I have seen several other questions here about similar problems, but I have not found anything that works for me.
My goal is to authenticate all Debian hosts (mainly for SSH) against a UCS (OpenLDAP) directory, and in future to allow authentication only when the user is a member of a specific LDAP group. But right now I am still struggling to get it working even without the group membership.
I always get the error:
nslcd: [7b23c6] DEBUG: ldap_sasl_bind("uid=test,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local") (ppolicy=yes)
nslcd: [7b23c6] DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [7b23c6] DEBUG: failed to bind to LDAP server ldap://ldap.securitywho.local: Invalid credentials
nslcd: [7b23c6] DEBUG: ldap_unbind()
nslcd: [7b23c6] uid=test,cn=users,dc=securitywho,dc=local: Invalid credentials
nslcd: [7b23c6] DEBUG: myldap_search(base="cn=users,dc=securitywho,dc=local", filter="(&(objectClass=*)(uid=test))")
nslcd: [7b23c6] DEBUG: ldap_result(): uid=test,cn=users,dc=securitywho,dc=local

The bind user is working; I checked everything with the ldapsearch command. Everything works with the bind user, and if I use a wrong password the debug output shows the error that the bind function does not work.
Used ldapsearch and it is working:
ldapsearch -x -H ldap://ldap.securitywho.local -D "uid=srv_linux,cn=users,dc=securitywho,dc=local" -b cn=users,dc=securitywho,dc=local -W

Snip of the output:
# test, users, securitywho.local
dn: uid=test,cn=users,dc=securitywho,dc=local
krb5MaxLife: 86400
krb5MaxRenew: 604800
uid: test
uidNumber: 2008
sn: test
gecos: test
displayName: test
homeDirectory: /home/test
loginShell: /bin/bash
mailForwardCopyToSelf: 0
cn: test
krb5PrincipalName: test@SECURITYWHO.LOCAL
shadowLastChange: 18992
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
sambaAcctFlags: [U ]
objectClass: shadowAccount
objectClass: top
objectClass: sambaSamAccount
objectClass: automount
objectClass: univentionPWHistory
objectClass: person
objectClass: krb5KDCEntry
objectClass: univentionObject
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: univentionMail
objectClass: posixAccount
sambaSID: S-1-5-21-258973841-725078507-1497259816-5016
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-258973841-725078507-1497259816-513
univentionObjectType: users/user

To verify that my test user works, I ran the ldapsearch command as the test user as well; everything works here. I checked several accounts in the OpenLDAP directory: all of them work here, but none of them when I try SSH.
ldapsearch -x -H ldap://ldap.securitywho.local -D "uid=test,cn=users,dc=securitywho,dc=local" -b cn=users,dc=securitywho,dc=local -W

Config /etc/nslcd.conf:
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://ldap.securitywho.local
# The search base that will be used for all queries.
base cn=users,dc=securitywho,dc=local
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
binddn uid=srv_linux,cn=users,dc=securitywho,dc=local
bindpw
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
#tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub
filter passwd (objectClass=*)
map passwd uid uid
filter shadow (objectClass=*)
map shadow uid uid

Full debug output of nslcd:
root@ipam:~# nslcd -d
nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.11
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: uid nslcd
nslcd: DEBUG: CFG: gid 117
nslcd: DEBUG: CFG: uri ldap://ldap.securitywho.local
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: binddn uid=srv_linux,cn=users,dc=securitywho,dc=local
nslcd: DEBUG: CFG: bindpw ***
nslcd: DEBUG: CFG: base cn=users,dc=securitywho,dc=local
nslcd: DEBUG: CFG: scope sub
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectClass=*)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=*)
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map shadow userPassword "*"
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: pam_authc_ppolicy yes
nslcd: DEBUG: CFG: bind_timelimit 10
nslcd: DEBUG: CFG: timelimit 0
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl off
nslcd: DEBUG: CFG: tls_reqcert demand
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_min_uid 0
nslcd: DEBUG: CFG: nss_uid_offset 0
nslcd: DEBUG: CFG: nss_gid_offset 0
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disable_enumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase no
nslcd: DEBUG: CFG: pam_authc_search BASE
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: version 0.9.11 starting
nslcd: DEBUG: initgroups("nslcd",117) done
nslcd: DEBUG: setgid(117) done
nslcd: DEBUG: setuid(110) done
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=896662 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_pam_authc("test","sshd","***")
nslcd: [8b4567] DEBUG: myldap_search(base="cn=users,dc=securitywho,dc=local", filter="(&(objectClass=*)(uid=test))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://ldap.securitywho.local)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("uid=srv_linux,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local")
nslcd: [8b4567] DEBUG: ldap_result(): uid=test,cn=users,dc=securitywho,dc=local
nslcd: [8b4567] DEBUG: myldap_search(base="uid=test,cn=users,dc=securitywho,dc=local", filter="(objectClass=*)")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://ldap.securitywho.local)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_sasl_bind("uid=test,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local") (ppolicy=yes)
nslcd: [8b4567] DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [8b4567] DEBUG: failed to bind to LDAP server ldap://ldap.securitywho.local: Invalid credentials
nslcd: [8b4567] DEBUG: ldap_unbind()
nslcd: [8b4567] uid=test,cn=users,dc=securitywho,dc=local: Invalid credentials
nslcd: [8b4567] DEBUG: myldap_search(base="cn=users,dc=securitywho,dc=local", filter="(&(objectClass=*)(uid=test))")
nslcd: [8b4567] DEBUG: ldap_result(): uid=test,cn=users,dc=securitywho,dc=local

What I tried was the "search scope" in /etc/nslcd.conf, but no combination made it work. I currently do not see any configuration problem. Does anyone have the same problem, or can anyone help me? I installed everything with:
apt-get install libpam-ldapd

Posted on 2022-01-01 14:36:46
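To read a trace like the one above systematically, here is an added example (not part of the original question, nor code from nslcd) that groups nslcd -d lines by request id, records the service-account search, the DN it returned and the binds that followed, and names the step at which the request stopped. The sample lines are constructed from the [8b4567] request above; the function and dictionary key names are my own.

```python
import re
# Patterns for the nslcd -d lines that make up one PAM authentication request.
REQ = re.compile(r'^nslcd: \[(?P<rid>[0-9a-f]+)\] (?:DEBUG: )?(?P<msg>.*)$')
AUTHC = re.compile(r'nslcd_pam_authc\("(?P<user>[^"]*)","(?P<svc>[^"]*)"')
RESULT = re.compile(r'ldap_result\(\): (?P<dn>.+)$')
BIND = re.compile(r'ldap_(?:simple_bind_s|sasl_bind)\("(?P<dn>[^"]*)"')
FAILED = re.compile(r'failed to bind to LDAP server \S+: (?P<err>.+)$')

def parse_nslcd_auth(lines):
    # Group debug lines by request id and record the steps of each PAM authentication.
    flows = {}
    for line in lines:
        m = REQ.match(line.strip())
        if not m:
            continue  # startup and CFG lines carry no request id
        f = flows.setdefault(m['rid'], {'user': None, 'service': None, 'found_dn': None,
                                        'binds': [], 'failed_dn': None, 'error': None})
        msg = m['msg']
        if a := AUTHC.search(msg):
            f['user'], f['service'] = a['user'], a['svc']
        elif (r := RESULT.search(msg)) and f['found_dn'] is None:
            f['found_dn'] = r['dn']        # DN returned by the service-account search
        elif b := BIND.search(msg):
            f['binds'].append(b['dn'])     # service bind first, then the user's own bind
        elif e := FAILED.search(msg):
            f['failed_dn'] = f['binds'][-1] if f['binds'] else None
            f['error'] = e['err']
    return flows

def diagnose(f):
    # Name the step at which this authentication request stopped.
    if f['user'] is None:
        return 'no PAM authentication request in this flow'
    if f['failed_dn'] and f['failed_dn'] != f['found_dn']:
        return f"service bind as {f['failed_dn']} failed: {f['error']} (check binddn/bindpw)"
    if f['found_dn'] is None:
        return f"user {f['user']!r} not found under the configured base and passwd filter"
    if f['found_dn'] not in f['binds']:
        return f"entry {f['found_dn']} found but nslcd never bound as the user"
    if f['failed_dn'] == f['found_dn']:
        return f"bind as {f['found_dn']} failed: {f['error']} (password rejected by the server)"
    return f"bind as {f['found_dn']} succeeded for service {f['service']!r}"

# Constructed sample: the essential lines of the [8b4567] request shown in the question.
SAMPLE = """\
nslcd: [8b4567] DEBUG: nslcd_pam_authc("test","sshd","***")
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("uid=srv_linux,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local")
nslcd: [8b4567] DEBUG: ldap_result(): uid=test,cn=users,dc=securitywho,dc=local
nslcd: [8b4567] DEBUG: ldap_sasl_bind("uid=test,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local") (ppolicy=yes)
nslcd: [8b4567] DEBUG: failed to bind to LDAP server ldap://ldap.securitywho.local: Invalid credentials
""".splitlines()
```

Running `diagnose(parse_nslcd_auth(SAMPLE)['8b4567'])` separates the case seen here (the service account bound and found the entry, the user's own bind was rejected) from a failed binddn/bindpw, which would stop the flow before any entry is returned.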
After a few hours, Wireshark debugging showed that the bind request for the bind user was sent correctly to the LDAP server (using simple auth -> bind without encryption). But for my test user no real password was sent to the LDAP server, which means the authentication could not succeed. -> Tested with SSH.
I tried logging in on the local console and saw the same in the nslcd debug output; but in /var/log/auth.log, the login is now successful:
Jan 1 14:01:43 ipam login[489]: pam_unix(login:auth): check pass; user unknown
Jan 1 14:01:43 ipam login[489]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Jan 1 14:01:43 ipam login[489]: pam_unix(login:account): could not identify user (from getpwnam(test))
Jan 1 14:01:43 ipam login[489]: Authentication failure

But now everything is fine. How did I fix it? -> Reboot.
No further configuration changes were needed; my configuration after the initial setup was correct and is now running fine.
https://serverfault.com/questions/1088675