LDAP user authentication on CentOS 7: Permission denied

I configured LDAP on CentOS 7 and now I am trying to configure external user authentication. Browsing around I found this: https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-ldap-pam.html, but it is for CentOS 5.

Other sites also say you can test access with the following:

    ssh my_LDAP_user@LDAP_hostname_or_IP:389

But it does not work for me. CentOS throws this error:

    ssh: Could not resolve hostname hostname:389: Name or service not known

When I try without the 389 I get "Permission denied", even though I enter the correct password:

    [root@localhost openldap]# ssh lolo@hostname
    lolo@hostname's password:
    Permission denied, please try again.

Do you have any hints or pointers to get me out of this hole a little? Thanks in advance!

EDIT:

The idea is to log in to LDAP from outside. I need to check that everything is working. Can you give me some guidance?

nslcd service log:

    gen 19 19:30:57 localhost nslcd[7020]: [ad6f57] <authc="test"> failed to bind to LDAP server ldap://ldap.192.168.150.105:389/: Can't contact LDAP server
    gen 19 19:30:57 localhost nslcd[7020]: [ad6f57] <authc="test"> no available LDAP server found: Can't contact LDAP server

authconfig --test:

    [root@localhost openldap]# authconfig --test
    caching is disabled
    nss_files is always enabled
    nss_compat is disabled
    nss_db is disabled
    nss_hesiod is disabled
     hesiod LHS = ""
     hesiod RHS = ""
    nss_ldap is enabled
     LDAP+TLS is disabled
     LDAP server = "ldap://192.168.150.105/"
     LDAP base DN = "dc=example,dc=com"
    nss_nis is disabled
     NIS server = ""
     NIS domain = ""
    nss_nisplus is disabled
    nss_winbind is disabled
     SMB workgroup = "MYGROUP"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
     Winbind template shell = "/bin/false"
     SMB idmap range = "16777216-33554431"
    nss_sss is enabled by default
    nss_wins is disabled
    nss_mdns4_minimal is disabled
    DNS preference over NSS or WINS is disabled
    pam_unix is always enabled
     shadow passwords are enabled
     password hashing algorithm is sha512
    pam_krb5 is disabled
     krb5 realm = "#"
     krb5 realm via dns is disabled
     krb5 kdc = ""
     krb5 kdc via dns is disabled
     krb5 admin server = ""
    pam_ldap is enabled
     LDAP+TLS is disabled
     LDAP server = "ldap://192.168.150.105/"
     LDAP base DN = "dc=example,dc=com"
     LDAP schema = "rfc2307"
    pam_pkcs11 is disabled
     use only smartcard for login is disabled
     smartcard module = ""
     smartcard removal action = ""
    pam_fprintd is disabled
    pam_ecryptfs is disabled
    pam_winbind is disabled
     SMB workgroup = "MYGROUP"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
    pam_sss is disabled by default
     credential caching in SSSD is enabled
     SSSD use instead of legacy services if possible is enabled
    IPAv2 is disabled
     IPAv2 domain was not joined
     IPAv2 server = ""
     IPAv2 realm = ""
     IPAv2 domain = ""
    pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
    pam_passwdqc is disabled ()
    pam_access is disabled ()
    pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
    Always authorize local users is enabled ()
    Authenticate system accounts against network services is disabled

Could the main problem be the "Authenticate system accounts against network services is disabled" in the last line of authconfig --test? It shows up in some tutorials, and there it is not a problem :-/
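An added diagnostic, not code from the original post, over the two pieces of output in the question: it parses the authconfig --test dump and the nslcd log line into structured values and reports what a defender would want to see first. Whether the host nslcd actually tries to reach is the same one authconfig reports (a name made of a label glued onto an IPv4 literal almost always means a mistyped uri line in /etc/nslcd.conf), and whether pam_ldap is in use without TLS, which sends the bind password over the network in clear text. The sample text below is constructed in the shape of the question's output; the function names are mine.

```python
"""Constructed diagnostic for the symptoms in the question above.
Parses `authconfig --test` output and an nslcd log line, then reports
inconsistencies and weak settings. Not code from the original post."""
import re
from ipaddress import ip_address

# Constructed samples, shaped like the question's output (subset).
AUTHCONFIG_TEST = """\
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://192.168.150.105/"
 LDAP base DN = "dc=example,dc=com"
pam_ldap is enabled
pam_sss is disabled by default
Authenticate system accounts against network services is disabled
"""

NSLCD_LOG = ('gen 19 19:30:57 localhost nslcd[7020]: [ad6f57] <authc="test"> '
             'failed to bind to LDAP server ldap://ldap.192.168.150.105:389/: '
             "Can't contact LDAP server")


def parse_authconfig(text):
    """Map `authconfig --test` lines to a dict: `X = "v"` -> str, `X is enabled` -> bool."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^(.*?) = "(.*)"$', line)
        if m:
            out[m.group(1)] = m.group(2)
            continue
        m = re.match(r'^(.*?) is (enabled|disabled)(?: by default)?(?: \(.*\))?$', line)
        if m:
            out[m.group(1)] = (m.group(2) == 'enabled')
    return out


def ldap_uri_host(uri):
    """Return (host, port) from ldap://host[:port]/... ; port defaults to 389."""
    m = re.match(r'^ldaps?://([^/:]+)(?::(\d+))?', uri)
    if not m:
        return None, None
    return m.group(1), int(m.group(2)) if m.group(2) else 389


def classify_host(host):
    """'ip-literal', 'hostname', or 'label-prefixed-ip' for names like ldap.192.168.150.105."""
    try:
        ip_address(host)
        return 'ip-literal'
    except ValueError:
        pass
    labels = host.split('.')
    # A name whose last four labels form an IPv4 address is almost always a
    # typo: a stray prefix such as "ldap." glued onto an IP address.
    if len(labels) > 4:
        try:
            ip_address('.'.join(labels[-4:]))
            return 'label-prefixed-ip'
        except ValueError:
            pass
    return 'hostname'


def diagnose(authconfig_text, nslcd_line):
    """Return a list of findings; empty means nothing suspicious was seen."""
    cfg = parse_authconfig(authconfig_text)
    findings = []
    m = re.search(r'LDAP server (ldaps?://[^\s/]+/?)', nslcd_line)
    if m:
        host, port = ldap_uri_host(m.group(1))
        if classify_host(host) == 'label-prefixed-ip':
            findings.append(f'nslcd uri host {host!r} looks like a label glued onto an IP; '
                            'check the uri line in /etc/nslcd.conf')
        cfg_host, _ = ldap_uri_host(cfg.get('LDAP server', ''))
        if cfg_host and cfg_host != host:
            findings.append(f'nslcd tries {host!r}:{port} but authconfig reports {cfg_host!r}; '
                            'the two configurations are out of sync')
    if cfg.get('pam_ldap') and not cfg.get('LDAP+TLS'):
        findings.append('pam_ldap is enabled without TLS: bind passwords cross the network in clear text')
    return findings


if __name__ == '__main__':
    for f in diagnose(AUTHCONFIG_TEST, NSLCD_LOG):
        print('-', f)
```

Run against the real files, the same functions take the output of authconfig --test and a line from journalctl -u nslcd; the point of the host classification is that nslcd and authconfig keep separate copies of the server URI, so the one that fails to bind is the one to fix.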

A few suggestions for you:
– Disable SELinux and reboot:
    # vi /etc/selinux/config
    SELINUX=disabled
– Stop iptables:
    # systemctl stop iptables.service
– Did you create an LDAP user? (Try the following guide: http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=2)
– Edit /etc/ssh/sshd_config:
    PermitRootLogin yes
    UsePAM yes
– Check the logs in /var/log/secure

I was facing the same problem as you; when I saw your post I had no clue how to solve it, but now I have solved mine. Here is my solution:

If you have not already installed it, install nss-pam-ldapd:

    [root@www ~]# yum -y install nss-pam-ldapd

Disable SELinux and reboot:

    [root@ldap ~]# vi /etc/selinux/config

Change this line: SELINUX=disabled

Run authconfig:

    # ldapserver=(LDAP server's hostname or IP address)
    # ldapbasedn="dc=(your own domain name)"
    [root@ldap ~]# authconfig --enableldap \
        --enableldapauth \
        --ldapserver=my.domain.world \
        --ldapbasedn="dc=my,dc=domain,dc=world" \
        --enablemkhomedir \
        --update
    getsebool: SELinux is disabled

If you use TLS for LDAP, don't forget to run this as well:

    [root@ldap ~]# authconfig --enableldaptls --update
    getsebool: SELinux is disabled

Maybe my solution can be your solution too :D
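An added post-check for the authconfig steps in the answer above; this is not the answer author's code. Instead of testing by logging in, it reads the three files that decide whether an SSH login can reach LDAP at all (the NSS database sources in /etc/nsswitch.conf, the auth stack in /etc/pam.d/system-auth, and sshd's UsePAM setting) and reports what is missing. It also flags PermitRootLogin yes, which the thread suggests but which LDAP logins do not need. The file contents below are constructed samples shaped like what authconfig --enableldap --enableldapauth --enablemkhomedir --update leaves behind on CentOS 7; the function names are mine.

```python
"""Constructed verification of an LDAP login setup on CentOS 7.
Checks nsswitch.conf, pam.d/system-auth and sshd_config text for the
pieces an SSH login via PAM + LDAP depends on. Not the answer's own code."""

# Constructed samples in the shape authconfig leaves on CentOS 7.
NSSWITCH = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
"""

SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
session     optional      pam_mkhomedir.so umask=0077
"""

SSHD_CONFIG = """\
# constructed sshd_config fragment
PermitRootLogin yes
UsePAM yes
PasswordAuthentication yes
"""


def nss_databases_using(text, source):
    """Return the nsswitch databases whose source list names `source` (e.g. 'ldap')."""
    found = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()      # drop comments
        if not line or ':' not in line:
            continue
        db, sources = line.split(':', 1)
        if source in sources.split():
            found.append(db.strip())
    return found


def pam_modules(text, facility):
    """Return the module names listed for one PAM facility (auth, account, ...)."""
    mods = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == facility:
            mods.append(parts[2])
    return mods


def sshd_option(text, key):
    """Return the value of an sshd_config keyword (case-insensitive), or None."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip()
    return None


def check_ldap_login(nsswitch, system_auth, sshd_config):
    """Return a list of problems; empty means the login path is wired up."""
    problems = []
    for db in ('passwd', 'shadow', 'group'):
        if db not in nss_databases_using(nsswitch, 'ldap'):
            problems.append(f'nsswitch.conf: {db} does not consult ldap')
    if 'pam_ldap.so' not in pam_modules(system_auth, 'auth'):
        problems.append('system-auth: no pam_ldap.so in the auth stack')
    # Upstream sshd defaults UsePAM to no; PAM-backed LDAP logins need yes.
    if (sshd_option(sshd_config, 'UsePAM') or 'no').lower() != 'yes':
        problems.append('sshd_config: UsePAM must be yes for PAM/LDAP logins')
    if (sshd_option(sshd_config, 'PermitRootLogin') or '').lower() == 'yes':
        problems.append('sshd_config: PermitRootLogin yes is not needed for LDAP users; '
                        'prefer no or prohibit-password')
    return problems


if __name__ == '__main__':
    for p in check_ldap_login(NSSWITCH, SYSTEM_AUTH, SSHD_CONFIG) or ['ok']:
        print('-', p)
```

On a real host, pass the contents of /etc/nsswitch.conf, /etc/pam.d/system-auth and /etc/ssh/sshd_config to check_ldap_login; if nothing is reported there and the login still fails, the remaining suspects are the nslcd uri line and whatever /var/log/secure shows for the attempt.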