nslcd身份验证失败,错误"查找失败:未返回任何结果"对于ldap用户

时间:2017-04-20 17:25:46

标签: linux bash ldap pam nss

我正在使用nslcd服务在SSH登录期间对ldap用户进行身份验证,并且失败并出现以下错误

nslcd:[16231b] uid = omc,ou = people,ou = accounts,dc = netact,dc = net:lookup failed:未返回任何结果

以下是ldap用户登录期间的nslcd调试日志,

nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_initialize(ldap://10.91.149.148/)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_rebind_proc()
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_simple_bind_s("uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldap://10.91.149.148/")
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [16231b] DEBUG: connection from pid=7465 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [16231b] <authc="omc"> DEBUG: nslcd_pam_authc("omc","sshd","***")
nslcd: [16231b] <authc="omc"> DEBUG: myldap_search(base="ou=people,ou=accounts,dc=netact,dc=net", filter="(&(objectClass=posixAccount)(uid=omc))")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [16231b] <authc="omc"> DEBUG: myldap_search(base="uid=omc,ou=people,ou=accounts,dc=netact,dc=net", filter="(objectClass=*)")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_initialize(ldap://10.91.149.148/)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_rebind_proc()
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_simple_bind_s("uid=omc,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldap://10.91.149.148/")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [16231b] <authc="omc"> uid=omc,ou=people,ou=accounts,dc=netact,dc=net: lookup failed: No results returned
nslcd: [16231b] <authc="omc"> DEBUG: ldap_unbind()

以下是nslcd.conf:

root@NthlrAtca07> cat /etc/nslcd.conf
binddn uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net
bindpw l0T%OSUe_7m_1~F
tls_reqcert allow

uri ldap://10.91.149.148/
base ou=people,ou=accounts,dc=netact,dc=net
tls_cacertdir /etc/openldap/cacerts
map    passwd loginShell       "/usr/bin/bash"
map    passwd homeDirectory    "/home/$uid"

下面是nsswitch.conf:

root@NthlrAtca07> cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis
passwd:     files ldap
shadow:     files ldap
group:      files ldap
#initgroups: files
#hosts:     db files nisplus nis dns
hosts:      files dns
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
root@NthlrAtca07>

以下是PAM政策:

root@NthlrAtca07> cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 dcredit=-1 ocredit=-1 ucredit=0 lcredit=0 minlen=8 maxrepeat=1 maxsequence=4 reject_username
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

我看到设置正确配置,即使nslcd无法验证ldap用户。你能帮忙吗?

1 个答案:

答案 0 :(得分:2)

感谢所有想过这个问题的人。

我发现了真正的问题:

确定登录和组问题是由LDAP服务器中实现的ACI(访问控制列表)引起的。 用户&#34; uid = nea7yxpm,ou = people,ou = accounts,dc = netact,dc = net&#34;在nslcd.conf中使用的是没有读访问权限,因此在身份验证期间,上述ACI规则阻止ldap用户访问自己的信息,因此身份验证失败。

要解决此问题,我们添加了ACI规则以获得用户的读取权限,并且身份验证成功。