Fórum Root.cz
Hlavní témata => Server => Téma založeno: Jonas 11. 02. 2016, 20:08:56
-
Zdravicko,
snazim si rozchodit LDAP na Centos 7. Zatim bez Kerbera :] Bohuzel se nemuzu pohnout z hlasky na strane klienta, kterou dostavam, kdyz se snazi uzivatel prihlasit
pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd
nsswitch
passwd: files ldap
shadow: files ldap
group: files ldap
"/etc/openldap/ldap.conf"
URI ldap://10.0.0.224/
BASE ou=users,dc=test,dc=com
Verze
$OpenLDAP: slapd 2.4.40 (Nov 19 2015 21:55:20) $
authconfig
aching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldap://10.0.0.224/"
LDAP base DN = "ou=users,dc=test,dc=com"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = ""
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is disabled
krb5 realm = ""
krb5 realm via dns is disabled
krb5 kdc = ""
krb5 kdc via dns is disabled
krb5 admin server = ""
pam_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldap://10.0.0.224/"
LDAP base DN = "ou=users,dc=test,dc=com"
LDAP schema = "rfc2307"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = ""
smartcard removal action = ""
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
SMB workgroup = ""
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_sss is disabled by default
credential caching in SSSD is enabled
SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
IPAv2 server = ""
IPAv2 realm = ""
IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
ldapsearch zobrazi uzivatele a je pod spravnou ou
-
Používá ten uživatel schéma RFC 2307? Jaký dotaz přes ldapsearch funguje? Vypíše se ten uživatel po getent passwd test?
-
Pro vytvoreni sem pouzil tenhle ldif
dn: uid=test, ou=users,dc=test,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: test
uid: test
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/test
loginShell: /bin/bash
gecos: test
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
ldapsearch -x -W -D "cn=admin,dc=test,dc=com" -b "dc=test,dc=com"
# test, users, test.com
dn: uid=test,ou=users,dc=test,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: test
uid: test
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/test
loginShell: /bin/bash
gecos: test
shadowMax: 0
shadowWarning: 0
userPassword:: e1NTSEF9WWZnMncxVkIvL2tERStCSWVIUnBJUU10Nm5ndy9UZms=
shadowLastChange: 16842
getent
test:x:16859:100:test:/home/test:/bin/bash
-
Tak LDAP spojení z PAMu funguje, takže je nejspíš chybné nastavení v /etc/pam.d. Zkontrolujte, že ve všech common-* je pam_ldap, a v /etc/pam.d/common-auth nechybí u pam_unix parametr default=ignore (výchozí je default=bad, což při neexistenci lokálního uživatele zamítne přihlášení).
-
Typicky by v /etc/pam.d/common-auth mělo na začátku být něco jako:
# Nejprve zkusí lokální uživatele
# success=n přeskočí n následujících pluginů, pokud tento uspěje
# default=ignore znamená, že pokud neuspěje, tak se to ignoruje a zkusí se další plugin
auth [success=2 default=ignore] pam_unix.so nullok_secure
# Potom LDAP
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
# A když ani jedno neuspěje, tak přístup zamítnut
auth requisite pam_deny.so
-
Nevím jak v CentOS, ale konfigurece LDAP server pro PAM je v Debianu tuším jinde než konfigurace LDAP klienta. Jsou prostě 2 konfiguráky, jeden pro PAM a jeden pro běžné LDAP utility jako je ldapsearch. Není to stejný případ?
-
V nasledujicich souborech je vlozen ldap modul
fingerprint-auth
fingerprint-auth-ac
password-auth
password-auth-ac
smartcard-auth
smartcard-auth-ac
su
system-auth
system-auth-ac
fingerprint-auth:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
fingerprint-auth:session optional pam_ldap.so
fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
fingerprint-auth-ac:session optional pam_ldap.so
password-auth:auth sufficient pam_ldap.so
password-auth:auth sufficient pam_ldap.so use_first_pass
password-auth:account sufficient pam_ldap.so
password-auth:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password-auth:password sufficient pam_ldap.so
password-auth:password sufficient pam_ldap.so
password-auth:session optional pam_ldap.so
password-auth-ac:auth sufficient pam_ldap.so
password-auth-ac:auth sufficient pam_ldap.so use_first_pass
password-auth-ac:account sufficient pam_ldap.so
password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password-auth-ac:password sufficient pam_ldap.so
password-auth-ac:password sufficient pam_ldap.so
password-auth-ac:session optional pam_ldap.so
smartcard-auth:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
smartcard-auth:session optional pam_ldap.so
smartcard-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
smartcard-auth-ac:session optional pam_ldap.so
su:auth sufficient pam_ldap.so
system-auth:auth sufficient pam_ldap.so use_first_pass
system-auth:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
system-auth:password sufficient pam_ldap.so use_authtok
system-auth:session optional pam_ldap.so
system-auth-ac:auth sufficient pam_ldap.so use_first_pass
system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
system-auth-ac:password sufficient pam_ldap.so use_authtok
system-auth-ac:session optional pam_ldap.so
Pam_unix
fingerprint-auth:account required pam_unix.so broken_shadow
fingerprint-auth:session required pam_unix.so
fingerprint-auth-ac:account required pam_unix.so broken_shadow
fingerprint-auth-ac:session required pam_unix.so
password-auth:auth sufficient pam_unix.so nullok try_first_pass
password-auth:account required pam_unix.so broken_shadow
password-auth:password sufficient pam_unix.so sha512 shadow nullok try_first_pass
password-auth:session required pam_unix.so
password-auth-ac:auth sufficient pam_unix.so nullok try_first_pass
password-auth-ac:account required pam_unix.so broken_shadow
password-auth-ac:password sufficient pam_unix.so sha512 shadow nullok try_first_pass
password-auth-ac:session required pam_unix.so
runuser:session required pam_unix.so
smartcard-auth:account required pam_unix.so broken_shadow
smartcard-auth:session required pam_unix.so
smartcard-auth-ac:account required pam_unix.so broken_shadow
smartcard-auth-ac:session required pam_unix.so
system-auth:auth sufficient pam_unix.so likeauth nullok
system-auth:password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
system-auth:session required pam_unix.so
system-auth-ac:auth sufficient pam_unix.so likeauth nullok
system-auth-ac:password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
system-auth-ac:session required pam_unix.so
default=bad
fingerprint-auth:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
login:auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
password-auth:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
smartcard-auth:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
smartcard-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_ldap.so
Zmenil sem bad na ignore v password-auth,login a problem pretrvava
-
nema s timhle nikdo zkusenost?