问题[pam-ldap](server)

语境

我这里有 2 台不同的机器，它们的主要区别是一个运行 CentOS6，另一个运行 CentOS7。两者都运行最新的可用分发版本的 lib：COS7 为 0.8.13，CentOS6 为 0.7.5 两者都运行“正常”配置的 nss-pam-ldapd：

/etc/nslcd.conf

uid nslcd
gid ldap

uri ldap://ldap.example.org/
base dc=example,dc=org

ssl no
tls_cacertdir /etc/openldap/cacerts
idle_timelimit 240

base   group  ou=groups,dc=example,dc=org

binddn cn=Readonly,dc=example,dc=org
bindpw **************

服务器权限：

olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=cube-net,dc=org" write by dn="cn=Readonly,dc=example,dc=org" none by anonymous auth by self write by * none
olcAccess: {1}to dn.base="cn=Readonly,dc=example,dc=org" by dn="cn=Manager,dc=example,dc=org" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=Manager,dc=example,dc=org" write by dn="cn=Readonly,dc=example,dc=org" read by self write by * read

问题

我可以很好地查找用户，但我无法以su在 CentOS 7 上使用的用户身份登录。我得到：

mveroone@vm:~$ passwd
Changing password for user mveroone.
(current) LDAP Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
mveroone@vm:~$ su - mveroone
Password: 
su: Permission denied
mveroone@vm:~$ ssh localhost
Authorized uses only. All activity may be \ monitored and reported.
mveroone@localhost's password: 
Last login: Fri Aug 20 16:10:24 2021

Authorized uses only. All activity may be \ monitored and reported.
mveroone@vm:~$ 

所以是的，我可以使用 SSH 登录，更改我的密码，但不能使用 su。

我试过的

使用简单的绑定方法在两台服务器上执行 aldapwhoami工作，但不是 SASL（无可用机制）

root@vm:~# ldapwhoami -D uid=user,ou=users,dc=example,dc=org -W -H ldap://ldap.example.org  
Enter LDAP Password: 
dn:uid=user,ou=users,dc=example,dc=org

nslcd -d在尝试使用密码验证时运行su仅在 COS7 中显示：

nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable

尽管根据几个邮件列表线程，这似乎是一个可以忽略的错误。

当使用附加调试（）运行 nslcd 时nslcd -dd，我可以看到它首先尝试与用户绑定，这成功了，然后它搜索'(objectClass=*)'，过滤属性：dn和 base = 本身有效：

ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_search_ext
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_build_search_req ATTRS: dn
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x7f7a9800cf60 msgid 2
wait4msg ld 0x7f7a9800cf60 msgid 2 (timeout 10000000 usec)
wait4msg continue ld 0x7f7a9800cf60 msgid 2 all 0
** ld 0x7f7a9800cf60 Connections:
 * host: ldap.example.org  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Aug 20 11:42:05 2021


** ld 0x7f7a9800cf60 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f7a9800cf60 request count 1 (abandoned 0)
** ld 0x7f7a9800cf60 Response Queue:
   Empty
  ld 0x7f7a9800cf60 response count 0
ldap_chkResponseList ld 0x7f7a9800cf60 msgid 2 all 0
ldap_chkResponseList returns ld 0x7f7a9800cf60 NULL
ldap_int_select
read1msg: ld 0x7f7a9800cf60 msgid 2 all 0
read1msg: ld 0x7f7a9800cf60 msgid 2 message type search-entry
ldap_get_dn
nslcd: [0e0f76] <authc="user"> DEBUG: ldap_result(): uid=user,ou=users,dc=example,dc=org
ldap_msgfree
ldap_abandon 2
ldap_abandon_ext 2
do_abandon origid 2, msgid 2
ldap_msgdelete ld=0x7f7a9800cf60 msgid=2
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_msgfree
nslcd: [0e0f76] <authc="user"> DEBUG: ldap_unbind()
ldap_unbind

所以路径是：

• 绑定（确定）
• 搜索自己的DN（ok）
• 放弃
• 解绑

然后告诉我它无法验证用户。（“权限被拒绝”，所以它与“身份验证失败”不同）我执行了一个数据包捕获，它显示了同样的事情。

我已经尝试通过 nslcd 的 0.8.x 版本的变更日志来查看是否发生了一些变化，但是有很多变化，没有足够的细节。

您好我有一台 Linux 服务器 (18.04)，它使用 netatalk 服务充当 TimeMachine 备份服务器。用户正在使用 LDAP (/etc/ldap.conf) 进行身份验证

客户端可以连接到 AFP 挂载做 TimeMachine 备份和注销就好了。如果您需要共享更多 conf 文件，请告诉我。

AFPD 版本：

    afpd -V
afpd 2.2.6 - Apple Filing Protocol (AFP) daemon of Netatalk

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version. Please see the file COPYING for further information and details.

afpd has been compiled with support for these features:

          AFP versions: 1.1 2.0 2.1 2.2 3.0 3.1 3.2 3.3 
DDP(AppleTalk) Support: Yes
         CNID backends: dbd last tdb 
           SLP support: No
      Zeroconf support: Avahi
  TCP wrappers support: Yes
         Quota support: Yes
   Admin group support: Yes
    Valid shell checks: Yes
      cracklib support: Yes
        Dropbox kludge: No
  Force volume uid/gid: No
            EA support: ad | sys
           ACL support: Yes
          LDAP support: Yes

             afpd.conf: /etc/netatalk/afpd.conf
   AppleVolumes.system: /etc/netatalk/AppleVolumes.system
  AppleVolumes.default: /etc/netatalk/AppleVolumes.default
    afp_signature.conf: /etc/netatalk/afp_signature.conf
      afp_voluuid.conf: /etc/netatalk/afp_voluuid.conf
         afp_ldap.conf: /etc/netatalk/afp_ldap.conf
       UAM search path: /usr/lib/netatalk/
  Server messages path: /etc/netatalk/msg/
              lockfile: /var/run/afpd.pid

/etc/pam.d/common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

#auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

/etc/pam.d/common-account

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

/etc/pam.d/common-session

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional                        pam_ldap.so
session optional        pam_systemd.so
session optional                        pam_mkhomedir.so skel=/etc/skel/ umask=0066
# end of pam-auth-update config

/etc/pam.d/common-password

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password        requisite                       pam_cracklib.so retry=3 minlen=8 difok=3
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

auth.log 中的错误日志

Jul 20 11:05:17 server afpd[5131]: pam_unix(netatalk:auth): authentication failure; logname= uid=0 euid=0 tty=afpd ruser=demouser rhost=192.168.1.10  user=demouser
Jul 20 11:05:17 server afpd[5131]: pam_unix(netatalk:session): session opened for user demouser by (uid=0)
Jul 20 11:05:17 server systemd-logind[1166]: New session c23 of user demouser.
Jul 20 11:06:21 server afpd[5131]: pam_unix(netatalk:session): session closed for user demouser
Jul 20 11:06:21 server dbus-daemon[1278]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.69" (uid=10001 pid=5131 comm="/usr/sbin/afpd -U uams_dhx2.so,uams_clrtxt.so -g n" label="unconfined") interface="org.freedesktop.login1.Manager" member="ReleaseSession" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=1166 comm="/lib/systemd/systemd-logind " label="unconfined")
Jul 20 11:06:21 server afpd[5131]: pam_systemd(netatalk:session): Failed to release session: Access denied
Jul 20 11:06:21 server afpd[5131]: PAM audit_log_acct_message() failed: Operation not permitted
Jul 20 11:06:21 server systemd-logind[1166]: Removed session c23.

我正在尝试将 PAM 配置为与我的 LDAP 服务器一起进行身份验证。为此，我尝试使用 libpam-ldap，出于两个原因，我决定使用 libpam-ldap 而不是 libpam-ldapd。首先，libpam-ldapd 似乎不支持基于组的身份验证，这意味着我无法控制哪些用户可以使用 LDAP 组访问哪些服务（至少对于使用 PAM 的服务），其次当我尝试安装 libpam -ldapd 整个服务器变得非常无响应，需要 30 秒以上来处理命令。

进行身份验证尝试时，libpam_ldap 会正确尝试在端口 636 上联系所需的 LDAP 服务器，但不会进行绑定尝试。重新配置 libpam-ldap 以通过端口 389 上的非 TLS 连接连接到 LDAP 服务器会导致绑定尝试被我的 LDAP 服务器的非 TLS 连接身份验证策略正确拒绝。

我正在运行 Debian 10.4，我的 pam_ldap.conf 文件（作为我的故障排除过程的一部分，我已精简为最小配置）如下

base ou=people,dc=example,dc=com
uri ldaps://example.com/
ldap_version 3
binddn uid=0,ou=servers,dc=example,dc=com
bindpw mypassword
pam_login_attribute displayName
pam_password clear
ssl on
tls_checkpeer no
tls_cacertdir /etc/ssl/certs
logdir /var/log/pamldap

在任何地方都说示例，实际配置具有正确的值。密码设置为清除，因为密码散列正在由 ppolicy 处理服务器端。指定“ssl on”、“tls_checkpeer”和“tls_cacertdir”的选项都包含在我的故障排除过程中，它们的组合不会导致成功连接到 LDAP 服务器。

配置中的 logdir 标志不起作用，因此 libpam-ldap 不生成日志，这使得故障排除非常复杂。到目前为止，故障排除包括尝试验证 FTP 用户、监视 LDAP 服务器上的日志以及传播到 FTP 客户端的信息。在 libpam-ldap 配置为使用 TLS 时尝试登录会导致 FTP 客户端超时，并在 LDAP 服务器上登录以下日志

Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: slap_listener_activate(8):
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 busy
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: >>> slap_listener(ldaps:///)
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: listen=8, new connection on 12
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]: daemon: added 12r (active) listener=(nil)
Jun  4 15:11:05 MyServer slapd[831]:  12r
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: read active on 12
Jun  4 15:11:05 MyServer slapd[831]: conn=1000 fd=12 ACCEPT from IP=X.X.X.X:1025 (IP=0.0.0.0:636)
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: connection_get(12)
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: connection_get(12): got connid=1000
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:  12r
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: read active on 12
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: connection_get(12)
Jun  4 15:11:05 MyServer slapd[831]: connection_get(12): got connid=1000
Jun  4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:  12r
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: read active on 12
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: connection_get(12)
Jun  4 15:11:05 MyServer slapd[831]: connection_get(12): got connid=1000
Jun  4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero

尝试通过未加密的连接登录会导致 FTP 客户端收到 530 登录错误响应和“严重错误：无法连接到服务器”错误消息，并且 LDAP 服务器记录以下日志

Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: slap_listener_activate(8):
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 busy
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: >>> slap_listener(ldap:///)
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: listen=8, new connection on 14
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]:  14r
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: daemon: added 14r (active) listener=(nil)
Jun  4 15:27:20 MyServer slapd[5866]: daemon: read active on 14
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 fd=14 ACCEPT from IP=X.X.X.X:47982 (IP=0.0.0.0:389)
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: connection_get(14)
Jun  4 15:27:20 MyServer slapd[5866]: connection_get(14): got connid=1002
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: connection_read(14): checking for input on id=1002
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]: op tag 0x60, time 1591298840
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 do_bind
Jun  4 15:27:20 MyServer slapd[5866]: >>> dnPrettyNormal: <uid=0,ou=servers,dc=example,dc=com>
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: <<< dnPrettyNormal: <uid=0,ou=servers,dc=example,dc=com>, <uid=0,ou=servers,dc=example,dc=com>
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 BIND dn="uid=0,ou=servers,dc=example,dc=com" method=128
Jun  4 15:27:20 MyServer slapd[5866]: do_bind: version=3 dn="uid=0,ou=servers,dc=example,dc=com" method=128
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: send_ldap_result: conn=1002 op=0 p=3
Jun  4 15:27:20 MyServer slapd[5866]: send_ldap_result: err=13 matched="" text="confidentiality required"
Jun  4 15:27:20 MyServer slapd[5866]: send_ldap_response: msgid=1 tag=97 err=13
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 RESULT tag=97 err=13 text=confidentiality required
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]:  14r
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: daemon: read active on 14
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: connection_get(14)
Jun  4 15:27:20 MyServer slapd[5866]: connection_get(14): got connid=1002
Jun  4 15:27:20 MyServer slapd[5866]: connection_read(14): checking for input on id=1002
Jun  4 15:27:20 MyServer slapd[5866]: op tag 0x42, time 1591298840
Jun  4 15:27:20 MyServer slapd[5866]: ber_get_next on fd 14 failed errno=0 (Success)
Jun  4 15:27:20 MyServer slapd[5866]: connection_read(14): input error=-2 id=1002, closing.
Jun  4 15:27:20 MyServer slapd[5866]: connection_closing: readying conn=1002 sd=14 for close
Jun  4 15:27:20 MyServer slapd[5866]: connection_close: deferring conn=1002 sd=14
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=1 do_unbind
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=1 UNBIND
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: connection_resched: attempting closing conn=1002 sd=14
Jun  4 15:27:20 MyServer slapd[5866]: connection_close: conn=1002 sd=14
Jun  4 15:27:20 MyServer slapd[5866]: daemon: removing 14
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 fd=14 closed

这似乎是我的 LDAP 服务器的正确策略响应。

为了澄清我的问题：libpam_ldap 无法通过 TLS 与我的 LDAP 服务器通信，谁能告诉我为什么会这样以及我需要做什么来解决这个问题。如果您认为这不是我遇到的问题，您认为问题是什么，您认为我需要做什么来解决该问题？

如果在 Debian Buster 操作系统上使用带有 nss-pam-ldapd 的 LDAP 身份验证， SASL/GSSAPI 需要通过代理授权对 LDAP 服务器进行 Kerberos 身份验证。我尝试在我的 Raspberry Pi 上将其配置为单点登录，但无法使其正常工作。

我的 ldap 服务器配置了How to setup SASL Proxy Authorization with an OpenLDAP server on Debian。我将代理用户命名为proxyuser，因此它的专有名称是uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de.

根据在 Debian 系统上使用 nss-pam-ldapd 的 LDAP 身份验证，libnss-ldapd除了libpam-ldapdGSSAPI 插件之外，我还必须安装软件包libsasl2-modules-gssapi-mit。但我将使用libpam-krb5而不是libpam-ldapd：

rpi ~$ sudo apt install libsasl2-modules-gssapi-mit libnss-ldapd ldap-utils

安装时会出现一个配置对话框，其中设置存储在/etc/nslcd.conf和中/etc/nsswitch.conf。我必须再次配置

rpi ~$ sudo dpkg-reconfigure nslcd
rpi ~$ sudo dpkg-reconfigure libnss-ldapd

我从对话框中给出的设置是：

rpi ~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de

# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
sasl_authzid dn:uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de

~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

现在，getent passwd我希望从 LDAP 服务器获得ingo的凭据。它不存储在本地/etc/passwd。但我只从/etc/passwd. 在 LDAP 服务器的日志中，我可以看到没有尝试绑定到proxyuser。我在这里缺少什么？
为什么getent不从 LDAP 服务器获取凭据？

我们的用户和组 LDAP 配置正在运行。

我们的服务器使用 LDAP 来存储用户和组。

# /etc/nsswitch.conf :
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

但是今天我们在 LDAP 中添加了一个新组，有 3 个用户，然后添加了其他用户。3 个用户在组中，但其他用户不在组中。

我们可以通过使用“groups”看到这一点：更准确地说，“getent group GROUPNAME”显示组中的用户，而“groups”不显示该用户的组......？！

因此我试图理解：

• 是否有某种组缓存 - LDAP 列表？
• 或者同步是否有可能失败，如果是，如何手动重新启动它？

抱歉，我的问题没有更准确，但我真的不知道从哪里开始......

PS 配置文件

# /etc/ldap/ldap.conf
URI     ldap://172.16.1.232
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt


# /etc/pam_ldap.conf
base dc=ourdomain,dc=ch
uri ldap://172.16.1.232/
ldap_version 3
rootbinddn cn=admin,dc=ourdomain,dc=ch
pam_password crypt

我目前的情况是我可以使用ldapand成功进行身份验证pam，我也成功地使用pam_mkdir在文件系统中自动创建主目录/home。

现在我要实现的是自动创建相同的主目录，但在自动安装的 nfs 导出上。自动挂载正常工作，并且homes可以正确访问根目录。目的是避免nfs手动创建房屋。

我花了两天时间潜伏，但我没有成功地将所有信息合并在一起。

我仍然有的问题：

• 可以pam_mkdir通过 nfs 创建目录吗？
• 如果安装的homes路径不是标准的（例如，房屋安装到/mnt/nfs/homes），怎么pam_mkdir知道？使用homeDirectoryLDAP 属性？
• 我应该在创建用户后触发 LDAP 服务器上的创建吗？
• 我是否在想一个实际上更简单的问题？

我们正在运行 SunLDAP（Sun/Oracle 目录服务器 11），并希望我们的 Linux/Unix 机器能够针对 LDAP 进行身份验证，并使用 LDAP 来存储 SUDO 策略。为此需要哪些架构扩展？

我在我的网络中观察到一种奇怪的行为。

我将我的网络用户存储在 OpenLDAP 2.4 中，它也为 samba 3.6 域提供服务。

我的 NFS 服务器上有用户配额，这就是我偶然发现“问题”的地方。

当我调用repquota -up它时，它会显示数字 ID，而不是某个数字 ID 的 uid。

如果我调用repquota -upC所有 LDAP 用户 UID 都会显示，所以我认为目前这不是一个真正的问题。

据我所知，一切正常。我可以登录，id显示正确的信息。ls还显示正确的 UID 而不是数字 ID。

到目前为止，repquota -up可以重现来自的行为，即不显示某个点之后的 LDAP 用户。genent passwd

而且，在进一步考虑这一点时，我们也有问题，那个手指只能在两个方向上工作，直到有问题的 UID。这意味着，这finger <Realname>只会为具有较小（因此较旧的数字 ID）的用户产生结果。finger uid总是产生正确的结果。

我继续阅读nscd并nslcd玩弄了 nscd max-db-size，但这并没有改变。我nscd在所有执行 LDAP 身份验证的机器上安装并运行，但只安装nslcd在一台机器上以试验这个问题。

操作系统从 Debian 7 和 8 到 Ubuntu Server LTS 14.04 和 16.04 不等。我使用 libnss-ldap 和 libpam-ldap。

正如我所说，我没有真正的问题，除了，如果用户超过配额，我有时只会看到数字 ID。我可以通过更改repquota. 但我有点害怕，我有一些错误配置，可能会在某些时候导致问题。

所以我的问题是，如果有人知道我可以在哪里解决这个问题？或者，如果这是某种预期的行为。目前我不知道在哪里寻找线索。

干杯，克里斯托夫

这是我一直在努力解决的一个奇怪问题。我在 debian 8 上通过 pam 有一个有效的 ldap 和身份验证。我已经成功测试了 pam_mkhomedir，并且我为登录用户获得了一个主目录，其所有权为用户名：组名。

在项目的第二阶段，我在 /home/nfs 上创建了一个 nfs (nfsv4) 挂载，我想将我的主目录放在那里，以便我可以跨服务器共享它们。我面临的问题是，当我使用 pam_mkhomdir 创建主目录时，它拥有nobody:nogroup 的所有权。如果我以 ldap 用户身份手动登录创建这个，我会得到正确的所有权用户名：组名，所以我相当确定 nfs 可以处理 ldap 用户名。

idmap 配置为使用 nsswitch 和

id ldapuser

在 nfs 客户端和服务器上返回相同的信息。ldap登录也适用于它们

有没有人知道为什么 pam_mkhomdir 在 nfs 与 ldap 用户一起工作时会默认为nobody：nogroup？