Passwords do not work after migrating from /etc/shadow to LDAP

I migrated RHEL6 user accounts from the traditional /etc/passwd, /etc/shadow and /etc/group files to OpenLDAP. However, trying to log in as a migrated user does not work; it fails with an incorrect password error:

Example (redacted) /etc/passwd line:

    leopetr:x:1005:1005:Leo Petr:/mnt/home/leopetr:/bin/bash

Example (redacted) /etc/shadow line:

    leopetr:$6$+7sZw4ID$CyLfaFeo.aDn1Xd5.MCBWXDm131CIOPExg0hgUQb4sdInuXIf4IBU8LxJo7Hz144uIp3nYB6cmnIzLAyI6fzr.:16205:0:99999:7:::

(The hash corresponds to a randomly generated password for an unprivileged account.)

Example LDIF generated with the OpenLDAP migration tools:

    dn: uid=leopetr,ou=People,dc=imdemocloud,dc=com
    uid: leopetr
    cn: Leo Petr
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    userPassword: {crypt}$6$+7sZw4ID$CyLfaFeo.aDn1Xd5.MCBWXDm131CIOPExg0hgUQb4sdInuXIf4IBU8LxJo7Hz144uIp3nYB6cmnIzLAyI6fzr.
    shadowLastChange: 16205
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1005
    gidNumber: 1005
    homeDirectory: /mnt/home/leopetr
    gecos: Leo Petr

As root I can `su -` to that user account, so the user record is reachable in LDAP. However, I cannot log in as that user. Example:

    $ su - leopetr
    Password:
    su: incorrect password

  1. Why does the password not work?

  2. Is {crypt} the correct prefix for a SHA-512 password hash?

  3. Is userPassword the correct LDAP attribute for the password hash?

Edit: /etc/pam.d/su

    #%PAM-1.0
    auth            sufficient      pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth           sufficient      pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth           required        pam_wheel.so use_uid
    auth            include         system-auth
    account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
    account         include         system-auth
    password        include         system-auth
    session         include         system-auth
    session         optional        pam_xauth.so

/etc/pam.d/system-auth

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so use_first_pass
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=0 lcredit=-1 ocredit=0 type= reject_username
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     optional      pam_mkhomedir.so umask=0077
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so
    session     optional      pam_ldap.so

/etc/sssd/sssd.conf

    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = LOCAL,LDAP

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3
    entry_cache_timeout = 300
    entry_cache_nowait_percentage = 75

    [pam]
    reconnection_retries = 3
    offline_credentials_expiration = 2
    offline_failed_login_attempts = 3
    offline_failed_login_delay = 5

    [domain/LDAP]
    cache_credentials = true
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldaps://my_hostname.my_domain.com
    ldap_search_base = dc=my_domain,dc=com
    ldap_id_use_start_tls = true
    ldap_tls_reqcert = never
    ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

/etc/nsswitch.conf

    #
    # /etc/nsswitch.conf
    #
    # An example Name Service Switch config file. This file should be
    # sorted with the most-used services at the beginning.
    #
    # The entry '[NOTFOUND=return]' means that the search for an
    # entry should stop if the search in the previous entry turned
    # up nothing. Note that if the search failed due to some other reason
    # (like no NIS server responding) then the search continues with the
    # next entry.
    #
    # Valid entries include:
    #
    #       nisplus                 Use NIS+ (NIS version 3)
    #       nis                     Use NIS (NIS version 2), also called YP
    #       dns                     Use DNS (Domain Name Service)
    #       files                   Use the local files
    #       db                      Use the local database (.db) files
    #       compat                  Use NIS on compat mode
    #       hesiod                  Use Hesiod for user lookups
    #       [NOTFOUND=return]       Stop searching if not found so far
    #
    # To use db, put the "db" in front of "files" for entries you want to be
    # looked up first in the databases
    #
    # Example:
    #passwd:    db files nisplus nis
    #shadow:    db files nisplus nis
    #group:     db files nisplus nis

    passwd:     files sss ldap
    shadow:     files sss ldap
    group:      files sss ldap

    #hosts:     db files nisplus nis dns
    hosts:      files dns

    # Example - obey only what nisplus tells us...
    #services:   nisplus [NOTFOUND=return] files
    #networks:   nisplus [NOTFOUND=return] files
    #protocols:  nisplus [NOTFOUND=return] files
    #rpc:        nisplus [NOTFOUND=return] files
    #ethers:     nisplus [NOTFOUND=return] files
    #netmasks:   nisplus [NOTFOUND=return] files

    bootparams: nisplus [NOTFOUND=return] files

    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files sss

    netgroup:   files sss ldap

    publickey:  nisplus

    automount:  files sss ldap
    aliases:    files nisplus

Also, here are the authconfig commands I used:

    authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth \
        --ldapserver=ldaps://my_hostname.my_domain.com:636 --disableldaptls \
        --ldapbasedn=dc=my_domain,dc=com \
        --enablerfc2307bis --enablemkhomedir --enablecachecreds --update
    authconfig --update --enablesssd --enablesssdauth
    authconfig --enablesssd --update

No, the correct tag for SHA-512 is {SHA-512}, but you have to enable a module and apply the overlay to your database.

Why not simply generate the user's password:

    sudo ldappasswd -H ldapi:/// -Y EXTERNAL uid=leopetr,ou=People,dc=imdemocloud,dc=com -s secret

If you want to preset the password (for an LDIF/ldapmodify insert), look at slappasswd, a tool that generates passwords in the correct format.

Yes, userPassword.
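As an added example (not code from the question or the answer), a small audit script that reads migration LDIF like the one in the question and classifies each userPassword by scheme: it checks that a {crypt}$6$ value is well-formed (salt of at most 16 characters, 86-character hash in the crypt alphabet), flags values with no scheme prefix (which slapd compares as cleartext) and single-pass digest schemes, and decodes the `attr::` base64 form that ldapsearch emits. The first sample entry reuses the question's hash; the second entry is constructed.

```python
import base64
import re
# Constructed sample LDIF: entry 1 is the question's {crypt}$6$ value, entry 2 is a
# made-up MD5-crypt value, base64-encoded the way ldapsearch prints userPassword.
SAMPLE_LDIF = (
    "dn: uid=leopetr,ou=People,dc=imdemocloud,dc=com\n"
    "uid: leopetr\n"
    "userPassword: {crypt}$6$+7sZw4ID$CyLfaFeo.aDn1Xd5.MCBWXDm131CIOPExg0hgUQb4sdInuX"
    "If4IBU8LxJo7Hz144uIp3nYB6cmnIzLAyI6fzr.\n\n"
    "dn: uid=legacy,ou=People,dc=imdemocloud,dc=com\n"
    "uid: legacy\n"
    "userPassword:: " + base64.b64encode(b"{crypt}$1$abcdefgh$" + b"x" * 22).decode() + "\n"
)
CRYPT_ALPHABET = re.compile(r"^[./0-9A-Za-z]+$")            # crypt(3) output alphabet
WEAK_SCHEMES = {"CLEARTEXT", "MD5", "SMD5", "SHA", "SSHA"}    # single-pass digests

def parse_ldif(text):
    """Minimal LDIF reader (no continuation lines); decodes 'attr:: base64' values."""
    entries = []
    for block in text.strip().split("\n\n"):
        cur = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            if val.startswith(":"):
                val = base64.b64decode(val[1:].strip()).decode()
            cur.setdefault(attr, []).append(val.strip())
        entries.append(cur)
    return entries

def classify_userpassword(value):
    """Return (scheme, verdict) with verdict in {'ok', 'weak', 'malformed'}."""
    m = re.match(r"^\{([^}]+)\}(.*)$", value, re.S)
    if not m:                                   # no {scheme}: slapd compares as cleartext
        return ("cleartext", "weak")
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return (scheme.lower(), "weak" if scheme in WEAK_SCHEMES else "ok")
    parts = rest.split("$")                     # "$6$salt$hash" -> ['', '6', salt, hash]
    if len(parts) == 4 and parts[1] == "6":     # SHA-512 crypt: salt <= 16, hash == 86
        well_formed = (0 < len(parts[2]) <= 16 and len(parts[3]) == 86
                       and CRYPT_ALPHABET.match(parts[3]) is not None)
        return ("crypt-sha512", "ok" if well_formed else "malformed")
    if len(parts) == 4 and parts[1] == "1":
        return ("crypt-md5", "weak")
    return ("crypt", "malformed")

def audit(ldif_text):
    return {e["uid"][0]: classify_userpassword(pw)
            for e in parse_ldif(ldif_text) for pw in e.get("userPassword", [])}
```

Running `audit` over the LDIF produced by the migration tools before loading it into slapd catches truncated hashes and cleartext values that would otherwise surface only as "incorrect password" at login.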