我正在使用nslcd服务在SSH登录期间对ldap用户进行身份验证,并且失败并出现以下错误
nslcd:[16231b] uid = omc,ou = people,ou = accounts,dc = netact,dc = net:lookup failed:未返回任何结果
以下是ldap用户登录期间的nslcd调试日志,
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_initialize(ldap://10.91.149.148/)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_rebind_proc()
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_simple_bind_s("uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldap://10.91.149.148/")
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [16231b] DEBUG: connection from pid=7465 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [16231b] <authc="omc"> DEBUG: nslcd_pam_authc("omc","sshd","***")
nslcd: [16231b] <authc="omc"> DEBUG: myldap_search(base="ou=people,ou=accounts,dc=netact,dc=net", filter="(&(objectClass=posixAccount)(uid=omc))")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [16231b] <authc="omc"> DEBUG: myldap_search(base="uid=omc,ou=people,ou=accounts,dc=netact,dc=net", filter="(objectClass=*)")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_initialize(ldap://10.91.149.148/)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_rebind_proc()
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_simple_bind_s("uid=omc,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldap://10.91.149.148/")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [16231b] <authc="omc"> uid=omc,ou=people,ou=accounts,dc=netact,dc=net: lookup failed: No results returned
nslcd: [16231b] <authc="omc"> DEBUG: ldap_unbind()
以下是nslcd.conf:
root@NthlrAtca07> cat /etc/nslcd.conf
binddn uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net
bindpw l0T%OSUe_7m_1~F
tls_reqcert allow
uri ldap://10.91.149.148/
base ou=people,ou=accounts,dc=netact,dc=net
tls_cacertdir /etc/openldap/cacerts
map passwd loginShell "/usr/bin/bash"
map passwd homeDirectory "/home/$uid"
下面是nsswitch.conf:
root@NthlrAtca07> cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files ldap
#initgroups: files
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
root@NthlrAtca07>
以下是PAM政策:
root@NthlrAtca07> cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 dcredit=-1 ocredit=-1 ucredit=0 lcredit=0 minlen=8 maxrepeat=1 maxsequence=4 reject_username
password sufficient pam_unix.so md5 shadow try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
我看到设置正确配置,即使nslcd无法验证ldap用户。你能帮忙吗?
答案 0 :(得分:2)
感谢所有想过这个问题的人。
我发现了真正的问题:
确定登录和组问题是由LDAP服务器中实现的ACI(访问控制列表)引起的。 用户&#34; uid = nea7yxpm,ou = people,ou = accounts,dc = netact,dc = net&#34;在nslcd.conf中使用的是没有读访问权限,因此在身份验证期间,上述ACI规则阻止ldap用户访问自己的信息,因此身份验证失败。
要解决此问题,我们添加了ACI规则以获得用户的读取权限,并且身份验证成功。