
SSSD & LDAP authentication

Server Fault user
Asked on 2015-09-02 14:28:13
Answers: 2  Views: 13.8K  Followers: 0  Votes: 1

I am currently deploying OpenLDAP and SSSD for authentication. When I try to `id` a user stored in LDAP, I get no response other than "no such user".

The user has been added to LDAP correctly, and I can run `ldapsearch -ZZ` and find the user.

I tried running `sssd -i -d9` and got the following output when attempting to `id` the user:

```
[sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:ldaptest@LDAP]
[sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [LDAP][4097][1][name=ldaptest]
[sssd[nss]] [sbus_add_timeout] (0x2000): 0x22e3960
[sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:1:ldaptest@LDAP]
[sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0xcfac90
[sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
[sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getAccountInfo]
[sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=ldaptest]
[sssd[be[LDAP]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
[sssd[be[LDAP]]] [be_req_set_domain] (0x0400): Changing request domain from [LDAP] to [LDAP]
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0x22e3960
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x22db230
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
[sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
[sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x418850:1:ldaptest@LDAP]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x22da6d0][20]


[sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'hostname' as 'not working'
[sssd[be[LDAP]]] [fo_set_port_status] (0x0400): Marking port 636 of duplicate server 'hostname' as 'not working'
[sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
[sssd[be[LDAP]]] [get_server_status] (0x1000): Status of server 'hostname' is 'name resolved'
[sssd[be[LDAP]]] [get_port_status] (0x1000): Port status of port 636 for server 'hostname' is 'not working'
[sssd[be[LDAP]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
[sssd[be[LDAP]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
[sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
[sssd[be[LDAP]]] [be_mark_offline] (0x2000): Going offline!
[sssd[be[LDAP]]] [be_ptask_create] (0x0400): Periodic task [Check if online (periodic)] was created
[sssd[be[LDAP]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 78 seconds from now [1438098389]
[sssd[be[LDAP]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
[sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0xe6d960
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0xe65230
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Offline
[sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
```

The hostname resolves, and port 636 is definitely open (iptables is turned off, and I can also reach it with telnet).

Here is my sssd configuration file:

```
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_users = root, ldap, named

[pam]

# LDAP domain
[domain/LDAP]

ldap_tls_reqcert = demand
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=test,dc=domain
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = true
chpass_provider = ldap
ldap_uri = ldaps://hostname:636/
ldap_chpass_uri = ldaps://hostname:636/
cache_credentials = true
ldap_tls_cacertdir = /etc/openldap/cacerts/
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(object)(object))
```

I can't find an answer on Google. Any pointers toward a solution would be greatly appreciated.

Many thanks.


2 Answers

Server Fault user

Posted on 2015-10-28 10:24:30

`ldap_id_use_start_tls = true` is definitely wrong.

To encrypt network traffic to LDAP, you must choose one of:

  • old-style SSL on port 636
  • the newer StartTLS on port 389 (the connection starts in plain text and is then upgraded to TLS)

StartTLS and SSL are mutually exclusive.

Try removing the offending line.

Votes: 3
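As an added check, not part of either answer or of SSSD itself: a small Python lint that reads an sssd.conf and flags the two TLS mistakes the first answer describes, an `ldaps://` URI combined with `ldap_id_use_start_tls`, and a plain `ldap://` URI with no StartTLS at all. The sample config is constructed from the asker's `[domain/LDAP]` block, trimmed to the keys the check reads.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: the asker's [domain/LDAP] block, reduced to the relevant keys.
CONFLICTING_CONF = """\
[sssd]
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldaps://hostname:636/
ldap_id_use_start_tls = true
"""

# The same domain with the contradictory line removed, as the first answer suggests.
FIXED_CONF = CONFLICTING_CONF.replace("ldap_id_use_start_tls = true\n", "")


def check_tls_settings(conf_text: str) -> list[str]:
    """Return one finding per [domain/...] section whose TLS settings are wrong.

    ldaps:// wraps the connection in TLS from the first byte, whereas
    ldap_id_use_start_tls upgrades an already-open plain ldap:// connection.
    Asking for both on one URI is contradictory, and ldap:// without StartTLS
    sends bind credentials and directory data in the clear.
    """
    cp = configparser.ConfigParser(interpolation=None)  # sssd.conf is INI-style
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        # ldap_uri may list several servers separated by commas or spaces
        uris = cp.get(section, "ldap_uri", fallback="").replace(",", " ").split()
        start_tls = cp.getboolean(section, "ldap_id_use_start_tls", fallback=False)
        for uri in uris:
            scheme = urlsplit(uri).scheme.lower()
            if scheme == "ldaps" and start_tls:
                findings.append(f"{section}: {uri} is already TLS; drop ldap_id_use_start_tls")
            elif scheme == "ldap" and not start_tls:
                findings.append(f"{section}: {uri} has no StartTLS; traffic is plaintext")
    return findings


if __name__ == "__main__":
    for name, conf in (("conflicting", CONFLICTING_CONF), ("fixed", FIXED_CONF)):
        print(name, check_tls_settings(conf) or "ok")
```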

Server Fault user

Posted on 2016-07-25 12:30:53

`ldap_access_filter` looks weird. Try removing it.

Votes: 1

Original page content provided by Server Fault; translation supported by Tencent Cloud's IT-domain translation engine.
Original link: https://serverfault.com/questions/718570