Pam-Ldap

NSS lookups against an OpenLDAP server using GSSAPI with proxy authorization

  • February 26, 2020

When using LDAP authentication with nss-pam-ldapd on Debian Buster, SASL/GSSAPI requires Kerberos authentication against the LDAP server with proxy authorization. I tried to configure this as single sign-on on my Raspberry Pi, but could not get it working.

My LDAP server is configured as described in How to setup SASL Proxy Authorization with an OpenLDAP server on Debian. I named the proxy user proxyuser, so its distinguished name is uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de.

According to LDAP authentication with nss-pam-ldapd on Debian systems, besides libnss-ldapd and libpam-ldapd I have to install the package libsasl2-modules-gssapi-mit for the GSSAPI plugin. But I will use libpam-krb5 instead of libpam-ldapd.

rpi ~$ sudo apt install libsasl2-modules-gssapi-mit libnss-ldapd ldap-utils

On installation a configuration dialog appears; its settings are stored in /etc/nslcd.conf and /etc/nsswitch.conf. I had to configure it again with

rpi ~$ sudo dpkg-reconfigure nslcd
rpi ~$ sudo dpkg-reconfigure libnss-ldapd

The settings I gave in the dialog are:

rpi ~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de

# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
sasl_authzid dn:uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de
~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Now I expect getent passwd to fetch the credentials for ingo from the LDAP server. They are not stored locally in /etc/passwd. But I only get the entries from /etc/passwd. In the LDAP server's log I can see that no attempt is made to bind as proxyuser. What am I missing here?

Why doesn't getent fetch the credentials from the LDAP server?

Short answer

Make sure your /etc/krb5.keytab is valid with your host/* principal, e.g.:

rpi ~$ sudo kadmin -p user/admin
kadmin:  addprinc -policy host -randkey host/<hostname>.home.hoeft-online.de
kadmin:  ktadd -k /etc/krb5.keytab host/<hostname>.home.hoeft-online.de
kadmin:  q

Disable the caching daemon nscd, if available, with sudo systemctl disable --now nscd.service. Don't confuse it with nslcd. Then check proxy authorization with

rpi ~$ sudo apt install libsasl2-modules-gssapi-mit ldap-utils
rpi ~$ kinit -p ingo
rpi ~$ ldapwhoami -Y GSSAPI -H ldap://kdc-master.home.hoeft-online.de -D "uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de"
SASL/GSSAPI authentication started
SASL username: ingo@HOME.HOEFT-ONLINE.DE
SASL SSF: 256
SASL data security layer installed.
dn:uid=ingo,ou=people,ou=home,dc=hoeft-online,dc=de

Then install:

rpi ~$ sudo apt install libnss-ldapd kstart

Just accept the default settings in the installation dialogs. We overwrite them with these configuration files. Use them with your own settings:

nslcd.conf

~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# Logging options, default is info
#log syslog debug

# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de

# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de

# The DN to bind with for normal lookups.
binddn uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de

# Timing/reconnect options
# You may optimize this for your environment
#bind_timelimit 10
timelimit 30
idle_timelimit 3600
reconnect_sleeptime 2
#reconnect_retrytime 10

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# SASL options
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt

# Other options
nss_initgroups_ignoreusers ALLLOCAL

nsswitch.conf

~$ cat /etc/nsswitch.conf
passwd:         files ldap
group:          files ldap
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Restart the service and check. Make sure ingo is not in /etc/passwd.

rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ getent passwd | grep ingo

Set up PAM login with Kerberos authentication:

rpi ~$ sudo apt install libpam-krb5
rpi ~$ sudo pam-auth-update
# select what you need
[*] Kerberos authentication
[*] Unix authentication
[*] Create home directory on login

# check
rpi ~$ kdestroy
rpi ~$ su -l ingo
password:
ingo@rpi ~$ klist
ingo@rpi ~$ logout
rpi ~$

Install the nscd caching daemon (or enable it if it is already available):

rpi ~$ sudo apt install nscd

That's it.

More details

I spent a few days checking what was wrong with the setup. For troubleshooting you can raise the log level on the LDAP server to debug output with olcLogLevel: any:

slapd ~$ echo 'dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any' > /tmp/in.ldif

slapd ~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/in.ldif

On the client device just uncomment log syslog debug in /etc/nslcd.conf.

Restart the service and disable the caching daemon nscd (not to be confused with nslcd), because nscd can confuse the tests:

rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ sudo systemctl disable --now nscd.service

Don't forget to revert the debug logging and enable nscd again when you are done. Run getent passwd and you will see in the client log that it does not even start with GSSAPI client step 1, nothing at all. I realized that nslcd.service did not get any credentials in /var/run/nslcd/nslcd.tkt to authenticate with. I looked around and found that /etc/default/nslcd has to start /usr/bin/k5start, which was not installed and is not documented. So just install it:

rpi ~$ sudo apt install kstart

Now the log shows GSSAPI starting with step 1, but then aborting.

The most confusing part was the settings dialog that appears when installing libnss-ldapd. It asked me to set the wrong entries for using GSSAPI, in particular the distinguished name of the proxy user (sasl_authzid). That is not usable. Instead you have to use a normal binddn. Just accept the defaults in the dialog and then use the configuration files from the short answer.

I use systemd-networkd together with systemd-resolved. With the systemd resolver I got a nasty 60-second delay at login, which is not acceptable. journalctl -b showed that the group membership query against the LDAP server timed out after 60 seconds:

Feb 26 01:25:45 titan systemd[1]: Reached target Network is Online.
Feb 26 01:25:45 titan systemd[1]: Starting LSB: LDAP connection daemon...
Feb 26 01:25:45 titan nslcd[441]: Starting Keep alive Kerberos ticket: k5start.
Feb 26 01:25:45 titan nslcd[455]: version 0.9.10 starting
Feb 26 01:25:45 titan nslcd[455]: accepting connections
Feb 26 01:25:45 titan nslcd[441]: Starting LDAP connection daemon: nslcd.
Feb 26 01:25:45 titan systemd[1]: Started LSB: LDAP connection daemon.
Feb 26 01:25:46 titan login[435]: pam_krb5(login:auth): authentication failure; logname=local uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Feb 26 01:25:46 titan login[435]: pam_unix(login:session): session opened for user local by LOGIN(uid=0)
Feb 26 01:25:46 titan systemd[1]: Created slice User Slice of UID 65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Runtime Directory /run/user/65533...
Feb 26 01:25:46 titan systemd-logind[428]: New session 1 of user local.
Feb 26 01:25:46 titan systemd[1]: Started User Runtime Directory /run/user/65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Manager for UID 65533...

Feb 26 01:26:11 titan login[435]: pam_systemd(login:session): Failed to create session: Connection timed out
Feb 26 01:26:46 titan dbus-daemon[426]: [system] Connection has not authenticated soon enough, closing it (auth_timeout=30000ms, elapsed: 60060ms)
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> failed to bind to LDAP server ldap://kdc-master.home.hoeft-online.de: Can't contact LDAP server: Invalid argument
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> no available LDAP server found: Can't contact LDAP server: Invalid argument

Feb 26 01:26:46 titan nslcd[455]: GSSAPI client step 1
Feb 26 01:26:46 titan systemd[468]: pam_unix(systemd-user:session): session opened for user local by (uid=0)
Feb 26 01:26:46 titan nslcd[455]: [3c9869] <group/member="local"> connected to LDAP server ldap://kdc-master.home.hoeft-online.de
Feb 26 01:26:46 titan systemd[1]: Started User Manager for UID 65533.
Feb 26 01:26:46 titan systemd[1]: Started Session 1 of user local.

After several days of bug hunting I found that the option nss_initgroups_ignoreusers ALLLOCAL in /etc/nslcd.conf fixes this bug. This option prevents group membership lookups via LDAP for non-LDAP users. This means locally registered users such as system accounts will not query the LDAP server.
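As an added example that is not part of the original question or answer: a small POSIX sh lint for nslcd.conf that checks for the pitfalls the short answer and the details above describe (the dialog's sasl_authzid instead of binddn, a missing krb5_ccname cache that k5start keeps fresh, and a missing nss_initgroups_ignoreusers, which produced the 60-second login delay). It runs offline and does not touch the keytab or the LDAP server; the two sample files written by the helper functions are constructed from the question's and the answer's configs, and the tls_reqcert check is my own addition.

```shell
#!/bin/sh
# Added example, not from the serverfault post: lint an nslcd.conf for the
# GSSAPI pitfalls described in the answer. Runs offline; it does not touch
# the keytab or the LDAP server. The sample configs below are constructed.

# Print the value of KEY from an nslcd.conf, ignoring commented-out lines.
# Usage: nslcd_get FILE KEY
nslcd_get() {
    awk -v key="$2" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Print one line per problem found; return 1 if any, 0 if the file looks sane.
check_nslcd_conf() {
    f="$1"
    problems=0
    if [ "$(nslcd_get "$f" sasl_mech)" = "GSSAPI" ]; then
        # nslcd binds as the proxy user; with GSSAPI that DN goes in binddn
        if [ -z "$(nslcd_get "$f" binddn)" ]; then
            echo "binddn missing: set it to the proxy user's DN"
            problems=$((problems + 1))
        fi
        # The Debian dialog writes sasl_authzid; the answer found that unusable
        if [ -n "$(nslcd_get "$f" sasl_authzid)" ]; then
            echo "sasl_authzid set: remove it and use binddn instead"
            problems=$((problems + 1))
        fi
        # k5start (package kstart) keeps this credential cache fresh
        if [ -z "$(nslcd_get "$f" krb5_ccname)" ]; then
            echo "krb5_ccname missing: nslcd has no ticket cache to authenticate with"
            problems=$((problems + 1))
        fi
    fi
    # Without this, local users (including system accounts) trigger LDAP group
    # lookups, which caused the 60 s login delay described in the answer.
    if [ -z "$(nslcd_get "$f" nss_initgroups_ignoreusers)" ]; then
        echo "nss_initgroups_ignoreusers missing: use ALLLOCAL"
        problems=$((problems + 1))
    fi
    # Extra check (my addition): never ship the template's disabled cert check
    if [ "$(nslcd_get "$f" tls_reqcert)" = "never" ]; then
        echo "tls_reqcert never: the server certificate is not verified"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Number of problems as a string on stdout (always exits 0).
count_nslcd_problems() {
    check_nslcd_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: what the libnss-ldapd dialog produced in the question.
write_dialog_conf() {
    cat > "$1" <<'EOF'
uid nslcd
gid nslcd
uri ldap://kdc-master.home.hoeft-online.de
base ou=home,dc=hoeft-online,dc=de
#binddn cn=annonymous,dc=example,dc=net
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
sasl_authzid dn:uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de
EOF
}

# Constructed sample: the working file from the short answer.
write_working_conf() {
    cat > "$1" <<'EOF'
uid nslcd
gid nslcd
uri ldap://kdc-master.home.hoeft-online.de
base ou=home,dc=hoeft-online,dc=de
binddn uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
nss_initgroups_ignoreusers ALLLOCAL
EOF
}

# Stand-alone use: sh nslcd-lint.sh /etc/nslcd.conf (with sudo; the file is
# not world-readable). Without an argument, lint the two constructed samples.
if [ "$#" -gt 0 ]; then
    check_nslcd_conf "$1"
else
    tmp=$(mktemp -d)
    write_dialog_conf "$tmp/dialog.conf"
    write_working_conf "$tmp/working.conf"
    for c in "$tmp/dialog.conf" "$tmp/working.conf"; do
        echo "== $c"
        check_nslcd_conf "$c" || true
    done
    rm -rf "$tmp"
fi
```

The lint only reads the file; it cannot tell you whether the host/* key in /etc/krb5.keytab is valid or whether proxy authorization works on the server. For those two, use klist -k /etc/krb5.keytab and the ldapwhoami command from the short answer, which must return the proxy user's own DN after authenticating as a regular user.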

Quoted from: https://serverfault.com/questions/993928