LDAP login fails, but su to LDAP users works


I have a new LDAP setup and I am trying to log in, either directly on the machine or remotely via SSH.

When I actually try to log in, my authentication fails.

If I log in with a local user (root), then I succeed. Once I am logged in, I have no problem issuing su user and switching to that user.

Running getent passwd returns all the valid users.

Any help?

The logs show:

Apr 10 11:50:00 ldaptest login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=user
Apr 10 11:50:00 ldaptest login: pam_ldap: error trying to bind (No such object)
Apr 10 11:50:03 ldaptest login: FAILED LOGIN 1 FROM (null) FOR user, Authentication failure

Thanks!

[root@ldaptest ~]# cat /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap

hosts:      files dns  

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus
sudoers:    ldap

and

[root@ldaptest ~]# cat /etc/pam_ldap.conf 
base dc=ops,dc=rm
rootbinddn cn=Directory Manager,dc=ops,dc=rm
uri ldaps://10.0.32.75
ssl no
TLS_REQCERT allow 
tls_cacertdir /etc/openldap/cacerts 
pam_password md5
suoders_base ou=Sudoers,dc=ops,dc=rm

and

[root@ldaptest ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        required      pam_deny.so
 auth       sufficient    pam_ldap.so use_first_pass

 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     required      pam_permit.so
 account        [default=bad success=ok user_unknown=ignore]  pam_ldap.so

 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    required      pam_deny.so
 password    sufficient       pam_ldap.so use_authtok

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 session        optional      pam_ldap.so
 session        required      pam_mkhomedir.so skel=/etc/skel umask=0077

and

[root@ldaptest ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        sufficient    pam_ldap.so use_first_pass

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     [default=bad success=ok user_unknown=ignore]  pam_ldap.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
password    sufficient    pam_ldap.so use_authtok

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     optional      pam_ldap.so

And finally ....

[root@ldaptest ~]# cat /etc/pam.d/password-auth-ac 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        required      pam_deny.so
 auth       sufficient    pam_ldap.so use_first_pass

 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     required      pam_permit.so
 account     [default=bad success=ok user_unknown=ignore]  pam_ldap.so

 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    required      pam_deny.so
 password    sufficient    pam_ldap.so use_authtok

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 session        optional      pam_mkhomedir.so skel=/etc/skel umask=0077
 session        optional      pam_ldap.so
by Tom 10.04.2014 / 20:51

1 answer


required pam_deny.so has to be the last line in each section.

by 10.04.2014 / 21:27
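To see why the ordering matters, here is an added example (not code from the original question or answer) that simulates Linux-PAM control-flag semantics over the posted auth stack and over the same stack with pam_deny.so moved to the end. The module outcomes for the LDAP-only user are constructed assumptions: pam_unix.so fails because the user has no local password entry, pam_deny.so always fails, and pam_ldap.so succeeds.

```python
# Added example (not from the original post): a small simulator of Linux-PAM
# control-flag semantics, applied to the "auth" section posted in the question,
# to show why an LDAP user is rejected when "auth required pam_deny.so" sits
# above "auth sufficient pam_ldap.so", and accepted once pam_deny.so is last.

AUTH_STACK_POSTED = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        sufficient    pam_ldap.so use_first_pass
"""

# Same lines with pam_deny.so moved to the end of the section, as the answer advises.
AUTH_STACK_FIXED = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""

def parse_stack(text, section="auth"):
    """Return [(control, module)] for one PAM section, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#") and parts[0] == section:
            entries.append((parts[1], parts[2]))
    return entries

def run_stack(entries, module_results):
    """Simplified Linux-PAM semantics (simple control keywords only).
    module_results maps module -> True (PAM_SUCCESS) or False (PAM_AUTH_ERR).
    required  : a failure is remembered, but the rest of the stack still runs
    requisite : a failure ends the stack immediately
    sufficient: a success ends the stack, unless a required module already failed
    Returns (authenticated, modules_consulted)."""
    failed = False
    consulted = []
    for control, module in entries:
        ok = module_results.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            failed = True
        if control == "sufficient" and ok and not failed:
            return True, consulted
    return not failed, consulted

# Constructed outcomes for an LDAP-only user (uid >= 500) with a correct password.
LDAP_USER = {"pam_env.so": True, "pam_unix.so": False,
             "pam_succeed_if.so": True, "pam_deny.so": False, "pam_ldap.so": True}

def login(stack_text, results=LDAP_USER):
    return run_stack(parse_stack(stack_text), results)[0]
```

With the posted order, pam_ldap.so is still run (which is why its bind error shows up in the log), but its success cannot override the failure already recorded by the required pam_deny.so above it.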