I am trying to configure PAM to authenticate against my LDAP server. To do this I am trying to use libpam-ldap; I decided on libpam-ldap rather than libpam-ldapd for two reasons. First, libpam-ldapd does not seem to support group-based authentication, meaning I cannot control which users can access which services using LDAP groups (at least for services that use PAM), and second, when I tried installing libpam-ldapd the whole server became very unresponsive, taking 30+ seconds to process commands.
When an authentication attempt is made, libpam_ldap correctly tries to contact the required LDAP server on port 636, but no bind attempt is made. Reconfiguring libpam-ldap to connect to the LDAP server over a non-TLS connection on port 389 results in the bind attempt being correctly rejected by my LDAP server's authentication policy for non-TLS connections.
I am running Debian 10.4, and my pam_ldap.conf file (which I have stripped down to a minimal configuration as part of my troubleshooting) is as follows:
base ou=people,dc=example,dc=com
uri ldaps://example.com/
ldap_version 3
binddn uid=0,ou=servers,dc=example,dc=com
bindpw mypassword
pam_login_attribute displayName
pam_password clear
ssl on
tls_checkpeer no
tls_cacertdir /etc/ssl/certs
logdir /var/log/pamldap
Wherever it says example, the real configuration has the correct values. The password is set to clear because password hashing is being handled server-side by ppolicy. The options specifying "ssl on", "tls_checkpeer" and "tls_cacertdir" were all included as part of my troubleshooting; no combination of them results in a successful connection to the LDAP server.
The logdir flag in the config does not work, so libpam-ldap produces no logs, which makes troubleshooting very complicated. So far, troubleshooting has consisted of trying to authenticate an FTP user and watching the logs on the LDAP server as well as the information propagated to the FTP client. Attempting to log in while libpam-ldap is configured to use TLS causes the FTP client to time out, and the following is logged on the LDAP server:
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: slap_listener_activate(8):
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 busy
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: >>> slap_listener(ldaps:///)
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: listen=8, new connection on 12
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]: daemon: added 12r (active) listener=(nil)
Jun 4 15:11:05 MyServer slapd[831]: 12r
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: read active on 12
Jun 4 15:11:05 MyServer slapd[831]: conn=1000 fd=12 ACCEPT from IP=X.X.X.X:1025 (IP=0.0.0.0:636)
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: connection_get(12)
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: connection_get(12): got connid=1000
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]: 12r
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: read active on 12
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: connection_get(12)
Jun 4 15:11:05 MyServer slapd[831]: connection_get(12): got connid=1000
Jun 4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]: 12r
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: read active on 12
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: connection_get(12)
Jun 4 15:11:05 MyServer slapd[831]: connection_get(12): got connid=1000
Jun 4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun 4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun 4 15:11:05 MyServer slapd[831]:
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Attempting to log in over an unencrypted connection results in the FTP client receiving a 530 login error response and a "Critical error: Could not connect to server" error message, and the LDAP server logs the following:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: slap_listener_activate(8):
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 busy
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: >>> slap_listener(ldap:///)
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: listen=8, new connection on 14
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]: 14r
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: added 14r (active) listener=(nil)
Jun 4 15:27:20 MyServer slapd[5866]: daemon: read active on 14
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 fd=14 ACCEPT from IP=X.X.X.X:47982 (IP=0.0.0.0:389)
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: connection_get(14)
Jun 4 15:27:20 MyServer slapd[5866]: connection_get(14): got connid=1002
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: connection_read(14): checking for input on id=1002
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]: op tag 0x60, time 1591298840
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 do_bind
Jun 4 15:27:20 MyServer slapd[5866]: >>> dnPrettyNormal: <uid=0,ou=servers,dc=example,dc=com>
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: <<< dnPrettyNormal: <uid=0,ou=servers,dc=example,dc=com>, <uid=0,ou=servers,dc=example,dc=com>
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 BIND dn="uid=0,ou=servers,dc=example,dc=com" method=128
Jun 4 15:27:20 MyServer slapd[5866]: do_bind: version=3 dn="uid=0,ou=servers,dc=example,dc=com" method=128
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: send_ldap_result: conn=1002 op=0 p=3
Jun 4 15:27:20 MyServer slapd[5866]: send_ldap_result: err=13 matched="" text="confidentiality required"
Jun 4 15:27:20 MyServer slapd[5866]: send_ldap_response: msgid=1 tag=97 err=13
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 RESULT tag=97 err=13 text=confidentiality required
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]: 14r
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: read active on 14
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: connection_get(14)
Jun 4 15:27:20 MyServer slapd[5866]: connection_get(14): got connid=1002
Jun 4 15:27:20 MyServer slapd[5866]: connection_read(14): checking for input on id=1002
Jun 4 15:27:20 MyServer slapd[5866]: op tag 0x42, time 1591298840
Jun 4 15:27:20 MyServer slapd[5866]: ber_get_next on fd 14 failed errno=0 (Success)
Jun 4 15:27:20 MyServer slapd[5866]: connection_read(14): input error=-2 id=1002, closing.
Jun 4 15:27:20 MyServer slapd[5866]: connection_closing: readying conn=1002 sd=14 for close
Jun 4 15:27:20 MyServer slapd[5866]: connection_close: deferring conn=1002 sd=14
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun 4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun 4 15:27:20 MyServer slapd[5866]:
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=1 do_unbind
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=1 UNBIND
Jun 4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun 4 15:27:20 MyServer slapd[5866]: connection_resched: attempting closing conn=1002 sd=14
Jun 4 15:27:20 MyServer slapd[5866]: connection_close: conn=1002 sd=14
Jun 4 15:27:20 MyServer slapd[5866]: daemon: removing 14
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 fd=14 closed
This appears to be the correct policy response from my LDAP server.
To clarify my question: libpam_ldap cannot communicate with my LDAP server over TLS. Can anyone tell me why this is happening and what I need to do to fix it? If you think this is not the problem I am having, what do you think the problem is, and what do you think I need to do to resolve it?
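An added example (not part of the question) that correlates slapd log lines per connection so the two signatures above can be told apart: an ACCEPT on the ldaps listener that is never followed by a BIND, versus a plaintext BIND that the server refuses with err=13 "confidentiality required". The sample log is constructed, condensed from the two excerpts in the question; the diagnosis strings are heuristics, not slapd's own messages.

```python
import re
from collections import OrderedDict

# Constructed sample: condensed from the two slapd excerpts in the question.
SAMPLE_LOG = """\
Jun 4 15:11:05 MyServer slapd[831]: conn=1000 fd=12 ACCEPT from IP=X.X.X.X:1025 (IP=0.0.0.0:636)
Jun 4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 fd=14 ACCEPT from IP=X.X.X.X:47982 (IP=0.0.0.0:389)
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 BIND dn="uid=0,ou=servers,dc=example,dc=com" method=128
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 RESULT tag=97 err=13 text=confidentiality required
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 op=1 UNBIND
Jun 4 15:27:20 MyServer slapd[5866]: conn=1002 fd=14 closed
"""

# The conn=N identifier ties ACCEPT, BIND, RESULT and close lines together.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+) \(IP=\S+:(\d+)\)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)(?: text=(.*))?")
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed")

def summarize_connections(log_text):
    """Group slapd lines by connection id; record listener port, binds, results, close."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns[m[1]] = {"client": m[2], "port": int(m[3]), "binds": [], "closed": False}
        elif m := BIND_RE.search(line):
            conns[m[1]]["binds"].append({"op": m[2], "dn": m[3], "err": None, "text": ""})
        elif m := RESULT_RE.search(line):
            # Attach the result code to the bind with the same op number.
            for b in conns.get(m[1], {"binds": []})["binds"]:
                if b["op"] == m[2]:
                    b["err"], b["text"] = int(m[3]), (m[4] or "").strip()
        elif m := CLOSED_RE.search(line):
            conns[m[1]]["closed"] = True
    return conns

def diagnose(conn):
    """Heuristic classification of one connection (assumed labels, not slapd output)."""
    if conn["port"] == 636 and not conn["binds"]:
        return "ldaps accepted, no BIND: TLS never delivered an LDAP operation (check client CA trust / hostname)"
    if any(b["err"] == 13 for b in conn["binds"]):
        return "BIND refused: server requires confidentiality (TLS) for this bind"
    if any(b["err"] == 0 for b in conn["binds"]):
        return "BIND succeeded"
    return "no conclusive bind result"

if __name__ == "__main__":
    for cid, conn in summarize_connections(SAMPLE_LOG).items():
        print(f"conn={cid} port={conn['port']}: {diagnose(conn)}")
```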