LDAP 用户的 nslcd 身份验证失败,并出现错误“查找失败:未返回结果”

问题描述 投票:0回答:2

我在 SSH 登录期间使用 nslcd 服务对 ldap 用户进行身份验证,但失败并出现以下错误

nslcd:[16231b] uid=omc,ou=people,ou=accounts,dc=netact,dc=net:查找失败:未返回结果

下面是ldap用户登录期间的nslcd调试日志,

nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_initialize(ldap://10.91.149.148/)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_rebind_proc()
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_simple_bind_s("uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldap://10.91.149.148/")
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [16231b] DEBUG: connection from pid=7465 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [16231b] <authc="omc"> DEBUG: nslcd_pam_authc("omc","sshd","***")
nslcd: [16231b] <authc="omc"> DEBUG: myldap_search(base="ou=people,ou=accounts,dc=netact,dc=net", filter="(&(objectClass=posixAccount)(uid=omc))")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [16231b] <authc="omc"> DEBUG: myldap_search(base="uid=omc,ou=people,ou=accounts,dc=netact,dc=net", filter="(objectClass=*)")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_initialize(ldap://10.91.149.148/)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_rebind_proc()
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_simple_bind_s("uid=omc,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldap://10.91.149.148/")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [16231b] <authc="omc"> uid=omc,ou=people,ou=accounts,dc=netact,dc=net: lookup failed: No results returned
nslcd: [16231b] <authc="omc"> DEBUG: ldap_unbind()

下面是nslcd.conf:

root@NthlrAtca07> cat /etc/nslcd.conf
binddn uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net
bindpw l0T%OSUe_7m_1~F
tls_reqcert allow

uri ldap://10.91.149.148/
base ou=people,ou=accounts,dc=netact,dc=net
tls_cacertdir /etc/openldap/cacerts
map    passwd loginShell       "/usr/bin/bash"
map    passwd homeDirectory    "/home/$uid"

下面是nsswitch.conf:

root@NthlrAtca07> cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis
passwd:     files ldap
shadow:     files ldap
group:      files ldap
#initgroups: files
#hosts:     db files nisplus nis dns
hosts:      files dns
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
root@NthlrAtca07>

以下是 PAM 政策:

root@NthlrAtca07> cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 dcredit=-1 ocredit=-1 ucredit=0 lcredit=0 minlen=8 maxrepeat=1 maxsequence=4 reject_username
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

我看到设置配置正确,即使 nslcd 无法验证 ldap 用户。您能在这里帮忙吗?

linux bash ldap pam nss
2个回答
2
投票

感谢所有思考这个问题的人。

我发现了真正的问题:

经确认,登录和群组问题是由于 LDAP 服务器中实施的 ACI(访问控制列表)造成的。 此外,nslcd.conf 中使用的用户“uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net”没有读取访问权限,因此在身份验证期间,上述 ACI 规则阻止 ldap 用户访问自己的信息因此身份验证失败。

为了解决此问题,添加了 ACI 规则以赋予用户读取权限,并且身份验证成功。

0
投票

我如何调试 nslcd 并获取这些日志?

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.