Centos7

每個 LDAP 使用者使用 LDAP 和 sssd (Centos7) 給出“權限被拒絕”

  • December 21, 2021

我正在嘗試將 LDAP 登錄限制為“admin”組。

這是我的 /etc/sssd/sssd.conf 文件:

[domain/default]
autofs_provider = ldap
ldap_tls_reqcert = allow
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
cache_credentials = True
debug_timestamps = True
ldap_default_authtok_type = password
ldap_search_base = dc=example,dc=com
id_provider = ldap
ldap_default_bind_dn = cn=moderator,ou=moderators,ou=test,o=organization,dc=example,DC=COM
min_id = 100
ldap_uri = ldaps://example.com:636/
ldap_default_authtok = Pa$$word
ldap_tls_cacertdir = /etc/openldap/cacerts/
ldap_tls_cert = /etc/openldap/cacerts/certificate.pem
access_provider = ldap
ldap_access_filter = memberOf=cn=admin,ou=group,o=organization,dc=example,dc=com

[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

我已經嘗試過id username,它提出了:

id user uid=90514(user) gid=20000(users) groups=20000(users),2480(admin)

當嘗試通過這樣做來更改使用者時,輸入密碼後su user會出錯su: Permission denied。從 sssd.conf 中刪除組限制條目時,它按預期工作並允許使用者登錄。

有什麼想法我搞砸了嗎?

編輯:現在我將使用/etc/security 和 PAM進行設置,這樣就可以了。但是我仍然對使用 sssd 進行操作感到好奇。

根據https://www.mankier.com/5/sssd-ldap

ldap_access_filter (string)

If using access_provider = ldap and ldap_access_order = filter (default), this
option is mandatory. It specifies an LDAP search filter criteria that must be met
for the user to be granted access on this host.

If access_provider = ldap, ldap_access_order = filter and this option is not set,
it will result in all users being denied access. Use access_provider = permit to
change this default behavior.

顯然,添加 access_provider = permit 應該可以解決您的問題。

引用自:https://serverfault.com/questions/1087792