Ldap

ldapsearch finds my account/user, sssd does not

  • August 24, 2022

I am trying to set up a new server (Ubuntu 22.04 LTS) and authenticate users with their organizational accounts.

This is the public documentation provided: https://www.hs-regensburg.de/supportwiki/doku.php?id=en:public:netz:auth

When running the ldapsearch specified in the troubleshooting section, I can find users in the format abc12345 along with all the available data.

ldapsearch \
-A \
-H 'ldaps://adldap.hs-regensburg.de' \
-b 'DC=hs-regensburg,DC=de' \
-D 'abc12345@hs-regensburg.de' \
-W -z 0 -LLL -E pr=1000/noprompt sAMAccountName=abc12345

Output -> Appendix 1

But when running getent passwd abc12345 I get no output, and the log files shown in Appendix 2-3. I would say ldap does not find the given user name abc12345 at all.

This is my sssd.conf

[sssd]
config_file_version = 2
domains = hs-regensburg.de

[domain/hs-regensburg.de]
id_provider = ldap
auth_provider = ldap

ldap_uri = ldaps://adldap.hs-regensburg.de/
ldap_search_base = dc=hs-regensburg,dc=de

ldap_default_bind_dn = CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
#ldap_default_bind_dn = abc12345@hs-regensburg.de
ldap_default_authtok_type = password
ldap_default_authtok = insertPassword

cache_credentials = false

  1. What changes do I have to make to my sssd.conf so that sssd can also find my user, just like ldapsearch does?
  2. What exactly is sAMAccountName/samAccountName?
  3. What would be the benefit if I set up my authentication like this: https://ubuntu.com/server/docs/service-sssd-ldap-krb
  4. Is the provided documentation sufficient to set up such a system?

I appreciate any help. If you need more information from me, I will gladly provide whatever you need.

Appendix 1

Enter LDAP Password:
dn: CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
objectClass:
cn:
sn:
c:
l:
st:
title:
postalCode:
givenName:
distinguishedName:
instanceType:
whenCreated:
whenChanged:
displayName:
uSNCreated:
memberOf:
uSNChanged:
department:
proxyAddresses:
streetAddress:
name:
objectGUID:
userAccountControl:
badPwdCount:
codePage:
countryCode:
homeDirectory:
homeDrive:
badPasswordTime:
lastLogoff:
lastLogon:
pwdLastSet:
primaryGroupID:
profilePath:
objectSid:
accountExpires:
logonCount:
sAMAccountName:
sAMAccountType:
showInAddressBook:
legacyExchangeDN:
userPrincipalName:
objectCategory:
dSCorePropagationData:
lastLogonTimestamp:
uid:
mail:
uidNumber:
gidNumber:
unixHomeDirectory:
loginShell:
mDBUseDefaults:
msExchWhenMailboxCreated:
extensionAttribute9:
msExchUMDtmfMap:
msExchMailboxSecurityDescriptor:
hsrInternalMail:
msExchArchiveWarnQuota:
msExchHomeServerName:
msExchTextMessagingState:
msExchPoliciesExcluded:
msExchDumpsterQuota:
msExchRBACPolicyLink:
msExchUserAccountControl:
msExchMobileMailboxFlags:
msExchArchiveQuota:
msExchDumpsterWarningQuota:
mailNickname:
msExchUserCulture:
msExchVersion:
msExchELCMailboxFlags:
homeMDB:
msExchMailboxGuid:
msExchRecipientTypeDetails:
msExchRecipientDisplayType:
msExchCalendarLoggingQuota:

# refldaps://hs-regensburg.de/CN=Configuration,DC=hs-regensburg,DC=de

# pagedresults: cookie=

Appendix 2

root@hostname:/var/log/sssd# tail -f sssd_nss.log | grep --color 'abc12345\|$'

(2022-08-24  2:02:44): [nss] [accept_fd_handler] (0x0400): [CID#6] Client [cmd getent][uid 1001][0x55e3a007a380][21] connected!
(2022-08-24  2:02:44): [nss] [sss_cmd_get_version] (0x0200): [CID#6] Received client version [1].
(2022-08-24  2:02:44): [nss] [sss_cmd_get_version] (0x0200): [CID#6] Offered version [1].
(2022-08-24  2:02:44): [nss] [nss_getby_name] (0x0400): [CID#6] Input name: abc12345
(2022-08-24  2:02:44): [nss] [cache_req_send] (0x0400): [CID#6] CR #7: REQ_TRACE: New request [CID #6] 'User by name'
(2022-08-24  2:02:44): [nss] [cache_req_process_input] (0x0400): [CID#6] CR #7: Parsing input name [abc12345]
(2022-08-24  2:02:44): [nss] [sss_parse_name_for_domains] (0x0200): [CID#6] name 'abc12345' matched without domain, user is abc12345
(2022-08-24  2:02:44): [nss] [nss_get_object_send] (0x0400): [CID#6] Client [0x55e3a007a380][21]: sent cache request #7
(2022-08-24  2:02:44): [nss] [cache_req_set_name] (0x0400): [CID#6] CR #7: Setting name [abc12345]
(2022-08-24  2:02:44): [nss] [cache_req_select_domains] (0x0400): [CID#6] CR #7: Performing a multi-domain search
(2022-08-24  2:02:44): [nss] [cache_req_search_domains] (0x0400): [CID#6] CR #7: Search will check the cache and check the data provider
(2022-08-24  2:02:44): [nss] [cache_req_set_domain] (0x0400): [CID#6] CR #7: Using domain [hs-regensburg.de]
(2022-08-24  2:02:44): [nss] [cache_req_prepare_domain_data] (0x0400): [CID#6] CR #7: Preparing input data for domain [hs-regensburg.de] rules
(2022-08-24  2:02:44): [nss] [cache_req_search_send] (0x0400): [CID#6] CR #7: Looking up abc12345@hs-regensburg.de
(2022-08-24  2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: Checking negative cache for [abc12345@hs-regensburg.de]
(2022-08-24  2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: [abc12345@hs-regensburg.de] does not exist (negative cache)
(2022-08-24  2:02:44): [nss] [cache_req_process_result] (0x0400): [CID#6] CR #7: Finished: Not found
(2022-08-24  2:02:44): [nss] [client_recv] (0x0200): [CID#6] Client disconnected!

Appendix 3

root@hostname:/var/log/sssd# tail -f sssd_nss.log | grep abc12345

(2022-08-24  2:05:41): [nss] [nss_getby_name] (0x0400): [CID#7] Input name: abc12345
(2022-08-24  2:05:41): [nss] [cache_req_process_input] (0x0400): [CID#7] CR #8: Parsing input name [abc12345]
(2022-08-24  2:05:41): [nss] [sss_parse_name_for_domains] (0x0200): [CID#7] name 'abc12345' matched without domain, user is abc12345
(2022-08-24  2:05:41): [nss] [cache_req_set_name] (0x0400): [CID#7] CR #8: Setting name [abc12345]
(2022-08-24  2:05:41): [nss] [cache_req_search_send] (0x0400): [CID#7] CR #8: Looking up abc12345@hs-regensburg.de
(2022-08-24  2:05:41): [nss] [cache_req_search_ncache] (0x0400): [CID#7] CR #8: Checking negative cache for [abc12345@hs-regensburg.de]
(2022-08-24  2:05:41): [nss] [cache_req_search_ncache] (0x0400): [CID#7] CR #8: [abc12345@hs-regensburg.de] is not present in negative cache
(2022-08-24  2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in cache
(2022-08-24  2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Object [abc12345@hs-regensburg.de] was not found in cache
(2022-08-24  2:05:41): [nss] [cache_req_search_dp] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in data provider
(2022-08-24  2:05:41): [nss] [sss_dp_get_account_send] (0x0400): [CID#7] Creating request for [hs-regensburg.de][0x1][BE_REQ_USER][name=abc12345@hs-regensburg.de:-]
(2022-08-24  2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in cache
(2022-08-24  2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Object [abc12345@hs-regensburg.de] was not found in cache
(2022-08-24  2:05:41): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): [CID#7] CR #8: Adding [abc12345@hs-regensburg.de] to negative cache
(2022-08-24  2:05:41): [nss] [sss_ncache_set_str] (0x0400): [CID#7] Adding [NCE/USER/hs-regensburg.de/abc12345@hs-regensburg.de] to negative cache

It seems you want to control the LDAP attribute SSSD uses to look up your account name.

According to the sssd-ldap-attributes man page, when ldap_schema is set to rfc2307 (the default), rfc2307bis, or IPA, then ldap_user_name defaults to uid.

When ldap_schema is set to AD (for Active Directory), ldap_user_name defaults to sAMAccountName.

So the simplest solution might be to configure your SSSD instance to use the AD schema:

[domain/hs-regensburg.de]
id_provider = ldap
auth_provider = ldap
ldap_schema = AD

ldap_uri = ldaps://adldap.hs-regensburg.de/
ldap_search_base = dc=hs-regensburg,dc=de

ldap_default_bind_dn = CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
#ldap_default_bind_dn = abc12345@hs-regensburg.de
ldap_default_authtok_type = password
ldap_default_authtok = insertPassword

cache_credentials = false

I am not able to test this myself (I do not have access to an AD instance). Most of the documentation I found online for connecting SSSD to an Active Directory backend assumes you are using Kerberos authentication, so it may not apply entirely to this situation, but it may be worth a read (e.g. the sssd-ad(5) man page, the online documentation, etc.).
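To make the schema point above concrete, here is an added example (not code from the question, the answer, or the SSSD project) that reads an sssd.conf fragment and derives the name attribute and object class SSSD will search for, using the defaults documented in sssd-ldap-attributes(5). The two config fragments are constructed from the question; the filter it builds is an approximation of SSSD's real query, and the RFC 4515 escaping shows how a login name should be treated before it lands in a filter.

```python
import configparser

# Defaults from sssd-ldap-attributes(5): the attribute SSSD matches a login name
# against, and the user object class, both keyed by ldap_schema.
NAME_ATTR_DEFAULTS = {"rfc2307": "uid", "rfc2307bis": "uid", "ipa": "uid",
                      "ad": "sAMAccountName"}
OBJECT_CLASS_DEFAULTS = {"rfc2307": "posixAccount", "rfc2307bis": "posixAccount",
                         "ipa": "posixAccount", "ad": "user"}

# Constructed sssd.conf fragments modelled on the question: the asker's original
# (no ldap_schema, so rfc2307 applies) and the answer's version with ldap_schema = AD.
ASKER_CONF = """\
[sssd]
config_file_version = 2
domains = hs-regensburg.de

[domain/hs-regensburg.de]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://adldap.hs-regensburg.de/
ldap_search_base = dc=hs-regensburg,dc=de
"""
FIXED_CONF = ASKER_CONF + "ldap_schema = AD\n"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def effective_user_lookup(conf_text: str, domain: str) -> dict:
    """Resolve which attribute and object class SSSD will search for this domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    schema = sec.get("ldap_schema", "rfc2307").lower()
    return {
        "schema": schema,
        "name_attr": sec.get("ldap_user_name", NAME_ATTR_DEFAULTS[schema]),
        "object_class": sec.get("ldap_user_object_class", OBJECT_CLASS_DEFAULTS[schema]),
        "base": sec.get("ldap_search_base", ""),
    }


def ldap_filter_for(conf_text: str, domain: str, username: str) -> str:
    """Approximate filter SSSD sends for `getent passwd <username>` (assumption)."""
    look = effective_user_lookup(conf_text, domain)
    return "(&(%s=%s)(objectClass=%s))" % (
        look["name_attr"], escape_filter_value(username), look["object_class"])


if __name__ == "__main__":
    for label, conf in (("asker", ASKER_CONF), ("answer", FIXED_CONF)):
        print(label, ldap_filter_for(conf, "hs-regensburg.de", "abc12345"))
```

Comparing the two printed filters against the sAMAccountName=abc12345 filter used in the working ldapsearch shows why the asker's configuration never matches.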

Source: https://serverfault.com/questions/1108927