NSLCD only connects to the LDAP server in debug mode

2

Hi everyone, I searched stackexchange a bit but couldn't find help for my problem.

I'm trying to integrate LDAP authentication on a CentOS 7 client, but I can't get it to work and can't figure out why. Here is some information:

I did a clean install of CentOS 7

went into /etc/sysconfig/authconfig and changed

FORCELEGACY=no

to

FORCELEGACY=yes

So authconfig does not use SSSD, because I won't be using TLS/SSL for my connection, which as far as I understand is a requirement for using SSSD.

I ran authconfig-tui to fill in /etc/openldap/ldap.conf

SASL_NOCANON    on
URI ldap://172.16.0.5:390
BASE dc=mosek,dc=zentyal

then I went into /etc/nslcd.conf and filled it in manually

uid nslcd
gid ldap

uri ldap://172.16.0.5:390

ldap_version 3

base dc=mosek,dc=zentyal

binddn cn=zentyalro,dc=mosek,dc=zentyal
bindpw secret

scope sub
base   group  ou=Groups,dc=mosek,dc=zentyal
base   passwd ou=Users,dc=mosek,dc=zentyal
base   shadow ou=Users,dc=mosek,dc=zentyal

ssl no

I ran authconfig-tui again to make sure nslcd picked up the new settings

I checked my /etc/nsswitch.conf to see whether it was configured correctly:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

I tried to log in, but it wouldn't let me. So I checked /var/log/messages and found:

Nov 27 12:48:01 localhost systemd: Starting Naming services LDAP client daemon....
Nov 27 12:48:01 localhost systemd: PID file /var/run/nslcd/nslcd.pid not readable (yet?) after start.
Nov 27 12:48:01 localhost nslcd[10991]: version 0.8.13 starting
Nov 27 12:48:01 localhost nslcd[10991]: accepting connections
Nov 27 12:48:01 localhost systemd: Started Naming services LDAP client daemon..
Nov 27 12:49:10 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:10 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:11 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:11 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:12 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:12 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:13 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:13 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:14 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:14 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:15 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:15 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:16 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:16 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:17 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:17 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:18 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:18 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:49:19 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:19 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:52:23 localhost nslcd[10991]: [7b23c6] <passwd="tomas"> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:52:23 localhost nslcd[10991]: [7b23c6] <passwd="tomas"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:52:26 localhost nslcd[10991]: [3c9869] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Nov 27 12:52:26 localhost nslcd[10991]: [334873] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Nov 27 12:52:26 localhost nslcd[10991]: [b0dc51] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Nov 27 12:53:59 localhost nslcd[10991]: [495cff] <passwd="tomas"> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:53:59 localhost nslcd[10991]: [495cff] <passwd="tomas"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:54:02 localhost nslcd[10991]: [e8944a] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Nov 27 12:54:02 localhost nslcd[10991]: [5558ec] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Nov 27 12:54:02 localhost nslcd[10991]: [8e1f29] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected

my /var/log/secure looks like this:

Nov 27 12:37:34 localhost sshd[10926]: Invalid user tomas from 172.16.0.179
Nov 27 12:37:34 localhost sshd[10926]: input_userauth_request: invalid user tomas [preauth]
Nov 27 12:37:39 localhost sshd[10926]: pam_unix(sshd:auth): check pass; user unknown
Nov 27 12:37:39 localhost sshd[10926]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal
Nov 27 12:37:41 localhost sshd[10926]: Failed password for invalid user tomas from 172.16.0.179 port 37863 ssh2
Nov 27 12:37:44 localhost sshd[10926]: Connection closed by 172.16.0.179 [preauth]
Nov 27 12:52:23 localhost sshd[11004]: Invalid user tomas from 172.16.0.179
Nov 27 12:52:23 localhost sshd[11004]: input_userauth_request: invalid user tomas [preauth]
Nov 27 12:52:26 localhost sshd[11004]: pam_unix(sshd:auth): check pass; user unknown
Nov 27 12:52:26 localhost sshd[11004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal
Nov 27 12:52:28 localhost sshd[11004]: Failed password for invalid user tomas from 172.16.0.179 port 38262 ssh2
Nov 27 12:52:30 localhost sshd[11004]: Connection closed by 172.16.0.179 [preauth]
Nov 27 12:53:59 localhost sshd[11014]: Invalid user tomas from 172.16.0.179
Nov 27 12:53:59 localhost sshd[11014]: input_userauth_request: invalid user tomas [preauth]
Nov 27 12:54:02 localhost sshd[11014]: pam_unix(sshd:auth): check pass; user unknown
Nov 27 12:54:02 localhost sshd[11014]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal
Nov 27 12:54:04 localhost sshd[11014]: Failed password for invalid user tomas from 172.16.0.179 port 38274 ssh2
Nov 27 12:54:06 localhost sshd[11014]: Connection closed by 172.16.0.179 [preauth]
Nov 27 13:18:38 localhost unix_chkpwd[11120]: check pass; user unknown
Nov 27 13:18:38 localhost unix_chkpwd[11120]: password check failed for user (tomas)
Nov 27 13:18:38 localhost sshd[11118]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal  user=tomas
Nov 27 13:18:38 localhost unix_chkpwd[11121]: could not obtain user info (tomas)
Nov 27 13:18:38 localhost sshd[11118]: Failed password for tomas from 172.16.0.179 port 38466 ssh2
Nov 27 13:18:38 localhost sshd[11118]: fatal: Access denied for user tomas by PAM account configuration [preauth]
Nov 27 13:22:09 localhost unix_chkpwd[11143]: check pass; user unknown
Nov 27 13:22:09 localhost unix_chkpwd[11143]: password check failed for user (tomas)
Nov 27 13:22:09 localhost sshd[11141]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal  user=tomas
Nov 27 13:22:09 localhost unix_chkpwd[11144]: could not obtain user info (tomas)
Nov 27 13:22:09 localhost sshd[11141]: Failed password for tomas from 172.16.0.179 port 38501 ssh2
Nov 27 13:22:09 localhost sshd[11141]: fatal: Access denied for user tomas by PAM account configuration [preauth]

And I found this very strange, because I have an Ubuntu client that connects just fine to that address: 172.16.0.5:390

I tried running nslcd in debug mode and tried to log in again; what I saw when I tried to log in drove me crazy:

$ ssh tomas@centosy
tomas@centosy's password: 
Connection closed by 172.16.0.188
nslcd: [8b4567] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [8b4567] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [8b4567] <passwd="tomas"> (re)loading /etc/nsswitch.conf
nslcd: [8b4567] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [7b23c6] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [7b23c6] <group/member="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [7b23c6] <group/member="tomas"> DEBUG: myldap_search(base="ou=Groups,dc=mosek,dc=zentyal", filter="(&(objectClass=posixGroup)(|(memberUid=tomas)(member=uid=tomas,ou=Users,dc=mosek,dc=zentyal)))")
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): cn=__USERS__,ou=Groups,dc=mosek,dc=zentyal
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): cn=Domain Admins,ou=Groups,dc=mosek,dc=zentyal
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): cn=staff,ou=Groups,dc=mosek,dc=zentyal
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): cn=admins,ou=Groups,dc=mosek,dc=zentyal
nslcd: [7b23c6] <group/member="tomas"> DEBUG: ldap_result(): end of results (4 total)
nslcd: [3c9869] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [3c9869] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [3c9869] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [3c9869] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [334873] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [334873] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [334873] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [334873] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b0dc51] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [b0dc51] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [b0dc51] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [b0dc51] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [495cff] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [495cff] <authc="tomas"> DEBUG:     nslcd_pam_authc("tomas","sshd","***")
nslcd: [495cff] <authc="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_rebind_proc()
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [495cff] <authc="tomas"> DEBUG: myldap_search(base="uid=tomas,ou=Users,dc=mosek,dc=zentyal", filter="(objectClass=*)")
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_rebind_proc()
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_simple_bind_s("uid=tomas,ou=Users,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_unbind()
nslcd: [495cff] <authc="tomas"> DEBUG: bind successful
nslcd: [495cff] <authc="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=shadowAccount)(uid=tomas))")
nslcd: [495cff] <authc="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [e8944a] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [e8944a] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_rebind_proc()
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [e8944a] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [5558ec] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [5558ec] <passwd="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [5558ec] <passwd="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [5558ec] <passwd="tomas"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [8e1f29] DEBUG: connection from pid=11118 uid=0 gid=0
nslcd: [8e1f29] <authz="tomas"> DEBUG:     nslcd_pam_authz("tomas","sshd","","harbinger.mosek.zentyal","ssh")
nslcd: [8e1f29] <authz="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_rebind_proc()
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal
nslcd: [8e1f29] <authz="tomas"> DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=shadowAccount)(uid=tomas))")
nslcd: [8e1f29] <authz="tomas"> DEBUG: ldap_result(): uid=tomas,ou=Users,dc=mosek,dc=zentyal

so nslcd can only contact the ldap server in debug mode. When I try to start nslcd it fails because it can't contact the server, but as you can see, in debug mode it connects fine.

What could be wrong?

by Tomas 20.11.2014 / 09:35
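Reading the two logs side by side is the useful check here: sshd's "Invalid user" and unix_chkpwd's "could not obtain user info" mean the NSS lookup for the account failed, so no password was ever compared, and the nslcd "failed to bind" lines say why. The script below is an added example, not code from the question or from nslcd; it runs over a few constructed lines shaped like the excerpts above and classifies the failure as an NSS/LDAP-reachability problem rather than a PAM or credential one.

```python
import re
from collections import Counter

# Constructed sample input: a handful of lines shaped like the /var/log/messages
# and /var/log/secure excerpts in the question, not the complete logs.
MESSAGES = """\
Nov 27 12:49:10 localhost nslcd[10991]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:49:10 localhost nslcd[10991]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Nov 27 12:52:23 localhost nslcd[10991]: [7b23c6] <passwd="tomas"> failed to bind to LDAP server ldap://172.16.0.5:390: Can't contact LDAP server: Transport endpoint is not connected
Nov 27 12:52:26 localhost nslcd[10991]: [3c9869] <passwd="tomas"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
"""

SECURE = """\
Nov 27 12:52:23 localhost sshd[11004]: Invalid user tomas from 172.16.0.179
Nov 27 12:52:26 localhost sshd[11004]: pam_unix(sshd:auth): check pass; user unknown
Nov 27 12:52:28 localhost sshd[11004]: Failed password for invalid user tomas from 172.16.0.179 port 38262 ssh2
Nov 27 13:18:38 localhost unix_chkpwd[11121]: could not obtain user info (tomas)
Nov 27 13:18:38 localhost sshd[11118]: Failed password for tomas from 172.16.0.179 port 38466 ssh2
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
BIND_FAIL_RE = re.compile(r"failed to bind to LDAP server (?P<uri>\S+?): (?P<err>.*)$")
INVALID_USER_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")
NO_USERINFO_RE = re.compile(r"could not obtain user info \((?P<user>[^)]+)\)")


def parse_syslog(text):
    """Split syslog text into dicts (ts, host, prog, pid, msg); unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def nslcd_bind_failures(records):
    """Count nslcd 'failed to bind' events per (server URI, libldap error text)."""
    failures = Counter()
    for r in records:
        if r["prog"] != "nslcd":
            continue
        m = BIND_FAIL_RE.search(r["msg"])
        if m:
            failures[(m["uri"], m["err"])] += 1
    return failures


def unresolved_users(records):
    """Users that sshd / unix_chkpwd could not resolve through NSS at all.

    'Invalid user X' and 'could not obtain user info (X)' mean getpwnam() failed;
    the password was never compared, so these are not credential failures.
    """
    users = set()
    for r in records:
        if r["prog"] == "sshd":
            m = INVALID_USER_RE.match(r["msg"])
        elif r["prog"] == "unix_chkpwd":
            m = NO_USERINFO_RE.search(r["msg"])
        else:
            m = None
        if m:
            users.add(m["user"])
    return users


def triage(messages_text, secure_text):
    """Decide whether the login failure is an NSS/LDAP-reachability problem or a PAM one."""
    binds = nslcd_bind_failures(parse_syslog(messages_text))
    unknown = unresolved_users(parse_syslog(secure_text))
    if binds and unknown:
        verdict = "nss"         # nslcd cannot reach LDAP, so the user never resolves
    elif unknown:
        verdict = "nss-config"  # nslcd binds fine but lookups still fail: bases / nsswitch
    else:
        verdict = "pam"         # user resolves; look at the PAM stack or the password
    return {"bind_failures": binds, "unresolved_users": unknown, "verdict": verdict}


if __name__ == "__main__":
    result = triage(MESSAGES, SECURE)
    for (uri, err), n in result["bind_failures"].items():
        print(f"{n:3d}x bind failure to {uri}: {err}")
    print("unresolved users:", sorted(result["unresolved_users"]))
    print("verdict:", result["verdict"])
```

On the question's logs this yields the "nss" verdict: every "Invalid user tomas" in /var/log/secure lines up with an nslcd bind failure to ldap://172.16.0.5:390, so the server, the network path or something confining nslcd on the client is where to look, not the password or the PAM stack.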

3 answers

0

I solved the problem

I went in and disabled selinux by going to /etc/selinux/config and setting SELINUX=disabled

I did a quick reboot and was able to log in, no problem

by 04.12.2014 / 09:42
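SELINUX=disabled makes the symptom go away by lifting the confinement of nslcd altogether, and it also fits the original observation: a daemon started by hand from an unconfined root shell commonly stays unconfined, while the systemd-started instance runs in its own domain and is subject to policy. The narrower alternative is to read the AVC denial and fix only what it names. The script below is an added example, not from this answer; the audit.log records in it are constructed, and the assumption that the denial is a name_connect to TCP port 390 (a port carrying no ldap_port_t label, which is what nslcd_t is permitted to reach) is mine, since the thread never shows the actual denial.

```python
import re

# Constructed sample audit.log records (the thread shows no audit log). They model
# what SELinux would record if nslcd_t were refused a TCP connect to a port that is
# not labelled ldap_port_t, plus a file denial and an unrelated USER_AUTH record so
# the filter has something to skip. Port 390 / reserved_port_t is an assumption.
AUDIT_LOG = """\
type=AVC msg=audit(1417700011.123:4021): avc:  denied  { name_connect } for  pid=11118 comm="nslcd" dest=390 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1417700011.124:4022): avc:  denied  { read } for  pid=11118 comm="nslcd" name="nslcd.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=USER_AUTH msg=audit(1417700012.000:4023): pid=11004 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="tomas" exe="/usr/sbin/sshd" hostname=172.16.0.179 addr=172.16.0.179 terminal=ssh res=failed'
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text, comm=None):
    """Return one dict per AVC denial in audit.log text, optionally only for one comm."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # not a denial record (USER_AUTH, SYSCALL, ...): skip it
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["fields"])}
        fields["perms"] = m["perms"].split()
        if comm is None or fields.get("comm") == comm:
            denials.append(fields)
    return denials


def context_type(ctx):
    """Type field of an SELinux context: system_u:system_r:nslcd_t:s0 -> nslcd_t."""
    return ctx.split(":")[2]


def recommend(denial):
    """Narrowest fix for one denial; turning SELinux off is deliberately not on the list."""
    perms = denial["perms"]
    tclass = denial.get("tclass")
    if tclass == "tcp_socket" and "name_connect" in perms:
        # nslcd_t may connect to ldap_port_t; a non-default LDAP port needs that label
        return f"semanage port -a -t ldap_port_t -p tcp {denial['dest']}"
    if tclass in ("file", "dir", "lnk_file"):
        # wrong file label (e.g. a config copied out of /root): restore the policy default.
        # The AVC carries only the basename, so the directory is a placeholder here.
        return f"restorecon -v /path/to/{denial.get('name', 'object')}"
    return f"ausearch -m avc -c {denial.get('comm', '')}  # inspect; no generic fix"


def plan(text, comm="nslcd"):
    """(source domain, denied permissions, suggested fix) for every denial of `comm`."""
    return [
        (context_type(d["scontext"]), " ".join(d["perms"]), recommend(d))
        for d in parse_avc(text, comm)
    ]


if __name__ == "__main__":
    for dom, perms, fix in plan(AUDIT_LOG):
        print(f"{dom} denied {{ {perms} }} -> {fix}")
```

On a real host the input would come from /var/log/audit/audit.log (or ausearch -m avc -c nslcd); the point is that each denial maps to a one-line, reversible policy adjustment, and the daemon stays confined.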
1

This is how we did it on our boxes, so be warned, it may not apply to your setup.

Some caveats:

  • Our server has a valid CA-signed certificate; don't forget to modify ldap_tls_cacert if yours has a self-signed certificate (which is bad (tm) anyway).

  • We use LDAP to provide sudo rules; leave that out if you don't want it.

  • You may want to set ldap_group_search_base and ldap_search_base as well, to limit sssd's search to valid users/groups only. The same goes for ldap_sudo_search_base.

  • Make sure to set ldap_user_member_of to match your directory server's group membership attribute on the user side. (It's groupmembership for eDirectory)

  • Don't forget to set ldap_access_filter to restrict access to your system(s). Otherwise, every valid user can log in to your box.

  • Check the user's LDAP data before hunting for errors on the sssd or PAM side of the login process.

  • Make sure the permissions on /etc/sssd/sssd.conf are set to 0600.

In our case, my user has these attributes set for LDAP login:

objectClass: posixAccount
groupMembership: cn=group1,...
groupMembership: cn=group2,...
uid: fuero
uidNumber: 10000
gidNumber: 19999
homeDirectory: /home/fuero

/etc/sssd/sssd.conf

[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://your.ldap-server.tld:636
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=your-bind-user
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = your_password_hash
ldap_schema = rfc2307bis
cache_credentials = false
enumerate = false

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default

[nss]

[pam]

[sudo]

[autofs]

[ssh]

nsswitch.conf configuration to use sssd:

# grep sss /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files sss
netgroup:   files sss
sudoers: files sss

Check:

# id fuero
uid=100000(fuero) gid=19999(users) groups=20000(group1),20000(group2)

Configure PAM in /etc/pam.d/system-auth-ac:

#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
**auth        sufficient    pam_sss.so use_first_pass**
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
**account     [default=bad success=ok user_unknown=ignore]    pam_sss.so**
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
**session optional        pam_sss.so
session required        pam_mkhomedir.so        umask=0077**
by 20.11.2014 / 10:56
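The caveats in this answer are all checkable from the file itself. As an added example (not from this answer or from the sssd project), the Python below audits an sssd.conf with configparser for the points made above: the file mode, TLS on the wire and certificate verification, an access filter whenever access_provider = ldap, explicit search bases, and how the bind token is stored. It runs against the answer's own [domain/default] section, which has no ldap_access_filter and no search bases, and against a hardened variant whose DNs are constructed placeholders.

```python
import configparser
import stat

# Constructed sample: the answer's [domain/default] and [sssd] sections reproduced
# inline so the checks run offline. As written it has no ldap_access_filter and no
# search bases, two of the caveats the answer itself lists.
SSSD_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://your.ldap-server.tld:636
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=your-bind-user
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = your_password_hash
ldap_schema = rfc2307bis
cache_credentials = false
enumerate = false

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
"""

# Hardened variant (constructed): the same file plus an access filter and explicit
# search bases. The DNs are placeholders, not values from the thread.
SSSD_CONF_HARDENED = SSSD_CONF.replace(
    "access_provider = ldap\n",
    "access_provider = ldap\n"
    "ldap_access_filter = (memberOf=cn=ssh-users,ou=Groups,dc=example,dc=tld)\n"
    "ldap_search_base = ou=Users,dc=example,dc=tld\n"
    "ldap_group_search_base = ou=Groups,dc=example,dc=tld\n",
)


def audit_sssd(conf_text, file_mode=0o600):
    """Return findings (strings) for an sssd.conf given as text plus its file mode bits.

    Where a key is absent the sssd-ldap(5) defaults are assumed: ldap_tls_reqcert=hard,
    ldap_id_use_start_tls=false, ldap_default_authtok_type=password, access_provider=permit.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = []

    mode = stat.S_IMODE(file_mode)
    if mode & 0o077:
        findings.append(f"sssd.conf mode {oct(mode)} is group/world accessible; it holds the bind token, use 0600")

    for sect in (s for s in cp.sections() if s.startswith("domain/")):
        d = cp[sect]
        uri = d.get("ldap_uri", "")
        if uri.startswith("ldap://") and not d.getboolean("ldap_id_use_start_tls", fallback=False):
            findings.append(f"{sect}: plaintext ldap:// without ldap_id_use_start_tls; passwords cross the wire in the clear")
        reqcert = d.get("ldap_tls_reqcert", "hard")
        if reqcert not in ("demand", "hard"):
            findings.append(f"{sect}: ldap_tls_reqcert={reqcert} accepts an unverified server certificate")
        access = d.get("access_provider", "permit")
        if access == "permit":
            findings.append(f"{sect}: access_provider is permit; any resolvable user may log in")
        elif access == "ldap" and not d.get("ldap_access_filter"):
            findings.append(f"{sect}: access_provider=ldap but ldap_access_filter is unset; no LDAP-side access restriction")
        for key in ("ldap_search_base", "ldap_group_search_base"):
            if not d.get(key):
                findings.append(f"{sect}: {key} unset; lookups are not scoped to a subtree")
        if d.get("ldap_default_authtok") and d.get("ldap_default_authtok_type", "password") == "password":
            findings.append(f"{sect}: ldap_default_authtok stored as a cleartext password")
    return findings


if __name__ == "__main__":
    for label, text, mode in (("answer", SSSD_CONF, 0o600),
                              ("hardened", SSSD_CONF_HARDENED, 0o600),
                              ("hardened, loose mode", SSSD_CONF_HARDENED, 0o644)):
        print(f"== {label}")
        for finding in audit_sssd(text, mode) or ["no findings"]:
            print("  -", finding)
```

Against a live file, pass os.stat("/etc/sssd/sssd.conf").st_mode as file_mode; the mode check is separated from the parse so the text can also come from a configuration-management template before it reaches a host.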
0

The culprit seems to be systemd. Try running nslcd and you'll see it works.

When you start nslcd via systemctl, it spawns a new process when you try to query nslcd. In the messages I see:

Dec  3 19:53:33 myhostname nslcd[2227]: [8b4567] <passwd="myuser"> problem closing server socket (ignored): Bad file descriptor
Dec  3 19:53:33 myhostname nslcd[2227]: [8b4567] <passwd="myuser"> version 0.8.13 bailing out

I still don't understand the root cause, but systemctl has something to do with it.

I have another system that I set up before this one and it is working; its systemctl is systemd-208-11.el7_0.2.x86_64, while the new one that is NOT working is systemd-208-11.el7_0.4.x86_64.

by 03.12.2014 / 21:09
