我已经配置了一个 LDAP 服务器并创建了一个用户。ldapsearch 提供以下结果:
# user, People, brave-vesperia.com
dn: uid=masc,ou=People,dc=brave-vesperia,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: masc
cn: user user
sn: user
givenName: ###
title: Dr.
telephoneNumber: #####
mobile: #####
postalAddress: #####
userPassword:: e1NTSEF9QzVQNUp5R2h4NkZzVzRuUzlCZWdlcFlwaVVFWEk0Mno=
labeledURI: #####
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 9999
homeDirectory: /home/masc
description: Admin User
我已经在我的客户端上配置了 sssd,现在可以使用我的 ldap 帐户登录。但是,我得到的外壳是 /bin/sh。
这是我的sssd配置:
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = brave-vesperia.com
[domain/brave-vesperia.com]
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.brave-vesperia.com
ldap_search_base = dc=brave-vesperia,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ca.pem
chpass_provider = ldap
ldap_chpass_uri = ldap://ldap.brave-vesperia.com
entry_cache_timeout = 600
ldap_network_timeout = 2
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
这是输出getent masc passwd
masc:*:1001:1001::/home/masc:
/bin/sh不是/bin/bash. 我已经测试了 AlmaLinux 和 Ubuntu 客户端,因此不太可能与客户端相关。
搜索日志,我反复看到以下几行:
(2022-04-21 5:35:46): [be[brave-vesperia.com]] [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell
sssd_brave-vesperia.com.log:(2022-04-21 6:25:50): [be[brave-vesperia.com]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [[email protected]]
我已经解决了这个问题。由于 ldap 端的访问规则,无法访问 loginshell 属性。