LDAP user authentication with nslcd on Debian 8.x

I installed the libpam-ldapd package on Debian 8.5 and then configured the file /etc/nslcd.conf with the following settings:
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://172.17.192.100
# The search base that will be used for all queries.
base DC=myorg,DC=com
# The LDAP protocol version to use.
ldap_version 3
binddn CN=ldapuser,DC=myorg,DC=com
bindpw secret
# The search scope.
#scope sub
filter passwd (objectClass=person)
map passwd uid sAMAccountName
map passwd uidNumber employeeID
map passwd gidNumber objectSid
filter shadow (objectClass=person)
map shadow uid sAMAccountName
The problem is that when I log in to the server with [email protected] I get the following log (the authentication is successful, but the search fails because of the @myorg.com part; it also uses the nslcd_pam_authc() function):
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_initialize(ldap://172.17.192.100)
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_rebind_proc()
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_simple_bind_s("CN=isldap,DC=TI,DC=ads","***") (uri="ldap://172.17.192.100")
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)([email protected]))")
nslcd: [8e1f29] <passwd="[email protected]"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [e87ccd] DEBUG: connection from pid=9046 uid=0 gid=0
nslcd: [e87ccd] <authc="[email protected]"> DEBUG: nslcd_pam_authc("[email protected]","sshd","***")
nslcd: [e87ccd] <authc="[email protected]"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)([email protected]))")
nslcd: [e87ccd] <authc="[email protected]"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [e87ccd] <authc="[email protected]"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)([email protected]))")
nslcd: [e87ccd] <authc="[email protected]"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [e87ccd] <authc="[email protected]"> DEBUG: "[email protected]": user not found: No such object
When I log in with only the username, the search succeeds but the authentication does not (it tries with the full DN and the ldap_sasl_bind() function for authentication):
nslcd: [8b4567] <host=10.0.2.2> DEBUG: ldap_simple_bind_s("CN=ldapuserDC=myorg,DC=com","***") (uri="ldap://172.17.192.100")
nslcd: [8b4567] <host=10.0.2.2> DEBUG: ldap_result(): end of results (0 total)
nslcd: [8b4567] <host=10.0.2.2> DEBUG: myldap_search(base="OU=Guatemala Support Team,OU=TI_Service_Accounts,DC=TI,DC=ads", filter="(&(objectClass=ipHost)(ipHostNumber=10.0.2.2))")
nslcd: [8b4567] <host=10.0.2.2> DEBUG: ldap_result(): end of results (0 total)
nslcd: [7b23c6] DEBUG: connection from pid=9099 uid=0 gid=0
nslcd: [7b23c6] <passwd="user"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)(sAMAccountName=user))")
nslcd: [7b23c6] <passwd="user"> DEBUG: ldap_initialize(ldap://172.17.192.100)
nslcd: [7b23c6] <passwd="user"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <passwd="user"> DEBUG: ldap_simple_bind_s("CN=ldapuser,DC=myorg,DC=com","***") (uri="ldap://172.17.192.100")
nslcd: [7b23c6] <passwd="user"> DEBUG: ldap_result(): CN=User John Doe,DC=myorg,DC=com
nslcd: [7b23c6] <passwd="user"> CN=User John Doe,DC=myorg,DC=com: objectSid: missing
nslcd: [7b23c6] <passwd="user"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [7b23c6] <passwd="user"> DEBUG: myldap_search(base="OU=Guatemala Support Team,OU=TI_Service_Accounts,DC=TI,DC=ads", filter="(&(objectClass=person)(sAMAccountName=user))")
nslcd: [7b23c6] <passwd="user"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [3c9869] DEBUG: connection from pid=9099 uid=0 gid=0
nslcd: [3c9869] <passwd="user"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)(sAMAccountName=user))")
nslcd: [3c9869] <passwd="user"> DEBUG: ldap_result(): CN=User John Doe,DC=myorg,DC=com
nslcd: [3c9869] <passwd="user"> CN=User John Doe,DC=myorg,DC=com: objectSid: missing
nslcd: [3c9869] <passwd="user"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] <passwd="user"> DEBUG: myldap_search(base="OU=Guatemala Support Team,OU=TI_Service_Accounts,DC=TI,DC=ads", filter="(&(objectClass=person)(sAMAccountName=user))")
nslcd: [3c9869] <passwd="user"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [334873] DEBUG: connection from pid=9099 uid=0 gid=0
nslcd: [334873] <passwd="user"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)(sAMAccountName=user))")
nslcd: [334873] <passwd="user"> DEBUG: ldap_result(): CN=User John Doe,DC=myorg,DC=com
nslcd: [334873] <passwd="user"> CN=User John Doe,DC=myorg,DC=com: objectSid: missing
nslcd: [334873] <passwd="user"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [334873] <passwd="user"> DEBUG: myldap_search(base="OU=Guatemala Support Team,OU=TI_Service_Accounts,DC=TI,DC=ads", filter="(&(objectClass=person)(sAMAccountName=user))")
nslcd: [334873] <passwd="user"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [b0dc51] DEBUG: connection from pid=9099 uid=0 gid=0
nslcd: [b0dc51] <authc="user"> DEBUG: nslcd_pam_authc("user","sshd","***")
nslcd: [b0dc51] <authc="user"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)(sAMAccountName=user))")
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_initialize(ldap://172.17.192.100)
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_simple_bind_s("CN=ldapuserDC=myorg,DC=com","***") (uri="ldap://172.17.192.100")
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_result(): CN=User John Doe,DC=myorg,DC=com
nslcd: [b0dc51] <authc="user"> DEBUG: myldap_search(base="CN=User John Doe,DC=myorg,DC=com", filter="(objectClass=*)")
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_initialize(ldap://172.17.192.100)
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_sasl_bind("CN=User John Doe,DC=myorg,DC=com","***") (uri="ldap://172.17.192.100")
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580
nslcd: [b0dc51] <authc="user"> DEBUG: failed to bind to LDAP server ldap://172.17.192.100: Invalid credentials: 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="user"> CN=User John Doe,DC=myorg,DC=com: Invalid credentials
nslcd: [b0dc51] <authc="user"> DEBUG: myldap_search(base="DC=myorg,DC=com", filter="(&(objectClass=person)(sAMAccountName=user))")
nslcd: [b0dc51] <authc="user"> DEBUG: ldap_result(): CN=User John Doe,DC=myorg,DC=com
Question: how should I configure nslcd.conf if I want to:
- log in with the username
- search the sAMAccount field for a value equal to the username
Thanks in advance, and sorry for the long post.
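As an added example (not from the post or from the nslcd project), a small Python triage script for nslcd debug output of the kind shown above: it separates the lookup stage (the passwd filter matching nothing) from the bind stage (AD's "Invalid credentials" with its data code) and flags attribute-mapping warnings such as "objectSid: missing". The sample log, the names alice and example.com, and the diagnose() readings are my own constructions.

```python
"""Triage nslcd debug output (nslcd -d): lookup failures, bind failures with the AD
'data NNN' reason, and attribute-mapping warnings.  The sample log is constructed."""
import re
from collections import defaultdict

# AD reports the real reason for LDAP error 49 ("Invalid credentials") in 'data NNN'.
AD_DATA_CODES = {"525": "user not found", "52e": "wrong password",
                 "530": "logon time restriction", "532": "password expired",
                 "533": "account disabled", "701": "account expired",
                 "773": "password must be reset", "775": "account locked out"}
LINE_RE = re.compile(r'^nslcd: \[(?P<sid>[0-9a-f]+)\] (?:<[^>]*> )?(?P<msg>.*)$')
DATA_RE = re.compile(r'\bdata (?P<code>[0-9a-f]+)\b')
USER_RE = re.compile(r'nslcd_pam_authc\("(?P<user>[^"]*)"')

SAMPLE_LOG = """\
nslcd: [e87ccd] <authc="alice@example.com"> DEBUG: nslcd_pam_authc("alice@example.com","sshd","***")
nslcd: [e87ccd] <authc="alice@example.com"> DEBUG: myldap_search(base="DC=example,DC=com", filter="(&(objectClass=person)(sAMAccountName=alice@example.com))")
nslcd: [e87ccd] <authc="alice@example.com"> DEBUG: "alice@example.com": user not found: No such object
nslcd: [b0dc51] <passwd="alice"> CN=Alice,DC=example,DC=com: objectSid: missing
nslcd: [c1d2e3] <authc="alice"> DEBUG: nslcd_pam_authc("alice","sshd","***")
nslcd: [c1d2e3] <authc="alice"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 533, v2580
"""

def triage_nslcd_log(lines):
    """Return {session_id: [(event, detail), ...]} in log order."""
    sessions = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events, msg = sessions[m.group("sid")], m.group("msg")
        if "user not found" in msg:                  # lookup stage: the passwd filter matched nothing
            events.append(("lookup_failed", "user not found"))
        elif "ldap_parse_result" in msg and "Invalid credentials" in msg:
            code = DATA_RE.search(msg)               # bind stage: decode AD's data code
            events.append(("bind_failed", AD_DATA_CODES.get(code.group("code"), "unknown") if code else "unknown"))
        elif msg.endswith(": missing"):              # a mapped attribute was not in the returned entry
            events.append(("attribute_missing", msg.rsplit(": ", 2)[1]))
        elif (u := USER_RE.search(msg)):             # PAM authentication request and the login name used
            events.append(("pam_authc", u.group("user")))
    return dict(sessions)

def diagnose(events):
    """One-line reading of a session's events (my interpretation, not the poster's)."""
    kinds = dict(events)
    if "lookup_failed" in kinds and "@" in kinds.get("pam_authc", ""):
        return "login name carries a domain suffix; sAMAccountName never contains '@' (userPrincipalName does)"
    if "bind_failed" in kinds:
        return "bind as the user's DN rejected: " + kinds["bind_failed"]
    return "attribute mapping warning only" if "attribute_missing" in kinds else "no failure recorded"
```

Feed it `nslcd -d` output line by line (or a saved syslog extract) and print `diagnose()` per session id to see at which stage each login attempt died.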