客户实施过程中,遇到通过LDAP认证登陆计算节点,密码登陆一直失败,通过一顿的查资料才解决问题。解决后才发现有更简单的方法,记录如下。
三个配置文件
登陆计算节点,查看一下三个配置文件,该配置文件涉及用户认证方式。
1. /etc/pam_ldap.conf
cat /etc/pam_ldap.conf | grep -v ^$ | grep -v ^#
host 192.168.242.100
base dc=clustertech,dc=com
uri ldap://192.168.242.100
ldap_version 3
- /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
sshd模块决定用户认证过程中采用的方式,主要关注include后面的方式会有system-auth、password-auth,采用password-auth
备注:/etc/pam.d/sshd模块还有许多其他功能,比如登陆安全设置(失败次数限制)、允许/禁止特定的用户登录,可以自行查找相关资料
3. /etc/nslcd.conf
cat /etc/nslcd.conf | grep -v ^$ | grep -v ^#
uid nslcd
gid ldap
uri ldap://192.168.242.100
base dc=clustertech,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
问题主要出在sshd模块上面,举一反三,在/etc/pam.d/下面的其他模块,比如su、sudo等均需要修改成password-auth,主要password-auth中也要引入ldap模块
cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
authconfig命令
authconfig --enableldap --enableldapauth --ldapserver=ldap://ldap.example.com:389,ldap://ldap2.example.com:389 --ldapbasedn="ou=people,dc=example,dc=com" --enableldaptls --ldaploadcacert=https://ca.server.example.com/caCert.crt --update
https://www.certdepot.net/ldap-client-configuration-authconfig/
补充:
当nis或ldap客户端也存在和server中一样的用户时,要注意nsswitch.conf文件。最好的解决办法是删除client端中的相同用户。