NSS queries against an OpenLDAP server using GSSAPI with proxy authorization
If you use LDAP authentication with nss-pam-ldapd on a Debian Buster system, SASL/GSSAPI requires Kerberos authentication to the LDAP server via proxy authorization. I tried to configure it on my Raspberry Pi for single sign-on but could not get it to work.
My LDAP server is configured according to "How to setup SASL Proxy Authorization with an OpenLDAP server on Debian". I named the proxy user proxyuser, so its distinguished name is uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de. According to "LDAP authentication with nss-pam-ldapd on Debian systems", in addition to libnss-ldapd and libpam-ldapd I also have to install the GSSAPI plugin package libsasl2-modules-gssapi-mit. But I will use libpam-krb5 instead of libpam-ldapd:

```
rpi ~$ sudo apt install libsasl2-modules-gssapi-mit libnss-ldapd ldap-utils
```
During installation a configuration dialog appears; its settings are stored in /etc/nslcd.conf and /etc/nsswitch.conf. I had to configure them again with:

```
rpi ~$ sudo dpkg-reconfigure nslcd
rpi ~$ sudo dpkg-reconfigure libnss-ldapd
```

The settings I entered in the dialog are:
```
rpi ~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de

# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
sasl_authzid dn:uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de
```
```
~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```
Now, with getent passwd I expect to get the credentials for ingo from the LDAP server. They are not stored locally in /etc/passwd. But I only get the entries from /etc/passwd. In the log of the LDAP server I can see that there is no attempt to bind as proxyuser. What am I missing here? Why does getent not fetch the credentials from the LDAP server?
Short answer

Make sure your /etc/krb5.keytab is valid with your host/* principal, e.g.:

```
rpi ~$ sudo kadmin -p user/admin
kadmin: addprinc -policy host -randkey host/<hostname>.home.hoeft-online.de
kadmin: ktadd -k /etc/krb5.keytab host/<hostname>.home.hoeft-online.de
kadmin: q
```
If available, disable the caching daemon nscd with sudo systemctl disable --now nscd.service. Do not confuse it with nslcd. Then check proxy authorization:

```
rpi ~$ sudo apt install libsasl2-modules-gssapi-mit ldap-utils
rpi ~$ kinit -p ingo
rpi ~$ ldapwhoami -Y GSSAPI -H ldap://kdc-master.home.hoeft-online.de -D "uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de"
SASL/GSSAPI authentication started
SASL username: ingo@HOME.HOEFT-ONLINE.DE
SASL SSF: 256
SASL data security layer installed.
dn:uid=ingo,ou=people,ou=home,dc=hoeft-online,dc=de
```
Then install:

```
rpi ~$ sudo apt install libnss-ldapd kstart
```

Just accept the default settings in the installation dialog. We override them with these configuration files. Use them with your own settings:

nslcd.conf

```
~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# Logging options, default is info
#log syslog debug

# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de

# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de

# The DN to bind with for normal lookups.
binddn uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de

# Timing/reconnect options
# You may optimize this for your environment
#bind_timelimit 10
timelimit 30
idle_timelimit 3600
reconnect_sleeptime 2
#reconnect_retrytime 10

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# SASL options
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt

# Other options
nss_initgroups_ignoreusers ALLLOCAL
```

nsswitch.conf

```
~$ cat /etc/nsswitch.conf
passwd:         files ldap
group:          files ldap
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```
Restart the service and check. Make sure that ingo is not in /etc/passwd.

```
rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ getent passwd | grep ingo
```
Set up the PAM login with Kerberos authentication:

```
rpi ~$ sudo apt install libpam-krb5
rpi ~$ sudo pam-auth-update
# select what you need
[*] Kerberos authentication
[*] Unix authentication
[*] Create home directory on login

# check
rpi ~$ kdestroy
rpi ~$ su -l ingo
password:
ingo@rpi ~$ klist
ingo@rpi ~$ logout
rpi ~$
```
Install the nscd caching daemon (or enable it if it is already available):

```
rpi ~$ sudo apt install nscd
```

That's it.
More details

I spent a few days checking what was wrong with the setup. For troubleshooting you can raise the log level on the LDAP server to debug output with olcLogLevel: any:

```
slapd ~$ echo 'dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any' > /tmp/in.ldif
slapd ~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/in.ldif
```
On the client device just uncomment the debug logging option in /etc/nslcd.conf. Restart the service and disable the caching daemon nscd (not to be confused with nslcd), because nscd may confuse the tests:

```
rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ sudo systemctl disable --now nscd.service
```
Don't forget to revert the debug logging and enable nscd again when you are done. Run getent passwd and you will see in the client log that it does not even start with GSSAPI client step 1; nothing at all. I realized that nslcd.service gets no credentials in /var/run/nslcd/nslcd.tkt to authenticate with. I searched around and found that /etc/default/nslcd has to start /usr/bin/k5start, but it was not installed and this is not documented. So just install it:

```
rpi ~$ sudo apt install kstart
```

Now the log shows GSSAPI starting with step 1, but then it aborts.
Most confusing was the settings dialog that appears when installing libnss-ldapd. It asks me to set the wrong entries for GSSAPI, in particular the distinguished name of the proxy user (sasl_authzid). This is not usable. Instead you have to use the ordinary binddn. Just accept the defaults in the dialog and then use the configuration files from the short answer. I use systemd-networkd together with systemd-resolved. With the systemd resolver I got an annoying 60-second delay on login, which is not acceptable. journalctl -b shows that the group membership query to the LDAP server times out after 60 seconds:

```
Feb 26 01:25:45 titan systemd[1]: Reached target Network is Online.
Feb 26 01:25:45 titan systemd[1]: Starting LSB: LDAP connection daemon...
Feb 26 01:25:45 titan nslcd[441]: Starting Keep alive Kerberos ticket: k5start.
Feb 26 01:25:45 titan nslcd[455]: version 0.9.10 starting
Feb 26 01:25:45 titan nslcd[455]: accepting connections
Feb 26 01:25:45 titan nslcd[441]: Starting LDAP connection daemon: nslcd.
Feb 26 01:25:45 titan systemd[1]: Started LSB: LDAP connection daemon.
Feb 26 01:25:46 titan login[435]: pam_krb5(login:auth): authentication failure; logname=local uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Feb 26 01:25:46 titan login[435]: pam_unix(login:session): session opened for user local by LOGIN(uid=0)
Feb 26 01:25:46 titan systemd[1]: Created slice User Slice of UID 65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Runtime Directory /run/user/65533...
Feb 26 01:25:46 titan systemd-logind[428]: New session 1 of user local.
Feb 26 01:25:46 titan systemd[1]: Started User Runtime Directory /run/user/65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Manager for UID 65533...
Feb 26 01:26:11 titan login[435]: pam_systemd(login:session): Failed to create session: Connection timed out
Feb 26 01:26:46 titan dbus-daemon[426]: [system] Connection has not authenticated soon enough, closing it (auth_timeout=30000ms, elapsed: 60060ms)
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> failed to bind to LDAP server ldap://kdc-master.home.hoeft-online.de: Can't contact LDAP server: Invalid argument
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> no available LDAP server found: Can't contact LDAP server: Invalid argument
Feb 26 01:26:46 titan nslcd[455]: GSSAPI client step 1
Feb 26 01:26:46 titan systemd[468]: pam_unix(systemd-user:session): session opened for user local by (uid=0)
Feb 26 01:26:46 titan nslcd[455]: [3c9869] <group/member="local"> connected to LDAP server ldap://kdc-master.home.hoeft-online.de
Feb 26 01:26:46 titan systemd[1]: Started User Manager for UID 65533.
Feb 26 01:26:46 titan systemd[1]: Started Session 1 of user local.
```
After a few days of bug hunting I found that the option nss_initgroups_ignoreusers ALLLOCAL in /etc/nslcd.conf fixes this error. This option prevents group membership lookups via LDAP for users that are not LDAP users. That means locally registered users, such as system accounts, will not query the LDAP server.