Visão geral do problema
O Solaris 11 foi configurado para usar pam_ldap para autenticar usuários em um servidor de diretórios compatível com LDAP v3. O host Solaris está configurado apenas para usar o LDAP para autenticação; ele não está configurado para usar o LDAP como um serviço de nomenclatura.
Quando um usuário válido tenta enviar ssh para o host Solaris, o módulo pam_ldap envia uma solicitação BIND ao servidor LDAP e obtém uma resposta de sucesso. No entanto, o Solaris ainda nega o acesso do usuário.
Problema a ser resolvido: Como posso concluir minha configuração do PAM para permitir que os usuários se autentiquem no host Solaris via ssh usando suas identidades LDAP?
O usuário é um usuário válido que existe no host (nos arquivos / etc / passwd e / etc / shadow) e no LDAP. A conta não está bloqueada no LDAP e o usuário pode autenticar corretamente (BIND) para o LDAP:
$ldapsearch -h <REMOVED> -p 389 -b ou=people,o=som,dc=com -D "uid=testuser,ou=people,o=som,dc=com" -W uid=testuser LDAP Password:
dn: uid=testuser,ou=People,o=som,dc=com
uid: testuser
cn: Test User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowInactive: 7
loginShell: /bin/bash
uidNumber: 1176
homeDirectory: /home/testuser
gecos: Test User
gidnumber: 501
shadowmax: 91
shadowmin: 7
shadowwarning: 28
userpassword:: <REMOVED>
shadowflag: 22352
shadowlastchange: 16115
Informações de depuração
No servidor LDAP, você pode ver o usuário autenticado com êxito:
Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:59874--connectionID: 88496--received: 2014-02-17-10:53:02.324-5:00--Success
base: ou=people,o=som,dc=com
scope: singleLevel
derefAliases: derefAlways
typesOnly: false
filter: (&(objectclass=SOLARISUSERATTR)(uid=testuser))
attributes: uid, SolarisUserQualifier, SolarisAttrReserved1, SolarisAttrReserved2, SolarisAttrKeyValue
numberOfEntriesReturned: 0
AuditV3--2014-02-17-10:53:02.332-5:00--V3 Bind--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:22262--connectionID: 103359--received: 2014-02-17-10:53:02.332-5:00--Success
name: cn=proxyAgent,ou=Profile,o=som,dc=com
authenticationChoice: simple
Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:22262--connectionID: 103359--received: 2014-02-17-10:53:02.333-5:00--Success
base: ou=people,o=som,dc=com
scope: singleLevel
derefAliases: derefAlways
typesOnly: false
filter: (&(objectclass=POSIXACCOUNT)(uid=testuser))
numberOfEntriesReturned: 1
**Bind--bindDN: uid=testuser,ou=People,o=som,dc=com--client: <REMOVED>:12241--connectionID: 103360--received: 2014-02-17-10:53:02.335-5:00--Success
name: uid=testuser,ou=People,o=som,dc=com
authenticationChoice: simple**
Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:59874--connectionID: 88496--received: 2014-02-17-10:53:02.985-5:00--Success
base: ou=people,o=som,dc=com
scope: singleLevel
derefAliases: derefAlways
typesOnly: false
filter: (&(objectclass=POSIXACCOUNT)(uidnumber=10011))
attributes: cn, uid, uidNumber, gidNumber, gecos, description, homeDirectory, loginShell
numberOfEntriesReturned: 1
O logon no cliente host Solaris mostra que o módulo LDAP do PAM enviou as credenciais do usuário. No entanto, enquanto o servidor LDAP retornou um sucesso na operação BIND, o Solaris reportou falha na autenticação. Observe o uso de sshd-kbdinit :
[auth.info] reprocess config line 160: ignoring RhostsRSAAuthentication option value. SSHv1 protocol is no longer supported in the server, please remove the option.
[auth.info] reprocess config line 167: ignoring RSAAuthentication option value. SSHv1 protocol is no longer supported in the server, please remove the option.
[auth.notice] Failed none for test user from <REMOVED> port 54650 ssh2
[auth.debug] ldap pam_sm_authenticate(sshd-kbdint testuser), flags = 1
[auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
[auth.notice] Failed keyboard-interactive for test user from <REMOVED> port 54650 ssh2
[auth.info] Connection closed by <REMOVED>
Detalhes da configuração
Solaris Host Client
/ etc / ssh / sshd_config
Protocol 2
Port 22
ListenAddress ::
AllowTcpForwarding no
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
MaxStartups 30:60:120
Banner /etc/issue
PrintMotd no
KeepAlive yes
ClientAliveInterval 120
ClientAliveCountMax 60
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 600
MaxAuthTries 3
MaxAuthTriesLog 0
PermitEmptyPasswords no
PasswordAuthentication yes
PAMAuthenticationViaKBDInt yes
PermitRootLogin yes
Subsystem sftp /usr/lib/ssh/sftp-server
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
KbdInteractiveAuthentication yes
ldapclient utiliza um perfil ldapclient do servidor.
$ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyAgent,ou=Profile,o=som,dc=com
NS_LDAP_BINDPASSWD= <REMOVED>
NS_LDAP_SERVERS= HOST1-IP:389, HOST2-IP:389
NS_LDAP_SEARCH_BASEDN= o=som,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SERVER_PREF= HOST1:389, HOST2:389
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,o=som,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=people,o=som,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,o=som,dc=com?sub
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=homeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE
pam.conf e pam.d / serviço
/etc/pam.conf
(Apenas as partes relevantes são mostradas)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1 debug
login auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1 debug
/etc/pam.d/login
(Apenas as partes relevantes são mostradas)
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1 debug
auth required pam_dial_auth.so.1
/etc/pam.d/other
(Apenas as partes relevantes são mostradas)
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1 debug
nsswitch.conf
(O nsswitch.conf foi modificado usando svccfg, resultando no seguinte arquivo nsswitch.conf)
passwd: files ldap
group: files ldap
hosts: files [SUCCESS=return] dns
ipnodes: files [SUCCESS=return] dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
project: files
auth_attr: files
prof_attr: files
tnrhtp: files
tnrhdb: files
sudoers: files
Servidor LDAP
Esse host age como um cliente para um Tivoli Directory Server v 6.3 (ITDS). Assuma que todas as modificações de esquema apropriadas foram feitas. (Adicionei todos os elementos de esquema RFC2307bis, NIS e Solaris necessários ao ITDS.)