I set up a test LDAP server and client on CentOS 7 (OpenLDAP 2.4.39). I can run ldapsearch from the client, but I cannot get authentication to work when running `id ${USER}`. It seems something is not picking up the correct TLS certificate (on the client?), because when the client issues the `id` command the server log shows "no certificate". Below are the command output, /etc/sssd/sssd.conf and /etc/nsswitch.conf. What am I missing?
The client can run ldapsearch correctly using the user DN:
# ldapsearch -x -H ldaps://ldapserver.xxxxxxx.com -D "uid=nssproxy,ou=users,dc=xxxxxxx,dc=com" -W -d -1
...
tls_read: want=48, got=48
0000: 98 6b 1f 36 29 b7 2a 95 c9 88 5f 9b a5 d3 04 2e .k.6).*..._.....
0010: 3c 04 02 a1 b6 49 1a 40 fc ad 7e ba 62 c4 db 48 <....I.@..~.b..H
0020: 16 48 31 92 6e 8d fb f8 09 8d 47 06 5d 7f 1d 67 .H1.n.....G.]..g
TLS certificate verification: subject: CN=ldapserver.xxxxxxx.com, issuer: CN=CAcert,DC=xxxxxxx,DC=com, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
...
The result returned:
dn: uid=nssproxy,ou=users,dc=xxxxxxx,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 1003
gidNumber: 1002
userPassword:: MTIzNDU=
cn: nssproxy
sn: nssproxy
homeDirectory: /home/nssproxy
uid: nssproxy
Server log when the client runs the `id ${USER}` command:
TLS certificate verification: subject: no certificate, issuer: no certificate, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 220, cache not reusable: 0
5534a6b6 connection_read(19): unable to get TLS client DN, error=49 id=1219
5534a6b6 conn=1219 fd=19 TLS established tls_ssf=128 ssf=128
5534a6b6 daemon: activity on 1 descriptor
5534a6b6 daemon: activity on:5534a6b6
5534a6b6 daemon: epoll: listen=8 active_threads=0 tvp=zero
# cat sssd.conf on the client machine
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
[nss]
homedir_substring = /home
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,newsnsdc
[domain/default]
# commenting out ldap_tls_reqcert also doesn't work
ldap_tls_reqcert = never
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=xxxxxxx,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_tls_cacert = /etc/openldap/certs/cacert.pem
ldap_uri = ldaps://ldapserver.xxxxxxx.com
ldap_id_use_start_tls = False
ldap_bind_dn = uid=nssproxy,ou=users,dc=xxxxxxx,dc=com
ldap_chpass_uri = ldaps://ldapserver.xxxxxxx.com
ldap_default_authtok_type = password
ldap_default_authtok = 12345
ldap_id_use_start_tls = False
/etc/nsswitch.conf on the client:
# cat /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
Answer 0: (score: 0)
Figured out the problem. ldap_default_bind_dn needs to be set on the client, because the server disallows anonymous binds.
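As an added example (not part of the question or the answer above), here is a small Python check that parses an sssd.conf like the one posted and flags the pitfalls this thread runs into: sssd reads ldap_default_bind_dn, not ldap_bind_dn, so the posted config binds anonymously; a bind DN also needs ldap_default_authtok; and ldap_tls_reqcert = never switches off server certificate verification over ldaps. The embedded config is a constructed copy of the question's with placeholder domain names.

```python
import configparser

# Constructed sample mirroring the client's sssd.conf from the question
# (domain names are placeholders, not the original values).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[domain/default]
ldap_tls_reqcert = never
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldapserver.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/openldap/certs/cacert.pem
ldap_bind_dn = uid=nssproxy,ou=users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = 12345
ldap_id_use_start_tls = False
"""


def parse_sssd_conf(text):
    # strict=False tolerates a duplicated key (the posted file repeats
    # ldap_id_use_start_tls); interpolation=None keeps '%' in passwords intact.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def check_domain(cp, domain="default"):
    """Return a list of findings for one [domain/<name>] section."""
    sec = f"domain/{domain}"
    if not cp.has_section(sec):
        return [f"missing section [{sec}]"]
    d = cp[sec]
    findings = []
    # sssd does not read ldap_bind_dn; with no ldap_default_bind_dn it binds
    # anonymously, which fails on a server that forbids anonymous binds.
    if "ldap_bind_dn" in d and "ldap_default_bind_dn" not in d:
        findings.append("ldap_bind_dn is not an sssd option; use ldap_default_bind_dn")
    if "ldap_default_bind_dn" not in d and d.get("id_provider") == "ldap":
        findings.append("no ldap_default_bind_dn: lookups will use an anonymous bind")
    # A bind DN without a credential is still an anonymous bind.
    if "ldap_default_bind_dn" in d and "ldap_default_authtok" not in d:
        findings.append("ldap_default_bind_dn set but ldap_default_authtok missing")
    # 'never' disables verification of the server certificate over ldaps.
    if d.get("ldap_tls_reqcert", "").lower() == "never":
        findings.append("ldap_tls_reqcert = never: server certificate is not verified")
    return findings
```

Running check_domain on the sample reports all three problems; renaming the key to ldap_default_bind_dn and setting ldap_tls_reqcert = demand yields an empty list.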