2016-07-21

LDAP user authentication using nslcd on Debian 8.x

I installed the libpam-ldapd package on Debian 8.5 and started configuring /etc/nslcd.conf with the following configuration:


# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as. 
uid nslcd 
gid nslcd 

# The location at which the LDAP server(s) should be reachable. 
uri ldap://172.17.192.100 

# The search base that will be used for all queries. 
base DC=myorg,DC=com 

# The LDAP protocol version to use. 
ldap_version 3 

binddn CN=ldapuser,DC=myorg,DC=com 
bindpw secret 

# The search scope. 
#scope sub 
filter passwd (objectClass=person) 
map passwd uid    sAMAccountName 
map passwd uidNumber  employeeID 
map passwd gidNumber  objectSid 

filter shadow (objectClass=person) 
map shadow uid    sAMAccountName 

The problem is that when I log in to the server as [email protected] I get the following log (authentication is successful, but the search fails because of the @myorg.com part; it also uses the nslcd_pam_authc() function):

nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_initialize(ldap://172.17.192.100) 
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_rebind_proc() 
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3) 
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0) 
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0) 
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0) 
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0) 
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON) 
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON) 
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_simple_bind_s("CN=isldap,DC=TI,DC=ads","***") (uri="ldap://172.17.192.100") 
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_result(): end of results (0 total) 
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)([email protected]))") 
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_result(): end of results (0 total) 
nslcd: [e87ccd] DEBUG: connection from pid=9046 uid=0 gid=0 
nslcd: [e87ccd] <authc="[email protected]"> DEBUG: nslcd_pam_authc("[email protected]","sshd","***") 
nslcd: [e87ccd] <authc="[email protected]"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)([email protected]))") 
nslcd: [e87ccd] <authc="[email protected]"> DEBUG: ldap_result(): end of results (0 total) 
nslcd: [e87ccd] <authc="[email protected]"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)([email protected]))") 
nslcd: [e87ccd] <authc="[email protected]"> DEBUG: ldap_result(): end of results (0 total) 
nslcd: [e87ccd] <authc="[email protected]"> DEBUG: "[email protected]": user not found: No such object 

If I log in using only the username, the search succeeds but authentication does not. (It tries to authenticate using the full DN and the ldap_sasl_bind() function.)

nslcd: [8b4567] <host=10.0.2.2> DEBUG: ldap_simple_bind_s("CN=ldapuserDC=myorg,DC=com","***") (uri="ldap://172.17.192.100") 
nslcd: [8b4567] <host=10.0.2.2> DEBUG: ldap_result(): end of results (0 total) 
nslcd: [8b4567] <host=10.0.2.2> DEBUG: myldap_search(base="OU=Guatemala Support Team,OU=TI_Service_Accounts,DC=TI,DC=ads", filter="(&(objectClass=ipHost)(ipHostNumber=10.0.2.2))") 
nslcd: [8b4567] <host=10.0.2.2> DEBUG: ldap_result(): end of results (0 total) 
nslcd: [7b23c6] DEBUG: connection from pid=9099 uid=0 gid=0 
nslcd: [7b23c6] <passwd="user"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)(sAMAccountName=user))") 
nslcd: [7b23c6] <passwd="user"> DEBUG: ldap_initialize(ldap://172.17.192.100) 
nslcd: [7b23c6] <passwd="user"> DEBUG: ldap_set_rebind_proc() 
nslcd: [7b23c6] <passwd="user"> DEBUG: ldap_simple_bind_s("CN=ldapuser,DC=myorg,DC=com","***") (uri="ldap://172.17.192.100") 
nslcd: [7b23c6] <passwd="user"> DEBUG: ldap_result(): CN=User John Doe,DC=myorg,DC=com 
nslcd: [7b23c6] <passwd="user"> CN=User John Doe,DC=myorg,DC=com: objectSid: missing 
nslcd: [7b23c6] <passwd="user"> DEBUG: ldap_result(): end of results (1 total) 
nslcd: [7b23c6] <passwd="user"> DEBUG: myldap_search(base="OU=Guatemala Support Team,OU=TI_Service_Accounts,DC=TI,DC=ads", filter="(&(objectClass=person)(sAMAccountName=user))") 
nslcd: [7b23c6] <passwd="user"> DEBUG: ldap_result(): end of results (0 total) 
nslcd: [3c9869] DEBUG: connection from pid=9099 uid=0 gid=0 
nslcd: [3c9869] <passwd="user"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)(sAMAccountName=user))") 
nslcd: [3c9869] <passwd="user"> DEBUG: ldap_result(): CN=User John Doe,DC=myorg,DC=com 
nslcd: [3c9869] <passwd="user"> CN=User John Doe,DC=myorg,DC=com: objectSid: missing 
nslcd: [3c9869] <passwd="user"> DEBUG: ldap_result(): end of results (1 total) 
nslcd: [3c9869] <passwd="user"> DEBUG: myldap_search(base="OU=Guatemala Support Team,OU=TI_Service_Accounts,DC=TI,DC=ads", filter="(&(objectClass=person)(sAMAccountName=user))") 
nslcd: [3c9869] <passwd="user"> DEBUG: ldap_result(): end of results (0 total) 
nslcd: [334873] DEBUG: connection from pid=9099 uid=0 gid=0 
nslcd: [334873] <passwd="user"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)(sAMAccountName=user))") 
nslcd: [334873] <passwd="user"> DEBUG: ldap_result(): CN=User John Doe,DC=myorg,DC=com 
nslcd: [334873] <passwd="user"> CN=User John Doe,DC=myorg,DC=com: objectSid: missing 
nslcd: [334873] <passwd="user"> DEBUG: ldap_result(): end of results (1 total) 
nslcd: [334873] <passwd="user"> DEBUG: myldap_search(base="OU=Guatemala Support Team,OU=TI_Service_Accounts,DC=TI,DC=ads", filter="(&(objectClass=person)(sAMAccountName=user))") 
nslcd: [334873] <passwd="user"> DEBUG: ldap_result(): end of results (0 total) 
nslcd: [b0dc51] DEBUG: connection from pid=9099 uid=0 gid=0 
nslcd: [b0dc51] <authc="user"> DEBUG: nslcd_pam_authc("user","sshd","***") 
nslcd: [b0dc51] <authc="user"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)(sAMAccountName=user))") 
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_initialize(ldap://172.17.192.100) 
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_set_rebind_proc() 
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_simple_bind_s("CN=ldapuserDC=myorg,DC=com","***") (uri="ldap://172.17.192.100") 
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_result(): CN=User John Doe,DC=myorg,DC=com 
nslcd: [b0dc51] <authc="user"> DEBUG: myldap_search(base="CN=User John Doe,DC=myorg,DC=com", filter="(objectClass=*)") 
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_initialize(ldap://172.17.192.100) 
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_set_rebind_proc() 
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_sasl_bind("CN=User John Doe,DC=myorg,DC=com","***") (uri="ldap://172.17.192.100") 
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580 
nslcd: [b0dc51] <authc="user"> DEBUG: failed to bind to LDAP server ldap://172.17.192.100: Invalid credentials: 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580 
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_unbind() 
nslcd: [b0dc51] <authc="user"> CN=User John Doe,DC=myorg,DC=com: Invalid credentials 
nslcd: [b0dc51] <authc="user"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)(sAMAccountName=user))") 
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_result(): CN=User John Doe,DC=myorg,DC=com 

Question: how do I configure nslcd.conf if I want to:

  • log in with user
  • search on the sAMAccount field equal to user

Thanks in advance, and sorry for the long post.

Answer


In /etc/nslcd.conf, try changing (objectClass=person) to

(&(objectCategory=person)(objectClass=user))

-Jim
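As an added illustration (not part of the question or the answer), a small Python checker that parses an nslcd.conf like the one above, rebuilds the passwd search filter nslcd sends for a login name (the shape visible in the log), and flags what a reviewer would look for: a bind DN missing a comma between RDNs (as the log's ldap_simple_bind_s line shows), gidNumber mapped to the binary objectSid attribute, and a cleartext bindpw. The sample config and the lint messages are constructed for this example.

```python
import re
# Constructed sample modelled on the question's nslcd.conf; the bind DN carries the
# missing comma that the question's log shows ("CN=ldapuserDC=myorg,DC=com").
SAMPLE_CONF = """
uri ldap://172.17.192.100
base DC=myorg,DC=com
binddn CN=ldapuserDC=myorg,DC=com
bindpw secret
filter passwd (objectClass=person)
map passwd uid sAMAccountName
map passwd gidNumber objectSid
"""
# Simplified RDN check: attr=value with no second '=' (escaped commas not handled).
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=]+$")

def parse_nslcd_conf(text):
    """Return {option: [argument list, ...]}; options such as 'map' may repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf.setdefault(key, []).append(args)
    return conf

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter ('@' stays as-is)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_passwd_filter(conf, login):
    """Filter nslcd sends for a passwd lookup: passwd filter AND <uid attribute>=<login>."""
    base_filter = next(a[1] for a in conf["filter"] if a[0] == "passwd")
    uid_attr = next((a[2] for a in conf.get("map", []) if a[:2] == ["passwd", "uid"]), "uid")
    return "(&%s(%s=%s))" % (base_filter, uid_attr, escape_filter_value(login))

def lint(conf):
    """Findings to check before restarting nslcd."""
    findings = []
    for opt in ("base", "binddn"):
        for dn in (a[0] for a in conf.get(opt, [])):
            if not all(RDN_RE.match(rdn) for rdn in dn.split(",")):
                findings.append("%s: malformed DN %r (missing comma between RDNs?)" % (opt, dn))
    for args in conf.get("map", []):
        if args[:2] == ["passwd", "gidNumber"] and args[2].lower() == "objectsid":
            findings.append("gidNumber mapped to objectSid: a binary SID is not a numeric gid; "
                            "see the objectSid:<domain SID> form in nslcd.conf(5)")
    if "bindpw" in conf:
        findings.append("bindpw is cleartext: keep /etc/nslcd.conf owned root:nslcd, mode 0640")
    return findings
```

Running build_passwd_filter with "user@myorg.com" shows why the UPN-style login in the question finds nothing: the realm suffix ends up inside the sAMAccountName comparison, and no AD account has that as its sAMAccountName.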
