ldapsearch returns results, but getent doesn't

I'm setting up a brand-new CentOS 7 server and need to set up LDAP authentication, meaning there is already a server that authenticates users and that we use for our other GNU/Linux servers.

For example, on Windows I can use nltest /dclist:XY to query the hostnames and IPs of the DCs, which returns a list of DC servers that I can confirm is correct.

When I test connecting to these DC servers with ldapsearch from the CentOS 7 server, it works:

    ldapsearch -H ldap://<DCSERVER> -D <user>@XY -w 

The output is a long list of information, including DN information.

However, when I use getent passwd there is no output, and I see this error in /var/log/messages:

    Nov 24 16:09:37 XXXXXXXX nslcd[22440]: [16e9e8] <passwd(all)> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C09072B, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580

getent passwd works fine on the other CentOS 6 servers, but they use BeyondTrust, which I want to migrate away from, and I wasn't the administrator when it was installed.

Relevant configuration files:

/etc/openldap/ldap.conf contains:

    #
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE   dc=example,dc=com
    #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never

    TLS_CACERTDIR /etc/pki/tls/certs

    # Turning this off breaks GSSAPI used with krb5 when rdns = false
    SASL_NOCANON    on
    URI ldap://<DCSERVER>
    BASE DC=X,DC=Y

/etc/nsswitch.conf contains:

    #
    # /etc/nsswitch.conf
    #
    # An example Name Service Switch config file. This file should be
    # sorted with the most-used services at the beginning.
    #
    # The entry '[NOTFOUND=return]' means that the search for an
    # entry should stop if the search in the previous entry turned
    # up nothing. Note that if the search failed due to some other reason
    # (like no NIS server responding) then the search continues with the
    # next entry.
    #
    # Valid entries include:
    #
    #       nisplus                 Use NIS+ (NIS version 3)
    #       nis                     Use NIS (NIS version 2), also called YP
    #       dns                     Use DNS (Domain Name Service)
    #       files                   Use the local files
    #       db                      Use the local database (.db) files
    #       compat                  Use NIS on compat mode
    #       hesiod                  Use Hesiod for user lookups
    #       [NOTFOUND=return]       Stop searching if not found so far
    #

    # To use db, put the "db" in front of "files" for entries you want to be
    # looked up first in the databases
    #
    # Example:
    #passwd:    db files nisplus nis
    #shadow:    db files nisplus nis
    #group:     db files nisplus nis

    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
    #initgroups: files

    #hosts:     db files nisplus nis dns
    hosts:      files dns

    # Example - obey only what nisplus tells us...
    #services:   nisplus [NOTFOUND=return] files
    #networks:   nisplus [NOTFOUND=return] files
    #protocols:  nisplus [NOTFOUND=return] files
    #rpc:        nisplus [NOTFOUND=return] files
    #ethers:     nisplus [NOTFOUND=return] files
    #netmasks:   nisplus [NOTFOUND=return] files

    bootparams: nisplus [NOTFOUND=return] files

    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files sss

    netgroup:   files sss

    publickey:  nisplus

    automount:  files sss
    aliases:    files nisplus

/etc/nslcd.conf contains:

    # This is the configuration file for the LDAP nameservice
    # switch library's nslcd daemon. It configures the mapping
    # between NSS names (see /etc/nsswitch.conf) and LDAP
    # information in the directory.
    # See the manual page nslcd.conf(5) for more information.

    # The user and group nslcd should run as.
    uid nslcd
    gid ldap

    # The uri pointing to the LDAP server to use for name lookups.
    # Multiple entries may be specified. The address that is used
    # here should be resolvable without using LDAP (obviously).
    #uri ldap://127.0.0.1/
    #uri ldaps://127.0.0.1/
    #uri ldapi://%2fvar%2frun%2fldapi_sock/
    # Note: %2f encodes the '/' used as directory separator
    uri ldap://<DCSERVER>

    # The LDAP version to use (defaults to 3
    # if supported by client library)
    #ldap_version 3

    # The distinguished name of the search base.
    base DC=X,DC=Y

    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    #binddn cn=proxyuser,dc=example,dc=com

Thanks in advance for your help.

This is the mismatch: if you are checking the sssd logs, you are using the sssd daemon. But then you should configure it in the file:

    /etc/sssd/sssd.conf

not in /etc/nslcd.conf (which is for the pam-ldapd daemon).

Also:

  1. the syntax of sssd.conf and nslcd.conf is very different;
  2. in /etc/nsswitch.conf, the sssd daemon is referenced with the 'sss' key (not 'ldap').
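An added diagnostic, not code from this thread or from either daemon's project, that checks the two things this answer and the question's error message point at. It reads nsswitch.conf to see which backend serves passwd, shadow and group ('ldap' is served by nslcd, 'sss' by sssd), verifies that the named backend actually has a configuration, and, for nslcd, checks that a binddn is set. The nslcd.conf in the question has only the commented-out binddn example, so nslcd binds anonymously, and Active Directory rejects anonymous reads with the "000004DC ... a successful bind must be completed" error shown in /var/log/messages; the ldapsearch in the question works because -D <user>@XY -w performs an authenticated bind. File paths are parameters, and the sample directory host and bind DN in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Audits which NSS backend each
# identity database uses, whether that backend is configured, and whether
# nslcd would bind anonymously (which AD refuses with error 000004DC).

# Print the sources configured for one nsswitch database, e.g. "files ldap".
nss_sources() {  # $1 = nsswitch.conf, $2 = database name (passwd, group, ...)
    awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed if the config file sets option $2 with a value. Commented-out
# lines such as "#binddn cn=proxyuser,..." do not count.
conf_has() {  # $1 = config file, $2 = option name
    [ -r "$1" ] && awk -v key="$2" '$1 == key && NF >= 2 { found = 1 } END { exit !found }' "$1"
}

# audit_nss NSSWITCH NSLCD_CONF SSSD_CONF
# Returns 0 when consistent, 1 when nsswitch names a backend that is not
# configured, 2 when nslcd is used without a binddn (anonymous bind to AD).
audit_nss() {
    nsswitch=$1
    nslcd_conf=$2
    sssd_conf=$3
    status=0
    for db in passwd shadow group; do
        srcs=$(nss_sources "$nsswitch" "$db")
        printf '%-7s -> %s\n' "$db" "${srcs:-<unset>}"
        case " $srcs " in
            *" ldap "*)
                if ! conf_has "$nslcd_conf" uri; then
                    echo "  $db uses 'ldap' (nslcd) but $nslcd_conf sets no uri"
                    status=1
                elif ! conf_has "$nslcd_conf" binddn; then
                    echo "  $db uses 'ldap' (nslcd) with no binddn: AD rejects anonymous lookups"
                    if [ "$status" -eq 0 ]; then status=2; fi
                fi ;;
        esac
        case " $srcs " in
            *" sss "*)
                if ! conf_has "$sssd_conf" id_provider; then
                    echo "  $db uses 'sss' (sssd) but $sssd_conf sets no id_provider"
                    status=1
                fi ;;
        esac
    done
    return "$status"
}

# On a real host: sh audit_nss.sh /etc/nsswitch.conf /etc/nslcd.conf /etc/sssd/sssd.conf
if [ "$#" -eq 3 ]; then
    audit_nss "$@"
fi
```

Run against the files in the question it reports status 2 for all three databases. The fix on the nslcd side is a `binddn` plus `bindpw` for a low-privilege service account in /etc/nslcd.conf; because that password is stored in clear, the file must stay root-owned with mode 0600 (nslcd reads it as root before dropping to the `nslcd` user), and the `uri` should be `ldaps://` or `ssl start_tls` with `tls_cacertfile` and `tls_reqcert demand`, since a simple bind over plain `ldap://` sends the service password across the network unencrypted. If the machine is meant to use sssd instead, switch passwd/shadow/group to `sss` and set `ldap_default_bind_dn` and `ldap_default_authtok` in the `[domain/...]` section of /etc/sssd/sssd.conf; joining the domain with `id_provider = ad` avoids a stored password altogether by authenticating with the host keytab.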

I wasn't able to fully resolve this.

However, checking /var/log/sssd/sssd_DOMAIN.log shows that SSS is working, but maybe it's related to the DN not being specified correctly?

    (Tue Nov 25 16:21:16 2014) [sssd[be[LDI.LAN]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
    (Tue Nov 25 16:21:16 2014) [sssd[be[LDI.LAN]]] [sdap_process_result] (0x2000): Trace: sh[0x7fc9553ddde0], connected[1], ops[0x7fc9553ed2c0], ldap[0x7fc9553d0cb0]
    (Tue Nov 25 16:21:16 2014) [sssd[be[LDI.LAN]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
    (Tue Nov 25 16:21:16 2014) [sssd[be[LDI.LAN]]] [sdap_get_generic_ext_done] (0x0400): Search result: Operations error(1), 000004DC: LdapErr: DSID-0C090724, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0

In the end, I chose Beyond Trust's open-source PBIS. It was working within minutes.

http://www.beyondtrust.com/Resources/OpenSourceDocumentation/