服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 无法通过PAM和ldaplogin:无法获取密码
Intereting Posts
更改Windows域用户名 caching一个WordPress网站 / etc / hosts文件为多宿主,多域的机器? 基于URL的NAT可以使用端口80吗? 如何解决启动黑屏(无video)? 在exim.config文件中找不到received_header_text 带有WSUS更新和本地组策略的无人参与Windows服务器2012R2 GPO:从两个位置的文件夹redirect:获取个人文件夹两次? php-fpm php_network_getaddresses调用随机启动失败,坏udp cksum 停止Windows域环境caching旧密码? 在哪里挂载共享数据FS? 如何使用Win7和Win2008R2代理和encryption所有的互联网stream量? 使用telnet命令的原因是什么? Windows服务器在计划更新后自动重启 pbs检查一个工作使用了多lesscpu / job%cpu使用率

无法通过PAM和ldaplogin:无法获取密码

我试图让OpenVPN通过LDAP将用户通过PAMauthentication到Active Directory服务器。

以下是我的configuration文件的相关部分:

/etc/openvpn/server.conf

# ... plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so ldap-login

/etc/nslcd.conf

 uri ldap://prod-adc1.mydomain.local base DC=MyDomain,DC=Local uid nslcd gid ldap

/etc/pam.d/ldap-login

 auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass auth required pam_deny.so password sufficient pam_ldap.so minimum_uid=1000 use_first_pass password required pam_deny.so

当我尝试进行身份validation时,我在日志中看到以下内容:

/ var / log / secure

 Dec 4 22:22:42 localhost openvpn[25505]: pam_ldap(ldap-login:auth): failed to get password: Authentication failure

/ var / log / messages

 Dec 4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 TLS: Initial packet from [AF_INET]1.2.3.4:37503, sid=c2d806cc 5c7c7ace Dec 4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1 Dec 4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so Dec 4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 TLS Auth Error: Auth Username/Password verification failed for peer Dec 4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384 Dec 4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 Peer Connection Initiated with [AF_INET]1.2.3.4:37503 Dec 4 22:38:31 localhost openvpn[25504]: 1.2.3.4:37503 PUSH: Received control message: 'PUSH_REQUEST' Dec 4 22:38:31 localhost openvpn[25504]: 1.2.3.4:37503 Delayed exit in 5 seconds Dec 4 22:38:31 localhost openvpn[25504]: 1.2.3.4:37503 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1) Dec 4 22:38:36 localhost openvpn[25504]: 1.2.3.4:37503 SIGTERM[soft,delayed-exit] received, client-instance exiting

我configurationPAM错了吗? 在我的loginconfiguration中是否有我缺less的东西?

编辑:我可以login,如果我做到以下几点: 

 ldapsearch -h prod-adc1.mydomain.local -b "DC=MyDomain,DC=Local" -x -D "[email protected]" -W

如何将其映射到PAM LDAP模块以使OpenVPNlogin按预期工作?

看起来你需要用你的binddnbindpwconfigurationbindpw

请参阅http://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5

希望这可以帮助!

-Byron

工作设置示例(授权用户针对LDAP服务器,在我使用OpenLDAP的示例中,但在此模块中也支持AD) – openvpn-auth-ldap.so):

OpenVPN的-sever.conf: 

 # Authorization against LDAP plugin /usr/lib64/openvpn-auth-ldap.so /some/path/auth-ldap.conf

AUTH-的ldap.conf: 

 <LDAP> # LDAP server URL URL ldap://server.intranet.eko-inwest.com.pl:389 # Bind DN (If your LDAP server doesn't support anonymous binds) # BindDN uid=administrator,ou=users,dc=x,dc=y # BindDN uid=admin,ou=Users,dc=x,dc=y # BindDN [email protected] # Network timeout (in seconds) Timeout 15 # Enable Start TLS TLSEnable no # TLS CA Certificate File # TLSCACertFile /etc/ssl/ca.xycrt </LDAP> <Authorization> # Base DN BaseDN "ou=users,dc=x,dc=y" # User Search Filter #SearchFilter "(uid=%u)" #SearchFilter "(&(uid=%u)(objectclass=posixAccount))" # For Samba's schema SearchFilter "(&(uid=%u)(!(sambaAcctFlags=[DUL ])))" # Require Group Membership RequireGroup true # Add non-group members to a PF table (disabled) # PFTable vpn-users <Group> # Match full user DN if true, uid only if false RFC2307bis false BaseDN "ou=groups,dc=x,dc=y" SearchFilter "(cn=vpn-users)" MemberAttribute memberUid </Group> </Authorization>