ldapsearch finds my account/user, sssd does not
I am trying to set up a new server (Ubuntu 22.04 LTS) and authenticate users against our organisation's accounts.

This is the public documentation that was provided: https://www.hs-regensburg.de/supportwiki/doku.php?id=en:public:netz:auth

When I run the ldapsearch given in the troubleshooting section, I can find users of the form abc12345 together with all the available data:

```
ldapsearch \
  -A -H 'ldaps://adldap.hs-regensburg.de' \
  -b 'DC=hs-regensburg,DC=de' \
  -D 'abc12345@hs-regensburg.de' \
  -W -z 0 -LLL -E pr=1000/noprompt sAMAccountName=abc12345
```

Output -> Appendix 1
But when I run

```
getent passwd abc12345
```

I get no output, and the log files shown in Appendix 2-3. I would say ldap simply cannot find the given username abc12345. This is my `sssd.conf`:

```
[sssd]
config_file_version = 2
domains = hs-regensburg.de

[domain/hs-regensburg.de]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://adldap.hs-regensburg.de/
ldap_search_base = dc=hs-regensburg,dc=de
ldap_default_bind_dn = CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
#ldap_default_bind_dn = abc12345@hs-regensburg.de
ldap_default_authtok_type = password
ldap_default_authtok = insertPassword
cache_credentials = false
```
- What do I have to change in my sssd.conf so that sssd also finds my user, the way ldapsearch does?
- What exactly is sAMAccountName/samAccountName?
- What would be the benefit of setting up my authentication like this: https://ubuntu.com/server/docs/service-sssd-ldap-krb
- Is the provided documentation sufficient to set up such a system?
I appreciate any help. If you need more information from me, I will gladly provide whatever you need.
Appendix 1

```
Enter LDAP Password:
dn: CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
objectClass:
cn:
sn:
c:
l:
st:
title:
postalCode:
givenName:
distinguishedName:
instanceType:
whenCreated:
whenChanged:
displayName:
uSNCreated:
memberOf:
uSNChanged:
department:
proxyAddresses:
streetAddress:
name:
objectGUID:
userAccountControl:
badPwdCount:
codePage:
countryCode:
homeDirectory:
homeDrive:
badPasswordTime:
lastLogoff:
lastLogon:
pwdLastSet:
primaryGroupID:
profilePath:
objectSid:
accountExpires:
logonCount:
sAMAccountName:
sAMAccountType:
showInAddressBook:
legacyExchangeDN:
userPrincipalName:
objectCategory:
dSCorePropagationData:
lastLogonTimestamp:
uid:
mail:
uidNumber:
gidNumber:
unixHomeDirectory:
loginShell:
mDBUseDefaults:
msExchWhenMailboxCreated:
extensionAttribute9:
msExchUMDtmfMap:
msExchMailboxSecurityDescriptor:
hsrInternalMail:
msExchArchiveWarnQuota:
msExchHomeServerName:
msExchTextMessagingState:
msExchPoliciesExcluded:
msExchDumpsterQuota:
msExchRBACPolicyLink:
msExchUserAccountControl:
msExchMobileMailboxFlags:
msExchArchiveQuota:
msExchDumpsterWarningQuota:
mailNickname:
msExchUserCulture:
msExchVersion:
msExchELCMailboxFlags:
homeMDB:
msExchMailboxGuid:
msExchRecipientTypeDetails:
msExchRecipientDisplayType:
msExchCalendarLoggingQuota:

# refldaps://hs-regensburg.de/CN=Configuration,DC=hs-regensburg,DC=de

# pagedresults: cookie=
```
Appendix 2

```
root@hostname:/var/log/sssd# tail -f sssd_nss.log | grep --color 'abc12345\|$'
(2022-08-24 2:02:44): [nss] [accept_fd_handler] (0x0400): [CID#6] Client [cmd getent][uid 1001][0x55e3a007a380][21] connected!
(2022-08-24 2:02:44): [nss] [sss_cmd_get_version] (0x0200): [CID#6] Received client version [1].
(2022-08-24 2:02:44): [nss] [sss_cmd_get_version] (0x0200): [CID#6] Offered version [1].
(2022-08-24 2:02:44): [nss] [nss_getby_name] (0x0400): [CID#6] Input name: abc12345
(2022-08-24 2:02:44): [nss] [cache_req_send] (0x0400): [CID#6] CR #7: REQ_TRACE: New request [CID #6] 'User by name'
(2022-08-24 2:02:44): [nss] [cache_req_process_input] (0x0400): [CID#6] CR #7: Parsing input name [abc12345]
(2022-08-24 2:02:44): [nss] [sss_parse_name_for_domains] (0x0200): [CID#6] name 'abc12345' matched without domain, user is abc12345
(2022-08-24 2:02:44): [nss] [nss_get_object_send] (0x0400): [CID#6] Client [0x55e3a007a380][21]: sent cache request #7
(2022-08-24 2:02:44): [nss] [cache_req_set_name] (0x0400): [CID#6] CR #7: Setting name [abc12345]
(2022-08-24 2:02:44): [nss] [cache_req_select_domains] (0x0400): [CID#6] CR #7: Performing a multi-domain search
(2022-08-24 2:02:44): [nss] [cache_req_search_domains] (0x0400): [CID#6] CR #7: Search will check the cache and check the data provider
(2022-08-24 2:02:44): [nss] [cache_req_set_domain] (0x0400): [CID#6] CR #7: Using domain [hs-regensburg.de]
(2022-08-24 2:02:44): [nss] [cache_req_prepare_domain_data] (0x0400): [CID#6] CR #7: Preparing input data for domain [hs-regensburg.de] rules
(2022-08-24 2:02:44): [nss] [cache_req_search_send] (0x0400): [CID#6] CR #7: Looking up abc12345@hs-regensburg.de
(2022-08-24 2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: Checking negative cache for [abc12345@hs-regensburg.de]
(2022-08-24 2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: [abc12345@hs-regensburg.de] does not exist (negative cache)
(2022-08-24 2:02:44): [nss] [cache_req_process_result] (0x0400): [CID#6] CR #7: Finished: Not found
(2022-08-24 2:02:44): [nss] [client_recv] (0x0200): [CID#6] Client disconnected!
```
Appendix 3

```
root@hostname:/var/log/sssd# tail -f sssd_nss.log | grep abc12345
(2022-08-24 2:05:41): [nss] [nss_getby_name] (0x0400): [CID#7] Input name: abc12345
(2022-08-24 2:05:41): [nss] [cache_req_process_input] (0x0400): [CID#7] CR #8: Parsing input name [abc12345]
(2022-08-24 2:05:41): [nss] [sss_parse_name_for_domains] (0x0200): [CID#7] name 'abc12345' matched without domain, user is abc12345
(2022-08-24 2:05:41): [nss] [cache_req_set_name] (0x0400): [CID#7] CR #8: Setting name [abc12345]
(2022-08-24 2:05:41): [nss] [cache_req_search_send] (0x0400): [CID#7] CR #8: Looking up abc12345@hs-regensburg.de
(2022-08-24 2:05:41): [nss] [cache_req_search_ncache] (0x0400): [CID#7] CR #8: Checking negative cache for [abc12345@hs-regensburg.de]
(2022-08-24 2:05:41): [nss] [cache_req_search_ncache] (0x0400): [CID#7] CR #8: [abc12345@hs-regensburg.de] is not present in negative cache
(2022-08-24 2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in cache
(2022-08-24 2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Object [abc12345@hs-regensburg.de] was not found in cache
(2022-08-24 2:05:41): [nss] [cache_req_search_dp] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in data provider
(2022-08-24 2:05:41): [nss] [sss_dp_get_account_send] (0x0400): [CID#7] Creating request for [hs-regensburg.de][0x1][BE_REQ_USER][name=abc12345@hs-regensburg.de:-]
(2022-08-24 2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in cache
(2022-08-24 2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Object [abc12345@hs-regensburg.de] was not found in cache
(2022-08-24 2:05:41): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): [CID#7] CR #8: Adding [abc12345@hs-regensburg.de] to negative cache
(2022-08-24 2:05:41): [nss] [sss_ncache_set_str] (0x0400): [CID#7] Adding [NCE/USER/hs-regensburg.de/abc12345@hs-regensburg.de] to negative cache
```
It sounds like you want to control which LDAP attribute SSSD uses to look up your account name.

According to the `sssd-ldap-attributes` man page, when `ldap_schema` is set to `rfc2307` (the default), `rfc2307bis`, or `IPA`, then `ldap_user_name` defaults to `uid`. When `ldap_schema` is set to `AD` (for Active Directory), `ldap_user_name` defaults to `sAMAccountName`. So the simplest solution is probably to configure your SSSD instance to use the `AD` schema:

```
[domain/hs-regensburg.de]
id_provider = ldap
auth_provider = ldap
ldap_schema = AD
ldap_uri = ldaps://adldap.hs-regensburg.de/
ldap_search_base = dc=hs-regensburg,dc=de
ldap_default_bind_dn = CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
#ldap_default_bind_dn = abc12345@hs-regensburg.de
ldap_default_authtok_type = password
ldap_default_authtok = insertPassword
cache_credentials = false
```
I can't test this myself (I don't have access to an AD instance). Most of the documentation I found online for connecting SSSD to an Active Directory backend assumes you are using Kerberos authentication, so it may not apply fully to this situation, but it is probably worth reading (e.g. the `sssd-ad(5)` man page, the online docs, etc.).
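Two things in this thread are easy to misread and worth checking in code: the answer's point that `ldap_schema` decides which attribute SSSD matches the login name against, and the question's Appendix 2 versus Appendix 3, where the first lookup never reached the LDAP server at all because the name was already in the nss responder's negative cache. The following script is an added example written for this page, not code from the question, the answer or the SSSD project. It builds the user-by-name filter SSSD would send for each schema (the `ldap_user_name` defaults are those the answer quotes from `sssd-ldap-attributes(5)`; the `ldap_user_object_class` defaults `posixAccount` and `user` are taken from SSSD's per-schema attribute maps and are an assumption to verify against your build), escapes the login name per RFC 4515 so a crafted name cannot change the filter, and classifies each cache request in an `sssd_nss.log` excerpt. The embedded log lines are copied from the question's appendices.

```python
import re
from collections import OrderedDict

# Default (ldap_user_name, ldap_user_object_class) per ldap_schema value.
# Name attribute per sssd-ldap-attributes(5); object class per SSSD's
# per-schema attribute maps (assumption: check your SSSD version).
SCHEMA_DEFAULTS = {
    "rfc2307": ("uid", "posixAccount"),
    "rfc2307bis": ("uid", "posixAccount"),
    "ipa": ("uid", "posixAccount"),
    "ad": ("sAMAccountName", "user"),
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so a login name cannot alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def user_filter(schema: str, login: str) -> str:
    """Return the user-by-name search filter SSSD would send for this ldap_schema."""
    attr, object_class = SCHEMA_DEFAULTS[schema.lower()]
    return f"(&({attr}={escape_filter_value(login)})(objectClass={object_class}))"


# One sssd_nss.log line: timestamp, responder, function, level, client id,
# optional cache-request number, message.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[nss\] \[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-f]+)\): "
    r"\[CID#(?P<cid>\d+)\] (?:CR #(?P<cr>\d+): )?(?P<msg>.*)$"
)
NAME_RE = re.compile(r"Looking up \[?([^\]\s]+)\]?")

NCACHE_HIT = "negative-cache hit: LDAP backend was not consulted"
DP_MISS = "data provider queried, no match, name added to negative cache"
DP_QUERIED = "data provider queried"
UNKNOWN = "undetermined"


def _verdict(rec: dict) -> str:
    if rec["ncache_hit"]:
        return NCACHE_HIT
    if rec["backend"] and rec["ncache_added"]:
        return DP_MISS
    if rec["backend"]:
        return DP_QUERIED
    return UNKNOWN


def classify_lookups(log_text: str) -> "OrderedDict[str, tuple]":
    """Map each cache request (CR #n) in an sssd_nss.log excerpt to (name, verdict)."""
    reqs = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("cr") is None:
            continue  # not a log line, or not tied to a cache request
        rec = reqs.setdefault(
            m.group("cr"),
            {"name": None, "ncache_hit": False, "backend": False, "ncache_added": False},
        )
        msg = m.group("msg")
        n = NAME_RE.search(msg)
        if n and rec["name"] is None:
            rec["name"] = n.group(1)
        if "does not exist (negative cache)" in msg:
            rec["ncache_hit"] = True
        elif msg.startswith("Looking up [") and msg.endswith("in data provider"):
            rec["backend"] = True
        elif msg.startswith("Adding [") and msg.endswith("to negative cache"):
            rec["ncache_added"] = True
    return OrderedDict((cr, (rec["name"], _verdict(rec))) for cr, rec in reqs.items())


# Excerpts copied from the question's Appendix 2 and Appendix 3.
APPENDIX2_LOG = """\
(2022-08-24 2:02:44): [nss] [cache_req_send] (0x0400): [CID#6] CR #7: REQ_TRACE: New request [CID #6] 'User by name'
(2022-08-24 2:02:44): [nss] [cache_req_search_send] (0x0400): [CID#6] CR #7: Looking up abc12345@hs-regensburg.de
(2022-08-24 2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: Checking negative cache for [abc12345@hs-regensburg.de]
(2022-08-24 2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: [abc12345@hs-regensburg.de] does not exist (negative cache)
(2022-08-24 2:02:44): [nss] [cache_req_process_result] (0x0400): [CID#6] CR #7: Finished: Not found
"""

APPENDIX3_LOG = """\
(2022-08-24 2:05:41): [nss] [cache_req_search_send] (0x0400): [CID#7] CR #8: Looking up abc12345@hs-regensburg.de
(2022-08-24 2:05:41): [nss] [cache_req_search_ncache] (0x0400): [CID#7] CR #8: [abc12345@hs-regensburg.de] is not present in negative cache
(2022-08-24 2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Object [abc12345@hs-regensburg.de] was not found in cache
(2022-08-24 2:05:41): [nss] [cache_req_search_dp] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in data provider
(2022-08-24 2:05:41): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): [CID#7] CR #8: Adding [abc12345@hs-regensburg.de] to negative cache
(2022-08-24 2:05:41): [nss] [sss_ncache_set_str] (0x0400): [CID#7] Adding [NCE/USER/hs-regensburg.de/abc12345@hs-regensburg.de] to negative cache
"""

if __name__ == "__main__":
    for label, log in (("Appendix 2", APPENDIX2_LOG), ("Appendix 3", APPENDIX3_LOG)):
        for cr, (name, verdict) in classify_lookups(log).items():
            print(f"{label}: CR #{cr} {name}: {verdict}")
    print("AD filter:     ", user_filter("AD", "abc12345"))
    print("rfc2307 filter:", user_filter("rfc2307", "abc12345"))
```

The practical consequence for the question: after changing `ldap_schema`, restart sssd so the next `getent` is not answered from the in-memory negative cache as in Appendix 2, and look at the domain log (`/var/log/sssd/sssd_hs-regensburg.de.log`) rather than `sssd_nss.log` to see the filter the backend actually sent and the server's reply, since `sssd_nss.log` only records that the data provider returned nothing.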