I am using the nslcd service to authenticate LDAP users during SSH login, and I get the following error:
nslcd: [16231b] uid=omc,ou=people,ou=accounts,dc=netact,dc=net: lookup failed: No results returned
Below is the nslcd debug log from the LDAP user's login:
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_initialize(ldap://10.91.149.148/)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_rebind_proc()
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_simple_bind_s("uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldap://10.91.149.148/")
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [16231b] DEBUG: connection from pid=7465 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [16231b] <authc="omc"> DEBUG: nslcd_pam_authc("omc","sshd","***")
nslcd: [16231b] <authc="omc"> DEBUG: myldap_search(base="ou=people,ou=accounts,dc=netact,dc=net", filter="(&(objectClass=posixAccount)(uid=omc))")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [16231b] <authc="omc"> DEBUG: myldap_search(base="uid=omc,ou=people,ou=accounts,dc=netact,dc=net", filter="(objectClass=*)")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_initialize(ldap://10.91.149.148/)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_rebind_proc()
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_simple_bind_s("uid=omc,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldap://10.91.149.148/")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [16231b] <authc="omc"> uid=omc,ou=people,ou=accounts,dc=netact,dc=net: lookup failed: No results returned
nslcd: [16231b] <authc="omc"> DEBUG: ldap_unbind()
Here is nslcd.conf:
root@NthlrAtca07> cat /etc/nslcd.conf
binddn uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net
bindpw l0T%OSUe_7m_1~F
tls_reqcert allow
uri ldap://10.91.149.148/
base ou=people,ou=accounts,dc=netact,dc=net
tls_cacertdir /etc/openldap/cacerts
map passwd loginShell "/usr/bin/bash"
map passwd homeDirectory "/home/$uid"
Here is nsswitch.conf:
root@NthlrAtca07> cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files ldap
shadow:     files ldap
group:      files ldap
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus
root@NthlrAtca07>
Here is the PAM policy:
root@NthlrAtca07> cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 dcredit=-1 ocredit=-1 ucredit=0 lcredit=0 minlen=8 maxrepeat=1 maxsequence=4 reject_username
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
As far as I can see the configuration is set up correctly, yet nslcd still cannot authenticate the LDAP user. Can you help?
Thanks to everyone who thought about this problem.

I found the real problem:

The login and group problems were confirmed to be caused by the ACI (access control lists) implemented in the LDAP server. The user "uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net" used in nslcd.conf had no read permission, so during authentication the ACI rules above blocked the LDAP user from accessing its own information, and authentication therefore failed.

To solve this, an ACI rule was added granting read permission on the users, and authentication succeeded.
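The debug log above shows what the ACI has to permit: nslcd first finds the entry as the proxy account (1 result), binds as the user, and then re-reads the user's own entry with base uid=omc,ou=people,ou=accounts,dc=netact,dc=net and filter (objectClass=*), which returned 0 results. The following is an added example of the fix, not the poster's own LDIF; it assumes a 389 Directory Server / Red Hat Directory Server style server (the term ACI points that way, but the page does not name the product), and the ACL names and the choice to exclude userPassword from both grants are mine.

```ldif
# Added example (not from the original question or answer).
# Assumes 389-DS/RHDS ACI syntax. Apply with ldapmodify as a
# directory administrator (admin DN is an assumption, see usage note).
dn: ou=people,ou=accounts,dc=netact,dc=net
changetype: modify
add: aci
# Every account may read its own entry. This is the search nslcd runs
# right after ldap_simple_bind_s() as the user; without it the result is
# "end of results (0 total)" and "lookup failed: No results returned".
# userPassword is excluded: the bind still verifies the password server
# side, so the client never needs to read the hash.
aci: (targetattr != "userPassword")(version 3.0; acl "Accounts may read their own entry"; allow (read, search, compare) userdn = "ldap:///self";)
-
add: aci
# The nslcd proxy account (binddn in nslcd.conf) may search and read all
# account entries under ou=people so passwd/group lookups keep working.
aci: (targetattr != "userPassword")(version 3.0; acl "nslcd proxy may read account entries"; allow (read, search, compare) userdn = "ldap:///uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net";)
```

To apply it, run something like `ldapmodify -x -H ldap://10.91.149.148/ -D "cn=Directory Manager" -W -f self-read.ldif`, where the admin DN and file name are assumptions. The useful check before restarting nslcd is to repeat exactly the search nslcd performs, bound as the user rather than as the proxy: `ldapsearch -x -H ldap://10.91.149.148/ -D "uid=omc,ou=people,ou=accounts,dc=netact,dc=net" -W -b "uid=omc,ou=people,ou=accounts,dc=netact,dc=net" -s base "(objectClass=*)"`. If the entry comes back, the self-read ACI is in effect; if the bind succeeds but no entry is returned, the ACI is still blocking and nslcd will keep reporting "No results returned". Since the ACI is evaluated per bound identity, a test bound as the proxy account proves nothing about this failure. Note also that nslcd.conf carries bindpw in clear text, so it should stay readable only by root and the nslcd user.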