/etc/pam_ldap.conf precisa conter as mesmas configurações de LDAP (uri, base, binddn/bindpw) que o nslcd.conf. O erro `pam_ldap: ldap_search_s No such object` em /var/log/secure vem do módulo pam_ldap, que faz a sua própria consulta ao servidor com a sua própria configuração, e não do nslcd — é por isso que `getent` e `su` (que, executados como root, só exercitam a resolução de nomes via NSS/nslcd) funcionam enquanto a autenticação por ssh falha. Como esse arquivo também passa a guardar o bindpw em texto claro, mantenha-o com dono root e sem leitura para outros usuários (ex.: modo 0600), como já recomenda o comentário do próprio nslcd.conf.
Quando faço ssh para o meu servidor CentOS 6 com a conta root, tudo funciona bem. Mas quando tento com um usuário LDAP, recebo "Permission denied".
Tentei fazer login como root e, em seguida, `su` para um usuário LDAP, para ver se o usuário existe e funciona. O `su` funciona e eu acabo no diretório home do usuário LDAP, então o UID e o home directory também estão sendo resolvidos. (Observação: `su` a partir do root não pede senha, portanto isso só testa a resolução de nomes via NSS, não a autenticação via PAM.) Imaginei que devia ser algo relacionado ao ssh, então olhei em /var/log/secure:
Feb 11 10:49:46 centosy sshd[1157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal user=tomas
Feb 11 10:49:46 centosy sshd[1157]: pam_ldap: ldap_search_s No such object
Feb 11 10:49:47 centosy sshd[1157]: Failed password for tomas from 172.16.0.179 port 47961 ssh2
Feb 11 10:50:16 centosy sshd[1158]: Connection closed by 172.16.0.179
Feb 11 10:50:31 centosy sshd[1159]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal user=tomas
Feb 11 10:50:31 centosy sshd[1159]: pam_ldap: ldap_search_s No such object
Pelo que vejo, ele diz que o usuário não existe na árvore LDAP, o que não é verdade. Quando executo `getent passwd` como root, vejo o usuário LDAP tomas sem problema, e consigo fazer `su` para ele normalmente. Qual é o problema real?
Para mostrar que o cliente CentOS não tem problemas em encontrar o usuário na árvore LDAP (note que o `-Z` abaixo falha com "unsupported extended operation" e, por ser `-Z` e não `-ZZ`, o ldapsearch continua a consulta em texto claro, incluindo a senha informada no prompt):
# ldapsearch -D "uid=tomas,ou=Users,dc=mosek,dc=zentyal" -Z -LLL -W uid=tomas
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
Enter LDAP Password:
dn: uid=tomas,ou=Users,dc=mosek,dc=zentyal
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: passwordHolder
objectClass: systemQuotas
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: shadowAccount
objectClass: zentyalSambaLink
uid: tomas
loginShell: /bin/bash
gidNumber: 1901
homeDirectory: /home/tomas
krb5PrincipalName: [email protected]
krb5MaxLife: 86400
krb5MaxRenew: 604800
krb5KDCFlags: 126
uidNumber: 3000044
msdsObjectGUID: 649ff009-ad48-41d5-abf8-2dafcd91024c
krb5KeyVersionNumber: 1
quota: 0
mail:
cn: Tomas Nielsen
givenName: Tomas
....
E aqui está o meu nslcd.conf:
# nslcd.conf — LDAP name-service configuration read by nslcd (nss-pam-ldapd).
# NOTE(review): only nslcd reads this file. The pam_ldap module that logs
# "ldap_search_s No such object" in /var/log/secure performs its own search
# and does not appear to go through nslcd, so it must be given the same
# server, base and bind credentials in its own configuration file.
#
# Plain ldap:// on a non-standard port; with "ssl no" below, the bind
# password and every lookup cross the network in cleartext.
uri ldap://172.16.0.5:390/
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name of the search base.
base dc=mosek,dc=zentyal
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# This read-only service account is what every lookup binds as (see
# ldap_simple_bind_s in the nslcd debug output).
binddn cn=zentyalro,dc=mosek,dc=zentyal
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
# SECURITY: this is a plaintext password. Keep the file root-owned and not
# world-readable (e.g. mode 0600), and replace the value before posting the
# file anywhere.
bindpw secretPassword
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
# The default search scope.
scope sub
#scope one
#scope base
# Customize certain database lookups.
# Per-map search bases: the debug output shows passwd/shadow lookups scoped
# to ou=Users and group lookups to ou=Groups.
base group ou=Groups,dc=mosek,dc=zentyal
base passwd ou=Users,dc=mosek,dc=zentyal
base shadow ou=Users,dc=mosek,dc=zentyal
# Unprivileged user/group nslcd drops to after start-up (the setgid/setuid
# lines in the debug output).
uid nslcd
gid ldap
# No TLS at all. StartTLS was rejected by this port ("unsupported extended
# operation" from ldapsearch -Z), so switching to "ssl start_tls" here would
# need the server side fixed first; "ssl on" is typically paired with an
# ldaps:// URI instead. Until then, treat the bind password and user lookups
# as exposed to anyone on the path to 172.16.0.5.
ssl no
# Certificate directory handed to the LDAP library at start-up
# (ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR) in the debug output); it only
# matters once TLS is actually negotiated.
tls_cacertdir /etc/openldap/cacerts
Então executei o nslcd em modo de depuração e obtive isto:
# nslcd -d
nslcd: DEBUG: add_uri(ldap://172.16.0.5:390)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
nslcd: version 0.7.5 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(tomas)
nslcd: [8b4567] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_group_bymember(tomas)
nslcd: [7b23c6] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [7b23c6] DEBUG: myldap_search(base="ou=Groups,dc=mosek,dc=zentyal", filter="(&(objectClass=posixGroup)(|(memberUid=tomas)(uniqueMember=uid=tomas,ou=Users,dc=mosek,dc=zentyal)))")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [3c9869] DEBUG: nslcd_passwd_byname(tomas)
nslcd: [3c9869] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [3c9869] DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [3c9869] DEBUG: ldap_result(): end of results
nslcd: [334873] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [334873] DEBUG: nslcd_passwd_byname(tomas)
nslcd: [334873] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [334873] DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [334873] DEBUG: ldap_result(): end of results
nslcd: [b0dc51] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [b0dc51] DEBUG: nslcd_shadow_byname(tomas)
nslcd: [b0dc51] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=shadowAccount)(uid=tomas))")
nslcd: [b0dc51] DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [b0dc51] DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [b0dc51] DEBUG: ldap_result(): end of results
nslcd: [495cff] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [495cff] DEBUG: nslcd_passwd_byname(tomas)
nslcd: [495cff] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [495cff] DEBUG: ldap_result(): end of results
nslcd: [e8944a] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [e8944a] DEBUG: nslcd_passwd_byname(tomas)
nslcd: [e8944a] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [e8944a] DEBUG: ldap_result(): end of results
nslcd: [5558ec] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [5558ec] DEBUG: nslcd_passwd_byname(tomas)
nslcd: [5558ec] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [5558ec] DEBUG: ldap_result(): end of results
Não consigo entender o que esse log está dizendo. (Note que todas as consultas na saída de depuração vêm do nslcd, fazendo bind como cn=zentyalro e pesquisando em ou=Users,dc=mosek,dc=zentyal; já o erro em /var/log/secure vem de pam_ldap, que aparentemente não passa por esse daemon.)