使用具有代理授权的 GSSAPI 对 OpenLDAP 服务器进行 NSS 查询

简短的回答

确保您/etc/krb5.keytab与您的host/*委托人有效，例如：

rpi ~$ sudo kadmin -p user/admin
kadmin:  addprinc -policy host -randkey host/<hostname>.home.hoeft-online.de
kadmin:  ktadd -k /etc/krb5.keytab host/<hostname>.home.hoeft-online.de
kadmin:  q

nscd如果可用，则禁用缓存守护程序sudo systemctl disable --now nscd.service。不要将其与nslcd. 然后检查代理授权：

rpi ~$ sudo apt install libsasl2-modules-gssapi-mit ldap-utils
rpi ~$ kinit -p ingo
rpi ~$ ldapwhoami -Y GSSAPI -H ldap://kdc-master.home.hoeft-online.de -D "uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de"
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
dn:uid=ingo,ou=people,ou=home,dc=hoeft-online,dc=de

然后安装：

rpi ~$ sudo apt install libnss-ldapd kstart

只需接受安装对话框中的默认设置即可。我们用这些配置文件覆盖它们。将它们与您的设置一起使用：
nslcd.conf

~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# Logging options, default is info
#log syslog debug

# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de

# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de

# The DN to bind with for normal lookups.
binddn uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de

# Timing/reconnect options
# You may optimize this for your environment
#bind_timelimit 10
timelimit 30
idle_timelimit 3600
reconnect_sleeptime 2
#reconnect_retrytime 10

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# SASL options
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt

# Other options
nss_initgroups_ignoreusers ALLLOCAL

nsswitch.conf

~$ cat /etc/nsswitch.conf
passwd:         files ldap
group:          files ldap
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

重新启动服务并检查。确保ingo在/etc/passwd.

rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ getent passwd | grep ingo

使用 Kerberos 身份验证设置 PAM 登录：

rpi ~$ sudo apt install libpam-krb5
rpi ~$ sudo pam-auth-update
# select what you need
[*] Kerberos authentication
[*] Unix authentication
[*] Create home directory on login

# check
rpi ~$ kdestroy
rpi ~$ su -l ingo
password:
ingo@rpi ~$ klist
ingo@rpi ~$ logout
rpi ~$

安装 nscd 缓存守护进程（如果已经可用，则启用它）：

rpi ~$ sudo apt install nscd

而已。

更多细节

我花了几天时间检查设置有什么问题。对于故障排除，您可以在 LDAP 服务器上增加日志以调试输出olcLogLevel: any：

slapd ~$ echo 'dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any' > /tmp/in.ldif

slapd ~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/in.ldif

在客户端设备上，只需取消注释/etc/nslcd.conf.

重新启动服务并禁用缓存守护程序nscd（不要与混淆nslcd），因为nscd可能会混淆测试：

rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ sudo systemctl disable --now nscd.service

完成后不要忘记恢复调试日志并启用nscd。执行getent passwd您将在客户端日志中看到它甚至没有以 开头GSSAPI client step 1，什么都没有。我意识到 nslcd.service 没有获得任何凭据来/var/run/nslcd/nslcd.tkt进行身份验证。我四处寻找，发现/etc/default/nslcd必须启动/usr/bin/k5start，但没有安装，也没有记录。所以只需安装它：

rpi ~$ sudo apt install kstart

现在日志显示 GSSAPI 从第 1 步开始，但随后中止。

最令人困惑的是在安装时出现的设置对话框libnss-ldapd。它要求我使用 GSSAPI 设置错误的条目，特别是代理用户的可分辨名称 (sasl_authzid)。这是不可用的。相反，您必须使用普通的binddn。只需接受对话框设置中的默认设置，然后使用简短答案中的配置文件。

我将systemd-networkd与systemd-resolved一起使用。使用 systemd 解析器时，我在登录时遇到了令人讨厌的 60 秒延迟，这是不可接受的。显示journal -b查询 ldap 服务器的组成员身份在 60 秒后超时：

Feb 26 01:25:45 titan systemd[1]: Reached target Network is Online.
Feb 26 01:25:45 titan systemd[1]: Starting LSB: LDAP connection daemon...
Feb 26 01:25:45 titan nslcd[441]: Starting Keep alive Kerberos ticket: k5start.
Feb 26 01:25:45 titan nslcd[455]: version 0.9.10 starting
Feb 26 01:25:45 titan nslcd[455]: accepting connections
Feb 26 01:25:45 titan nslcd[441]: Starting LDAP connection daemon: nslcd.
Feb 26 01:25:45 titan systemd[1]: Started LSB: LDAP connection daemon.
Feb 26 01:25:46 titan login[435]: pam_krb5(login:auth): authentication failure; logname=local uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Feb 26 01:25:46 titan login[435]: pam_unix(login:session): session opened for user local by LOGIN(uid=0)
Feb 26 01:25:46 titan systemd[1]: Created slice User Slice of UID 65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Runtime Directory /run/user/65533...
Feb 26 01:25:46 titan systemd-logind[428]: New session 1 of user local.
Feb 26 01:25:46 titan systemd[1]: Started User Runtime Directory /run/user/65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Manager for UID 65533...

Feb 26 01:26:11 titan login[435]: pam_systemd(login:session): Failed to create session: Connection timed out
Feb 26 01:26:46 titan dbus-daemon[426]: [system] Connection has not authenticated soon enough, closing it (auth_timeout=30000ms, elapsed: 60060ms)
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> failed to bind to LDAP server ldap://kdc-master.home.hoeft-online.de: Can't contact LDAP server: Invalid argument
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> no available LDAP server found: Can't contact LDAP server: Invalid argument

Feb 26 01:26:46 titan nslcd[455]: GSSAPI client step 1
Feb 26 01:26:46 titan systemd[468]: pam_unix(systemd-user:session): session opened for user local by (uid=0)
Feb 26 01:26:46 titan nslcd[455]: [3c9869] <group/member="local"> connected to LDAP server ldap://kdc-master.home.hoeft-online.de
Feb 26 01:26:46 titan systemd[1]: Started User Manager for UID 65533.
Feb 26 01:26:46 titan systemd[1]: Started Session 1 of user local.

经过几天的错误搜寻，我发现该选项已nss_initgroups_ignoreusers ALLLOCAL修复/etc/nslcd.conf此错误。此选项可防止通过非 LDAP 用户的 LDAP 查找组成员资格。这意味着像系统帐户这样的本地注册用户将不会查找 LDAP 服务器。