssd libpam-sss libnss-sss
Create a /etc/sssd/sssd.conf with the following content:
[sssd]
debug_level = 0x01E0
services = nss, pam
config_file_version = 2
domains = default

[nss]
debug_level = 0x01E0

[pam]
debug_level = 0x01E0
offline_credentials_expiration = 60

[domain/default]
debug_level = 0x01E0
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = ou=department,o=company,c=country
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.company.country
ldap_default_bind_dn = cn=***,o=company,c=country
ldap_default_authtok = *****
ldap_tls_reqcert = try
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=inetOrgPerson)
Make sure only root can access the configuration file:
chown root:root /etc/sssd/sssd.conf
chmod 0600 /etc/sssd/sssd.conf
Restart the service:
sudo systemctl restart sssd
Make sure the service started correctly:
sudo systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-01-19 08:26:45 UTC; 1h 1min ago
 Main PID: 24043 (sssd)
    Tasks: 4 (limit: 2316)
   CGroup: /system.slice/sssd.service
           ├─24043 /usr/sbin/sssd -i --logger=files
           ├─24064 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain default --uid 0 --gid 0 --logger=files
           ├─24070 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─24071 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Jan 19 08:26:45 ubuntu1804.localdomain systemd[1]: Starting System Security Services Daemon...
Jan 19 08:26:45 ubuntu1804.localdomain sssd[24043]: Starting up
Jan 19 08:26:45 ubuntu1804.localdomain sssd[be[24064]: Starting up
Jan 19 08:26:45 ubuntu1804.localdomain sssd[24070]: Starting up
Jan 19 08:26:45 ubuntu1804.localdomain sssd[24071]: Starting up
Jan 19 08:26:45 ubuntu1804.localdomain systemd[1]: Started System Security Services Daemon.
Troubleshooting steps
Logs
When I look at the logs, everything seems fine:
(Tue Jan 19 09:28:56 2021) [sssd] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(Tue Jan 19 09:28:56 2021) [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Tue Jan 19 09:28:56 2021) [sssd] [start_service] (0x0100): Queueing service default for startup
(Tue Jan 19 09:28:56 2021) [sssd] [client_registration] (0x0100): Received ID registration: (%BE_default,1)
(Tue Jan 19 09:28:56 2021) [sssd] [mark_service_as_started] (0x0100): Now starting services!
(Tue Jan 19 09:28:56 2021) [sssd] [start_service] (0x0100): Queueing service nss for startup
(Tue Jan 19 09:28:56 2021) [sssd] [start_service] (0x0100): Queueing service pam for startup
(Tue Jan 19 09:28:56 2021) [sssd] [client_registration] (0x0100): Received ID registration: (pam,1)
(Tue Jan 19 09:28:56 2021) [sssd] [client_registration] (0x0100): Received ID registration: (nss,1)
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [sss_dp_get_reply] (0x0100): Data Provider does not support this operation.
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ldap.company.country' in files
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'ldap.company.country' as 'resolving name'
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ldap.company.country' in files
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ldap.company.country' in DNS
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'ldap.company.country' as 'name resolved'
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=***,o=company,c=country
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'ldap.company.country' as 'working'
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'ldap.company.country' as 'working'
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [be_ptask_enable] (0x0080): Task [SUDO Smart Refresh]: already enabled
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [sdap_sudo_load_sudoers_done] (0x0040): Received 0 sudo rules
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [be_ptask_enable] (0x0080): Task [SUDO Full Refresh]: already enabled
When I try to log in with a local account (vagrant), authentication works:
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): user: vagrant
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.0.2.2
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 24354
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): logon name: vagrant
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Jan 19 09:39:52 2021) [sssd[be[default]]] [sysdb_get_real_name] (0x0040): Cannot find user [vagrant@default] in cache
(Tue Jan 19 09:39:52 2021) [sssd[be[default]]] [sysdb_get_real_name] (0x0040): Cannot find user [vagrant@default] in cache
So far, so good...
Now, when I try to log in with an LDAP user, I get a permission denied error:
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): user: jaep
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.0.2.2
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 24480
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): logon name: jaep
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Jan 19 09:42:27 2021) [sssd[be[default]]] [sysdb_get_real_name] (0x0040): Cannot find user [jaep@default] in cache
getent
I found the following question: Enable OpenLDAP authentication in Ubuntu 18.04
It suggests using getent passwd
to list the accounts on the machine. In my case, the vagrant user appears:
vagrant:x:1000:1000:vagrant,,,:/home/vagrant:/bin/bash
but my LDAP user does not.
It looks like the system is not even trying to authenticate me against the LDAP directory.
What am I missing? How do I authenticate against LDAP?
Answer 1
I tried this, but I found that sssd was not able to connect until I added these two variables to sssd.conf:
--sssd.conf--
[domain/stuff]
ldap_tls_cacertdir = /etc/ssl/certs
ldap_tls_cacert = /etc/ssl/certs/my_root_ca.crt
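An added example, not code from the question or the answer, that audits an sssd.conf shaped like the one in the question for the points this thread turns on: no ldap_tls_cacert/ldap_tls_cacertdir trust anchor (the answer's fix), ldap_tls_reqcert weaker than demand/hard, a plaintext ldap:// URI without StartTLS, and a bind password stored in a file that is not root-only 0600. The sample config, host, DNs and password are constructed, and apply_fix is a hypothetical helper that sets the answer's two lines plus strict certificate checking.

```python
import configparser
import stat

# Constructed sample modelled on the question's sssd.conf (placeholder host, DNs and password).
SAMPLE_CONF = """[sssd]
services = nss, pam
config_file_version = 2
domains = default
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.invalid
ldap_search_base = ou=department,o=company,c=country
ldap_default_bind_dn = cn=binduser,o=company,c=country
ldap_default_authtok = placeholder-bind-password
ldap_tls_reqcert = try
ldap_id_use_start_tls = False
"""

def parse_sssd_conf(text):
    """Parse sssd.conf text; interpolation is off because values may contain '%'."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def audit_domain(cfg, domain, file_mode):
    """Return findings for one [domain/<name>] section; file_mode is the st_mode of sssd.conf."""
    sec = cfg[f"domain/{domain}"]
    findings = []
    uris = [u.strip() for u in sec.get("ldap_uri", "").split(",")]
    start_tls = sec.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
    if any(u.startswith("ldap://") for u in uris) and not start_tls:
        findings.append("plaintext ldap:// URI without ldap_id_use_start_tls")
    # 'try' and 'allow' accept a server that presents no certificate; 'never' skips the check
    if sec.get("ldap_tls_reqcert", "hard").strip().lower() not in ("demand", "hard"):
        findings.append("ldap_tls_reqcert is not demand/hard")
    if not (sec.get("ldap_tls_cacert") or sec.get("ldap_tls_cacertdir")):
        findings.append("no ldap_tls_cacert or ldap_tls_cacertdir trust anchor configured")
    # a bind password in the file means the file itself must be root-only
    if sec.get("ldap_default_authtok") and stat.S_IMODE(file_mode) != 0o600:
        findings.append(f"ldap_default_authtok present but sssd.conf mode is {oct(stat.S_IMODE(file_mode))}, expected 0o600")
    return findings

def apply_fix(cfg, domain, cacert_path):
    """Hypothetical helper: the answer's two TLS lines plus strict certificate checking."""
    sec = cfg[f"domain/{domain}"]
    sec["ldap_tls_cacertdir"] = "/etc/ssl/certs"
    sec["ldap_tls_cacert"] = cacert_path
    sec["ldap_tls_reqcert"] = "demand"
```

Run it against a real file with `audit_domain(parse_sssd_conf(open(p).read()), "default", os.stat(p).st_mode)`.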