nslcd only connects to the LDAP server in debug mode

Hey guys, I've searched around on stackexchange but couldn't find any help for my problem.

I'm trying to integrate LDAP authentication on a CentOS 7 client, but I can't get it to work and I can't find out why. Here is some information.

I did a clean install of CentOS 7.

I went into /etc/sysconfig/authconfig and changed

    FORCELEGACY=no

to

    FORCELEGACY=yes

so that authconfig doesn't use SSSD, because I won't be using TLS/SSL for my connection, which as far as I know is a requirement for using SSSD.

Then I ran authconfig-tui to populate /etc/openldap/ldap.conf:

    SASL_NOCANON on
    URI ldap://172.16.0.5:390
    BASE dc=mosek,dc=zentyal

Now I went to /etc/nslcd.conf and populated it by hand:

    uid nslcd
    gid ldap
    uri ldap://172.16.0.5:390
    ldap_version 3
    base dc=mosek,dc=zentyal
    binddn cn=zentyalro,dc=mosek,dc=zentyal
    bindpw secret
    scope sub
    base group ou=Groups,dc=mosek,dc=zentyal
    base passwd ou=Users,dc=mosek,dc=zentyal
    base shadow ou=Users,dc=mosek,dc=zentyal
    ssl no

I ran authconfig-tui again to make sure nslcd picked up the new configuration.

I checked my /etc/nsswitch.conf to see whether it was configured correctly:

    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
    hosts:      files dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files
    netgroup:   files ldap
    publickey:  nisplus
    automount:  files ldap
    aliases:    files nisplus

Then I tried to log in, but it wouldn't let me. So I checked /var/log/messages and found:

    Nov 27 12:48:01 localhost systemd: Starting Naming services LDAP client daemon....
    Nov 27 12:48:01 localhost systemd: PID file /var/run/nslcd/nslcd.pid not readable (yet?) after start.
    Nov 27 12:48:01 localhost nslcd[10991]: version 0.8.13 starting
    Nov 27 12:48:01 localhost nslcd[10991]: accepting connections
    Nov 27 12:48:01 localhost systemd: Started Naming services LDAP client daemon..
    Nov 27 12:49:10 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:49:10 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
    Nov 27 12:49:11 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:49:11 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
    Nov 27 12:49:12 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:49:12 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
    Nov 27 12:49:13 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:49:13 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
    Nov 27 12:49:14 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:49:14 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
    Nov 27 12:49:15 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:49:15 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
    Nov 27 12:49:16 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:49:16 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
    Nov 27 12:49:17 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:49:17 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
    Nov 27 12:49:18 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:49:18 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
    Nov 27 12:49:19 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:49:19 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:52:23 localhost nslcd[10991]: [7b23c6] <passwd="tomas"> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:52:23 localhost nslcd[10991]: [7b23c6] <passwd="tomas"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:52:26 localhost nslcd[10991]: [3c9869] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
    Nov 27 12:52:26 localhost nslcd[10991]: [334873] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
    Nov 27 12:52:26 localhost nslcd[10991]: [b0dc51] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
    Nov 27 12:53:59 localhost nslcd[10991]: [495cff] <passwd="tomas"> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:53:59 localhost nslcd[10991]: [495cff] <passwd="tomas"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
    Nov 27 12:54:02 localhost nslcd[10991]: [e8944a] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
    Nov 27 12:54:02 localhost nslcd[10991]: [5558ec] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
    Nov 27 12:54:02 localhost nslcd[10991]: [8e1f29] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected

My /var/log/secure looks like this:

    Nov 27 12:37:34 localhost sshd[10926]: Invalid user tomas from 172.16.0.179
    Nov 27 12:37:34 localhost sshd[10926]: input_userauth_request: invalid user tomas [preauth]
    Nov 27 12:37:39 localhost sshd[10926]: pam_unix(sshd:auth): check pass; user unknown
    Nov 27 12:37:39 localhost sshd[10926]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal
    Nov 27 12:37:41 localhost sshd[10926]: Failed password for invalid user tomas from 172.16.0.179 port 37863 ssh2
    Nov 27 12:37:44 localhost sshd[10926]: Connection closed by 172.16.0.179 [preauth]
    Nov 27 12:52:23 localhost sshd[11004]: Invalid user tomas from 172.16.0.179
    Nov 27 12:52:23 localhost sshd[11004]: input_userauth_request: invalid user tomas [preauth]
    Nov 27 12:52:26 localhost sshd[11004]: pam_unix(sshd:auth): check pass; user unknown
    Nov 27 12:52:26 localhost sshd[11004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal
    Nov 27 12:52:28 localhost sshd[11004]: Failed password for invalid user tomas from 172.16.0.179 port 38262 ssh2
    Nov 27 12:52:30 localhost sshd[11004]: Connection closed by 172.16.0.179 [preauth]
    Nov 27 12:53:59 localhost sshd[11014]: Invalid user tomas from 172.16.0.179
    Nov 27 12:53:59 localhost sshd[11014]: input_userauth_request: invalid user tomas [preauth]
    Nov 27 12:54:02 localhost sshd[11014]: pam_unix(sshd:auth): check pass; user unknown
    Nov 27 12:54:02 localhost sshd[11014]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal
    Nov 27 12:54:04 localhost sshd[11014]: Failed password for invalid user tomas from 172.16.0.179 port 38274 ssh2
    Nov 27 12:54:06 localhost sshd[11014]: Connection closed by 172.16.0.179 [preauth]
    Nov 27 13:18:38 localhost unix_chkpwd[11120]: check pass; user unknown
    Nov 27 13:18:38 localhost unix_chkpwd[11120]: password check failed for user (tomas)
    Nov 27 13:18:38 localhost sshd[11118]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal user=tomas
    Nov 27 13:18:38 localhost unix_chkpwd[11121]: could not obtain user info (tomas)
    Nov 27 13:18:38 localhost sshd[11118]: Failed password for tomas from 172.16.0.179 port 38466 ssh2
    Nov 27 13:18:38 localhost sshd[11118]: fatal: Access denied for user tomas by PAM account configuration [preauth]
    Nov 27 13:22:09 localhost unix_chkpwd[11143]: check pass; user unknown
    Nov 27 13:22:09 localhost unix_chkpwd[11143]: password check failed for user (tomas)
    Nov 27 13:22:09 localhost sshd[11141]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal user=tomas
    Nov 27 13:22:09 localhost unix_chkpwd[11144]: could not obtain user info (tomas)
    Nov 27 13:22:09 localhost sshd[11141]: Failed password for tomas from 172.16.0.179 port 38501 ssh2
    Nov 27 13:22:09 localhost sshd[11141]: fatal: Access denied for user tomas by PAM account configuration [preauth]

Which I find really strange, because I have an Ubuntu client that connects just fine to that same address: 172.16.0.5:390

I tried running nslcd in debug mode and tried to log in again, and it just drove me crazy when I tried to log in:

    $ ssh tomas@centosy
    tomas@centosy's password:
    Connection closed by 172.16.0.188

    nslcd: [8b4567] DEBUG: connection from pid=11118 uid=0 gid=0
    nslcd: [8b4567] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
    nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
    nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_rebind_proc()
    nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
    nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
    nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
    nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
    nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
    nslcd: [8b4567] <passwd="tomas"> (re)loading /etc/nsswitch.conf
    nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
    nslcd: [7b23c6] DEBUG: connection from pid=11118 uid=0 gid=0
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_rebind_proc()
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: myldap_search(base="ou=Groups,dc=mosek,dc=zentyal", filter="(&(objectClass=posixGroup)(|(memberUid=tomas)(member=uid=tomas,ou=Users,dc=mosek,dc=zentyal)))")
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): cn=__USERS__,ou=Groups,dc=mosek,dc=zentyal
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): cn=Domain Admins,ou=Groups,dc=mosek,dc=zentyal
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): cn=staff,ou=Groups,dc=mosek,dc=zentyal
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): cn=admins,ou=Groups,dc=mosek,dc=zentyal
    nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): end of results (4 total)
    nslcd: [3c9869] DEBUG: connection from pid=11118 uid=0 gid=0
    nslcd: [3c9869] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
    nslcd: [3c9869] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
    nslcd: [3c9869] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
    nslcd: [334873] DEBUG: connection from pid=11118 uid=0 gid=0
    nslcd: [334873] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
    nslcd: [334873] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
    nslcd: [334873] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
    nslcd: [b0dc51] DEBUG: connection from pid=11118 uid=0 gid=0
    nslcd: [b0dc51] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
    nslcd: [b0dc51] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
    nslcd: [b0dc51] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
    nslcd: [495cff] DEBUG: connection from pid=11118 uid=0 gid=0
    nslcd: [495cff] <authc="tomas"> DEBUG: nslcd_pam_authc("tomas","sshd","***")
    nslcd: [495cff] <authc="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_rebind_proc()
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
    nslcd: [495cff] <authc="tomas"> DEBUG: myldap_search(base="uid=tomas,ou=Users,dc=mosek,dc=zentyal", filter="(objectClass=*)")
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_rebind_proc()
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_simple_bind_s("uid=tomas,ou=Users,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_unbind()
    nslcd: [495cff] <authc="tomas"> DEBUG: bind successful
    nslcd: [495cff] <authc="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=shadowAccount)(uid=tomas))")
    nslcd: [495cff] <authc="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
    nslcd: [e8944a] DEBUG: connection from pid=11118 uid=0 gid=0
    nslcd: [e8944a] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
    nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
    nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_rebind_proc()
    nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
    nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
    nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
    nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
    nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
    nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
    nslcd: [5558ec] DEBUG: connection from pid=11118 uid=0 gid=0
    nslcd: [5558ec] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
    nslcd: [5558ec] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
    nslcd: [5558ec] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
    nslcd: [8e1f29] DEBUG: connection from pid=11118 uid=0 gid=0
    nslcd: [8e1f29] <authz="tomas"> DEBUG: nslcd_pam_authz("tomas","sshd","","harbinger.mosek.zentyal","ssh")
    nslcd: [8e1f29] <authz="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
    nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
    nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_rebind_proc()
    nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
    nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
    nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
    nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
    nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
    nslcd: [8e1f29] <authz="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=shadowAccount)(uid=tomas))")
    nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal

It's as if nslcd can only contact the LDAP server in debug mode. When I try to start nslcd it fails because it can't contact the server, but as you can see, when it runs in debug mode it connects just fine.

What could be wrong?
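As an added example (not part of the question or of any answer), a small Python triage script that correlates the two logs quoted above: sshd reports "Invalid user" when the NSS lookup returns nothing, so an sshd "Invalid user" line that coincides with an nslcd "failed to bind" / "no available LDAP server" line in the same second points at LDAP reachability rather than at the password. The embedded log lines are constructed copies of a few entries from the question; the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines, copied in shape and content from the logs in the question.
MESSAGES = """\
Nov 27 12:49:10 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:10 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:52:23 localhost nslcd[10991]: [7b23c6] <passwd="tomas"> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:52:23 localhost nslcd[10991]: [7b23c6] <passwd="tomas"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:52:26 localhost nslcd[10991]: [3c9869] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
"""

SECURE = """\
Nov 27 12:52:23 localhost sshd[11004]: Invalid user tomas from 172.16.0.179
Nov 27 12:52:23 localhost sshd[11004]: input_userauth_request: invalid user tomas [preauth]
Nov 27 12:52:28 localhost sshd[11004]: Failed password for invalid user tomas from 172.16.0.179 port 38262 ssh2
Nov 27 13:18:38 localhost sshd[11118]: Failed password for tomas from 172.16.0.179 port 38466 ssh2
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# nslcd message body: "[request-id] <lookup> text"
NSLCD_RE = re.compile(r"^\[(?P<req>[0-9a-f]+)\] <(?P<lookup>[^>]+)> (?P<text>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)$")

def parse_syslog(text):
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()

def nslcd_failures(text):
    """Map timestamp -> [(lookup, text)] for nslcd lines that report an unreachable LDAP server."""
    out = defaultdict(list)
    for rec in parse_syslog(text):
        if rec["prog"] != "nslcd":
            continue
        m = NSLCD_RE.match(rec["msg"])
        if m and ("failed to bind" in m["text"] or "no available LDAP server" in m["text"]):
            out[rec["ts"]].append((m["lookup"], m["text"]))
    return out

def correlate(messages, secure):
    """Pair each sshd 'Invalid user' event with nslcd failures logged in the same second."""
    failures = nslcd_failures(messages)
    findings = []
    for rec in parse_syslog(secure):
        if rec["prog"] != "sshd":
            continue
        m = INVALID_RE.match(rec["msg"])
        if not m:
            continue
        related = failures.get(rec["ts"], [])
        findings.append({
            "ts": rec["ts"], "user": m["user"], "src": m["src"],
            # A matching nslcd failure means getpwnam() failed, not the password check.
            "cause": "nss-lookup-failed" if related else "unknown-user",
            "nslcd": related,
        })
    return findings

if __name__ == "__main__":
    for f in correlate(MESSAGES, SECURE):
        print(f["ts"], f["user"], f["cause"], *(f"[{l}] {t}" for l, t in f["nslcd"]), sep="\n  ")
```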

This is how we do it, so be warned, this may not apply to your setup.

A few notes:

  • Our server has a valid CA-signed certificate; if yours is self-signed (Bad(tm)), be sure to change ldap_tls_cacert.

  • We use LDAP to provide sudo rules; if you don't want that, leave it out.

  • You may also want to set ldap_group_search_base, ldap_search_base and ldap_sudo_search_base to restrict sssd's searches to the users/groups that are valid for sssd.

  • Make sure ldap_user_member_of is set to match the group membership attribute on the user side of your directory server. (It's groupmembership for eDirectory.)

  • Be sure to set ldap_access_filter to restrict access to the system. Otherwise, all valid users can log in to your box.

  • Check the user's LDAP data before looking for errors on the sssd/PAM side of the login process.

  • Make sure the permissions of /etc/sssd/sssd.conf are set to 0600.

In our case, my user has these attributes set for LDAP login:

    objectClass: posixAccount
    groupMembership: cn=group1,...
    groupMembership: cn=group2,...
    uid: fuero
    uidNumber: 10000
    gidNumber: 19999
    homeDirectory: /home/fuero

/etc/sssd/sssd.conf

    [domain/default]
    id_provider = ldap
    auth_provider = ldap
    access_provider = ldap
    chpass_provider = ldap
    sudo_provider = ldap
    ldap_uri = ldaps://your.ldap-server.tld:636
    ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
    ldap_tls_reqcert = demand
    ldap_default_bind_dn = cn=your-bind-user
    ldap_default_authtok_type = obfuscated_password
    ldap_default_authtok = your_password_hash
    ldap_schema = rfc2307bis
    cache_credentials = false
    enumerate = false

    [sssd]
    services = nss, pam, ssh, sudo
    config_file_version = 2
    domains = default

    [nss]
    [pam]
    [sudo]
    [autofs]
    [ssh]

Set up nsswitch.conf to use sssd:

    # grep sss /etc/nsswitch.conf
    passwd:     files sss
    shadow:     files sss
    group:      files sss
    services:   files sss
    netgroup:   files sss
    sudoers:    files sss

Verify:

    # id fuero
    uid=100000(fuero) gid=19999(users) groups=20000(group1),20000(group2)

Set up PAM in /etc/pam.d/system-auth-ac (the pam_sss.so and pam_mkhomedir.so lines are the sssd-specific additions):

    #%PAM-1.0
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        sufficient    pam_sss.so use_first_pass
    auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
    auth        required      pam_deny.so
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     sufficient    pam_succeed_if.so uid < 1000 quiet
    account     required      pam_permit.so
    password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    -session    optional      pam_systemd.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so
    session     required      pam_mkhomedir.so umask=0077
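As an added example (my own code, not the answer author's), a small Python checker that applies the notes in this answer to a [domain/default] section: it flags a non-ldaps URI without StartTLS, an ldap_tls_reqcert that does not verify the server certificate, a missing ldap_tls_cacert, a missing ldap_access_filter when access_provider = ldap, a cleartext ldap_default_authtok, and a sssd.conf that is not mode 0600. The embedded config is a constructed copy of the one in this answer (bind DN and token are placeholders), and run against it the checker reports exactly the missing ldap_access_filter the notes warn about.

```python
import configparser
import os
import stat

# Constructed copy of the [domain/default] section shown in the answer above (placeholders kept),
# reduced to the keys the checks below look at.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://your.ldap-server.tld:636
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=your-bind-user
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = your_password_hash
ldap_schema = rfc2307bis
cache_credentials = false
enumerate = false
"""

def audit_domain(conf_text, domain="default"):
    """Return a list of findings for [domain/<domain>], following the notes in the answer."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = f"domain/{domain}"
    d = cp[sec] if cp.has_section(sec) else {}
    findings = []
    uri = d.get("ldap_uri", "")
    # Without ldaps:// or StartTLS the bind token and user data cross the wire in clear.
    if not uri.startswith("ldaps://") and d.get("ldap_id_use_start_tls", "false").lower() != "true":
        findings.append(f"ldap_uri '{uri}' is not ldaps:// and ldap_id_use_start_tls is not enabled")
    # sssd's default for ldap_tls_reqcert is 'hard'; 'demand' and 'hard' both verify the server cert.
    if d.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
        findings.append("ldap_tls_reqcert does not verify the server certificate; use 'demand'")
    if not d.get("ldap_tls_cacert"):
        findings.append("ldap_tls_cacert is not set; point it at the CA that signed the server certificate")
    # The answer's note: with access_provider = ldap and no ldap_access_filter, every valid user may log in.
    if d.get("access_provider") == "ldap" and not d.get("ldap_access_filter"):
        findings.append("access_provider = ldap but ldap_access_filter is unset: all valid users may log in")
    if d.get("ldap_default_authtok") and d.get("ldap_default_authtok_type", "password") != "obfuscated_password":
        findings.append("ldap_default_authtok is stored as a cleartext password")
    if d.get("enumerate", "false").lower() == "true":
        findings.append("enumerate = true pulls the whole directory; rarely needed")
    return findings

def sssd_conf_mode_ok(path="/etc/sssd/sssd.conf"):
    """True if the file is mode 0600, the answer's requirement for /etc/sssd/sssd.conf."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600

if __name__ == "__main__":
    for finding in audit_domain(SAMPLE_SSSD_CONF):
        print("finding:", finding)
```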

The culprit seems to be systemd. Try running nslcd yourself and you will see that it works.

When you start nslcd with systemctl, it spawns a new process when you try to query nslcd. In messages I see:

    Dec 3 19:53:33 myhostname nslcd[2227]: [8b4567] <passwd="myuser"> problem closing server socket (ignored): Bad file descriptor
    Dec 3 19:53:33 myhostname nslcd[2227]: [8b4567] <passwd="myuser"> version 0.8.13 bailing out

I don't understand the root cause, but systemctl has something to do with it.

I have another system that was built before this one and is working; its systemd is systemd-208-11.el7_0.2.x86_64, while the new system that doesn't work has systemd-208-11.el7_0.4.x86_64.

I solved the problem.

I just went into /etc/selinux/config and disabled SELinux by setting SELINUX=disabled.

I did a quick reboot and I could log in without problems.