Centos7
每個 LDAP 使用者使用 LDAP 和 sssd (Centos7) 給出“權限被拒絕”
我正在嘗試將 LDAP 登錄限制為“admin”組。
這是我的 /etc/sssd/sssd.conf 文件:
[domain/default] autofs_provider = ldap ldap_tls_reqcert = allow auth_provider = ldap ldap_id_use_start_tls = False chpass_provider = ldap cache_credentials = True debug_timestamps = True ldap_default_authtok_type = password ldap_search_base = dc=example,dc=com id_provider = ldap ldap_default_bind_dn = cn=moderator,ou=moderators,ou=test,o=organization,dc=example,DC=COM min_id = 100 ldap_uri = ldaps://example.com:636/ ldap_default_authtok = Pa$$word ldap_tls_cacertdir = /etc/openldap/cacerts/ ldap_tls_cert = /etc/openldap/cacerts/certificate.pem access_provider = ldap ldap_access_filter = memberOf=cn=admin,ou=group,o=organization,dc=example,dc=com [sssd] services = nss, pam, autofs domains = default [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] [secrets] [session_recording]
我已經嘗試過
id username
,它提出了:id user uid=90514(user) gid=20000(users) groups=20000(users),2480(admin)
當嘗試通過這樣做來更改使用者時,輸入密碼後
su user
會出錯su: Permission denied
。從 sssd.conf 中刪除組限制條目時,它按預期工作並允許使用者登錄。有什麼想法我搞砸了嗎?
編輯:現在我將使用/etc/security 和 PAM進行設置,這樣就可以了。但是我仍然對使用 sssd 進行操作感到好奇。
根據https://www.mankier.com/5/sssd-ldap:
ldap_access_filter (string) If using access_provider = ldap and ldap_access_order = filter (default), this option is mandatory. It specifies an LDAP search filter criteria that must be met for the user to be granted access on this host. If access_provider = ldap, ldap_access_order = filter and this option is not set, it will result in all users being denied access. Use access_provider = permit to change this default behavior.
顯然,添加 access_provider = permit 應該可以解決您的問題。