升级到CentOS 7后,无法再通过LDAP登录.使用CentOS 6我使用了包pam_ldap,它工作正常,但现在pam_ldap不再适用于新版本的CentOS.
通过ldapsearch连接仍然可以正常工作,但尝试通过ssh进行身份验证不起作用.
我重新安装了包nss-pam-ldapd并通过authconfig-tui重新配置了身份验证,但它仍然无效.
下面我用user.name替换我的用户名,用dc = sub替换我的用户名,dc = example,dc = org.
我的主机操作系统是CentOS 7.安装了所有当前可用的更新.
$uname -a Linux isfet 3.10.0-123.8.1.el7.x86_64 #1 SMP Mon Sep 22 19:06:58 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
已安装的包裹
$rpm -qa | grep -i ldap openldap-2.4.39-3.el7.x86_64 nss-pam-ldapd-0.8.13-8.el7.x86_64 openldap-clients-2.4.39-3.el7.x86_64
/etc/openldap/ldap.conf的内容
URI ldap://172.16.64.25 BASE dc=sub,dc=example,dc=org
/etc/nslcd.conf的内容
ldap_version 3 uri ldap://172.16.64.25 base dc=sub,dc=org ssl no
输出/ var / log / secure
Oct 6 12:12:16 isfet sshd[3937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.64.1 user=user.name Oct 6 12:12:17 isfet sshd[3937]: Failed password for user.name from 172.16.64.1 port 18877 ssh2
输出/var/log/audit/audit.log
type=USER_AUTH msg=audit(1412590243.286:364): pid=3912 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="user.name" exe="/usr/sbin/sshd" hostname=172.16.64.1 addr=172.16.64.1 terminal=ssh res=Failed' type=USER_AUTH msg=audit(1412590243.287:365): pid=3912 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="user.name" exe="/usr/sbin/sshd" hostname=? addr=172.16.64.1 terminal=ssh res=Failed'
输出命令ldapserach
$ldapsearch -H ldap://172.16.64.25/ -D cn=Manager,dc=sub,dc=org -W -x -b dc=sub,dc=org -d1
ldap_url_parse_ext(ldap://172.16.64.25/)
ldap_create
ldap_url_parse_ext(ldap://172.16.64.25:389/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 172.16.64.25:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.64.25:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 61 bytes to sd 3
ldap_result ld 0x7f9b07402110 msgid 1
wait4msg ld 0x7f9b07402110 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f9b07402110 msgid 1 all 1
** ld 0x7f9b07402110 Connections:
* host: 172.16.64.25 port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Oct 6 12:04:38 2014
** ld 0x7f9b07402110 Outstanding Requests:
* msgid 1,origid 1,status InProgress
outstanding referrals 0,parent count 0
ld 0x7f9b07402110 request count 1 (abandoned 0)
** ld 0x7f9b07402110 Response Queue:
Empty
ld 0x7f9b07402110 response count 0
ldap_chkResponseList ld 0x7f9b07402110 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f9b07402110 NULL
ldap_int_select
read1msg: ld 0x7f9b07402110 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 50 contents:
read1msg: ld 0x7f9b07402110 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f9b07402110 0 new referrals
read1msg: mark request completed,ld 0x7f9b07402110 msgid 1
request done: ld 0x7f9b07402110 msgid 1
res_errno: 0,res_error: <>,res_matched: <cn=Manager,dc=org>
ldap_free_request (origid 1,msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_bind: Success (0)
matched DN: cn=Manager,dc=org
...
_ / etc / pam.d / password-auth的内容
auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unkNown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so
_ / etc / pam.d / system-auth的内容
auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unkNown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so
在调试模式下运行nslcd会显示问题:
$$(which nslcd) -d ... nslcd: [8b4567] <authc="user.name"> DEBUG: myldap_search(base="dc=sub,dc=org",filter="(&(objectClass=posixAccount)(uid=user.name))") ... nslcd: [8b4567] <authc="user.name"> DEBUG: ldap_result(): end of results (0 total) nslcd: [8b4567] <authc="user.name"> DEBUG: "user.name": user not found: No such object ...
nslcd默认设置过滤器.无法删除此过滤器或将其设置为空白.
因为我的LDAP用户都没有名为posixAccount的objectClass,所以无法找到用户并拒绝登录.
要解决这个问题,我不得不用自己的过滤器覆盖这个过滤器.因为我正在寻找uid,所以有必要在一个被搜索的属性上设置过滤器.
我的/etc/nslcd.conf的新内容:
filter passwd (uid=*) uri ldap://172.16.64.25 base dc=sub,dc=org ssl no
更改nslcd.conf后,我不得不重启服务nslcd:systemctl restart nslcd
资料来源:http://lists.arthurdejong.org/nss-pam-ldapd-users/2014/msg00025.html
.
这似乎是CentOS 7上_nss-pam-ldapd-0.8.13-8.el7.x86_64_的问题!
$nslcd -V nss-pam-ldapd 0.8.13
我尝试在CentOS 6上重现这个问题,但是在这个nss-pam-ldapd上依赖于pam_ldap,它在/etc/pam_ldap.conf中有配置文件,似乎没有像工作方式那样使用/etc/nslcd.conf在CentOS 7上.
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
