Eu tenho autenticação de trabalho pam_ldap usando libpam_ldapd. Estou usando o slapo-nssov e quero usar o atributo loginStatus que é adicionado à entrada ldap dos usuários após a abertura da sessão pam e excluído quando está fechado. Ele funciona apenas com autenticação de senha ssh.
Eu acho que há algo ignorado no pam quando eu uso a chave pública em vez da senha - não há pam_ldap(sshd:auth) nslcd authentication; user=user
registro no auth.log e nssov não tem informações sobre o usuário e seu DN para atualizar a sessão. Essa é provavelmente a razão pela qual o atributo loginStatus não é adicionado para a entrada do usuário ldap. Existe alguma chance de forçar o pam a fazer o sshd: auth quando a autenticação de chave pública é usada?
Conexão ssh bem-sucedida pela senha do usuário:
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): nslcd authentication; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): authentication succeeded
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:57 host sshd[14511]: Accepted password for jindraj from 10.255.0.5 port 60889 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:57 host sshd[14511]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:57 host sshd[14511]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): session open succeeded; session_id=1428482517
Apr 8 10:41:57 host login[14524]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:account): authorization succeeded
Apr 8 10:41:57 host login[14524]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
slapd.log grepped para nssov_pam quando logado em ssh usando senha:
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_authc(jindraj)
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_authz(cn=jakub jindra,ou=people,dc=socialbakers,dc=com)
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o(cn=jakub jindra,ou=people,dc=socialbakers,dc=com)
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_authz()
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o()
Conexão ssh bem-sucedida por usuários de chave pública
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:32 host sshd[14389]: Accepted publickey for jindraj from 10.255.0.5 port 60888 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:32 host sshd[14389]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): SELinux is not enabled
Apr 8 10:41:32 host login[14420]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:account): authorization succeeded
Apr 8 10:41:32 host login[14420]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
slapd.log grepped para nssov_pam quando logado em ssh usando publickey:
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_authz()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_authz()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Aqui está o meu perfil auth-client-config. Ele deve fornecer informações sobre como é a configuração do meu nsswitch e pam:
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files
nss_netgroup=netgroup: nis
nss_hosts=hosts: files cache dns
nss_services=services: files ldap
nss_sudoers=sudoers: files ldap
pam_auth=auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so minimum_uid=10000 use_first_pass debug
auth required pam_deny.so
pam_account=account sufficient pam_unix.so
account sufficient pam_ldap.so minimum_uid=10000 debug
account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so minimum_uid=10000 try_first_pass debug
password required pam_deny.so
pam_session=session required pam_limits.so
session required pam_unix.so
session sufficient pam_ldap.so use_authtok debug
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Meu ambiente: