Tôi đã thiết lập máy chủ LDAP với tài khoản người dùng. Tôi đã cấu hình thành công ứng dụng Rails để xác thực với máy chủ LDAP này. Bây giờ tôi đang cố gắng định cấu hình SSSD để xác thực với LDAP, nhưng nó không giống như mật khẩu người dùng cá nhân.
Lỗi:
$ su - leopetr4
Password:
su: incorrect password
SSSD nhận ra người dùng, nhưng không phải mật khẩu:
$ id leopetr4
uid=9583(leopetr4) gid=9583(leopetr4) groups=9583(leopetr4)
Đây là bản ghi người dùng trông như thế nào:
# ldapsearch -x -W -D "cn=admin,dc=my_domain,dc=com" -H ldaps://my_hostname.my_domain.com "(uid=leopetr4)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=my_domain,dc=com> (default) with scope subtree
# filter: (uid=leopetr4)
# requesting: ALL
#
# leopetr4, People, my_domain.com
dn: uid=leopetr4,ou=People,dc=my_domain,dc=com
uid: leopetr4
cn: Leo Petr 40
sn: 40
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowLastChange: 16736
shadowMin: 1
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 9583
gidNumber: 9583
homeDirectory: /mnt/home/leopetr4
mail: leo.petr+40@example.com
gecos: Leo Petr 40
userPassword:: e1NIQX1vUk5PMWozMXdtdDVIVkVhZmNtNWYvU1Jmam89
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Đây là mật khẩu người dùng băm sau khi giải mã Base64 ở trên:
{SHA}oRNO1j31wmt5HVEafcm5f/SRfjo=
Nó chính xác phù hợp với đầu ra của slappaswd -c {SHA} "that_password"
Đây là cấu hình SSSD:
# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP
debug_level = 5
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[domain/LDAP]
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://my_hostname.my_domain.com
ldap_search_base = dc=my_domain,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
debug_level = 5
Dưới đây là nhật ký SSSD khi tôi cố gắng su - leopetr4
:
# tail -f /var/log/secure /var/log/sssd/*.log
==> /var/log/sssd/sssd_LDAP.log <==
(Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=leopetr4]
(Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [sdap_save_user] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
==> /var/log/sssd/sssd.log <==
(Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging LDAP
(Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service LDAP replied to ping
(Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
==> /var/log/secure <==
Nov 30 12:32:12 my_domain su: pam_unix(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/3 ruser=leonsp rhost= user=leopetr4
==> /var/log/sssd/sssd_LDAP.log <==
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=leopetr4]
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_save_user] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_process_group_send] (0x0040): No Members. Done!
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_save_group] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: leopetr4
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: su-l
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: pts/3
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser: leonsp
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost:
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 1586655
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, <NULL>) [Success]
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [7][LDAP]
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [7][LDAP]
==> /var/log/secure <==
Nov 30 12:32:12 my_domain su: pam_sss(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/3 ruser=leonsp rhost= user=leopetr4
Nov 30 12:32:12 my_domain su: pam_sss(su-l:auth): received for user leopetr4: 7 (Authentication failure)
Đây là nhật ký máy chủ LDAP khi tôi cố gắng su - leopetr4
:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: slap_listener_activate(9):
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 busy
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: >>> slap_listener(ldaps:///)
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: listen=9, new connection on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: added 31r (active) listener=(nil)
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 ACCEPT from IP=256.256.256.256:29338 (IP=0.0.0.0:636)
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 2 descriptors
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]: 31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]: 31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): unable to get TLS client DN, error=49 id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 TLS established tls_ssf=256 ssf=256
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]: 31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: op tag 0x77, time 1448680868
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 do_extended
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Nov 27 21:21:08 my_hostname slapd[15353]: do_extended: oid=1.3.6.1.4.1.1466.20037
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 STARTTLS
Nov 27 21:21:08 my_hostname slapd[15353]: send_ldap_extended: err=1 oid= len=0
Nov 27 21:21:08 my_hostname slapd[15353]: send_ldap_response: msgid=1 tag=120 err=1
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 RESULT oid= err=1 text=TLS already started
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]: 31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: op tag 0x42, time 1448680868
Nov 27 21:21:08 my_hostname slapd[15353]: ber_get_next on fd 31 failed errno=0 (Success)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): input error=-2 id=3358, closing.
Nov 27 21:21:08 my_hostname slapd[15353]: connection_closing: readying conn=3358 sd=31 for close
Nov 27 21:21:08 my_hostname slapd[15353]: connection_close: deferring conn=3358 sd=31
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=1 do_unbind
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=1 UNBIND
Nov 27 21:21:08 my_hostname slapd[15353]: connection_resched: attempting closing conn=3358 sd=31
Nov 27 21:21:08 my_hostname slapd[15353]: connection_close: conn=3358 sd=31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: removing 31
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 closed
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:09 my_hostname slapd[15353]: 26r
Nov 27 21:21:09 my_hostname slapd[15353]:
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: read active on 26
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: connection_get(26)
Nov 27 21:21:09 my_hostname slapd[15353]: connection_get(26): got connid=3331
Nov 27 21:21:09 my_hostname slapd[15353]: connection_read(26): checking for input on id=3331
Nov 27 21:21:09 my_hostname slapd[15353]: op tag 0x63, time 1448680869
Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 do_search
Nov 27 21:21:09 my_hostname slapd[15353]: >>> dnPrettyNormal: <dc=my_domain,dc=com>
Nov 27 21:21:09 my_hostname slapd[15353]: <<< dnPrettyNormal: <dc=my_domain,dc=com>, <dc=my_domain,dc=com>
Nov 27 21:21:09 my_hostname slapd[15353]: SRCH "dc=my_domain,dc=com" 2 0
Nov 27 21:21:09 my_hostname slapd[15353]: 0 0 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: AND
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: AND
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: PRESENT
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: NOT
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: filter: (&(uid=leopetr4)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))
Nov 27 21:21:09 my_hostname slapd[15353]: attrs:
Nov 27 21:21:09 my_hostname slapd[15353]: objectClass
Nov 27 21:21:09 my_hostname slapd[15353]: uid
Nov 27 21:21:09 my_hostname slapd[15353]: userPassword
Nov 27 21:21:09 my_hostname slapd[15353]: uidNumber
Nov 27 21:21:09 my_hostname slapd[15353]: gidNumber
Nov 27 21:21:09 my_hostname slapd[15353]: gecos
Nov 27 21:21:09 my_hostname slapd[15353]: homeDirectory
Nov 27 21:21:09 my_hostname slapd[15353]: loginShell
Nov 27 21:21:09 my_hostname slapd[15353]: krbPrincipalName
Nov 27 21:21:09 my_hostname slapd[15353]: cn
Nov 27 21:21:09 my_hostname slapd[15353]: modifyTimestamp
Nov 27 21:21:09 my_hostname slapd[15353]: modifyTimestamp
Nov 27 21:21:09 my_hostname slapd[15353]: shadowLastChange
Nov 27 21:21:09 my_hostname slapd[15353]: shadowMin
Nov 27 21:21:09 my_hostname slapd[15353]: shadowMax
Nov 27 21:21:09 my_hostname slapd[15353]: shadowWarning
Nov 27 21:21:09 my_hostname slapd[15353]: shadowInactive
Nov 27 21:21:09 my_hostname slapd[15353]: shadowExpire
Nov 27 21:21:09 my_hostname slapd[15353]: shadowFlag
Nov 27 21:21:09 my_hostname slapd[15353]: krbLastPwdChange
Nov 27 21:21:09 my_hostname slapd[15353]: krbPasswordExpiration
Nov 27 21:21:09 my_hostname slapd[15353]: pwdAttribute
Nov 27 21:21:09 my_hostname slapd[15353]: authorizedService
Nov 27 21:21:09 my_hostname slapd[15353]: accountExpires
Nov 27 21:21:09 my_hostname slapd[15353]: userAccountControl
Nov 27 21:21:09 my_hostname slapd[15353]: nsAccountLock
Nov 27 21:21:09 my_hostname slapd[15353]: host
Nov 27 21:21:09 my_hostname slapd[15353]: loginDisabled
Nov 27 21:21:09 my_hostname slapd[15353]: loginExpirationTime
Nov 27 21:21:09 my_hostname slapd[15353]: loginAllowedTimeMap
Nov 27 21:21:09 my_hostname slapd[15353]: sshPublicKey
Nov 27 21:21:09 my_hostname slapd[15353]:
Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 SRCH base="dc=my_domain,dc=com" scope=2 deref=0 filter="(&(uid=leopetr4)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
Nov 27 21:21:09 my_hostname slapd[15353]: ==> limits_get: conn=3331 op=122 self="[anonymous]" this="dc=my_domain,dc=com"
Nov 27 21:21:09 my_hostname slapd[15353]: => hdb_search
Chỉnh sửa: Đây là /var/log/secure
một nỗ lực đăng nhập:
Nov 28 13:09:10 my_hostname su: pam_unix(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/1 ruser=leonsp rhost= user=leopetr4
Nov 28 13:09:10 my_hostname su: pam_sss(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/1 ruser=leonsp rhost= user=leopetr4
Nov 28 13:09:10 my_hostname su: pam_sss(su-l:auth): received for user leopetr4: 7 (Authentication failure)
Đây là cấu hình pam:
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=0 lcredit=-1 ocredit=0 type= reject_username
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_ldap.so
Cấu hình PAM LDAP:
# cat /etc/pam_ldap.conf | grep -v '^#' | grep -v '^$'
base dc=my_domain,dc=com
uri ldaps://my_hostname.my_domain.com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
Cũng thế:
# authconfig --test | grep hashing
password hashing algorithm is sha512
Chỉnh sửa 2 : Xác thực qua pamtester hoạt động, nhưng nó tiếp tục không hoạt động qua su:
[leonsp@my_hostname ~]$ pamtester login leopetr4 authenticate
Password:
pamtester: successfully authenticated
[leonsp@my_hostname ~]$ pamtester su leopetr4 authenticate
Password:
pamtester: Authentication failure
[leonsp@my_hostname ~]$ pamtester su-l leopetr4 authenticate
Password:
pamtester: successfully authenticated
Tại sao SSSD không cho phép tôi đăng nhập với tư cách người dùng này?
Có điều gì tôi cần làm để định cấu hình SSSD để khớp với các
{SHA}
giá trị băm cơ bản không?Làm cách nào để tìm ra sự khác biệt giữa xác thực
login
và xác thực chosu
/su-l
?
/var/log/secure
và pam chi tiết cấu hình cho câu hỏi
/var/log/secure
và /var/log/sssd/*.log
đầu ra cho su - leopetr4
.