Pam

sssd-ldap 可以對非 posix 使用者進行身份驗證嗎?

  • January 9, 2015

我正在將密封的 MSA 從使用遷移pam_ldappam_sss(sssd-ldap)。但是,pam_sss 似乎無法在沒有uidNumbers. 我曾認為 ldap_user_object_classposixAccountto更改top可以解決此問題,但事實並非如此。具有 uidNumbers 的使用者似乎很好。雖然可以預料 sssd 需要 uidNumbers nss,但我不明白為什麼需要它們pam

系統日誌設施認證:

Aug  6 11:23:03 centos7-msa-test saslauthd[644]: pam_sss(smtp:auth): received for user non-posix-user: 10 (User not known to the underlying authentication module)

# cat /etc/pam.d/smtp
#%PAM-1.0
auth    sufficient  pam_sss.so
account sufficient  pam_sss.so

# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = pam
domains = example.com-ldap
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/example.com-ldap]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com, _srv_
ldap_user_object_class = top
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=users,dc=example,dc=com?onelevel?
ldap_group_search_base = ou=groups,dc=example,dc=com?onelevel?
ldap_schema = rfc2307bis
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt

$ ldapsearch -ZZ -h ldap.example.com -b ou=users,dc=example,dc=com -s one"(&(uid=non-posix-user)(objectClass=top))"
dn: uid=non-posix-user
objectClass: organizationalRole
objectClass: inetLocalMailRecipient
objectClass: simpleSecurityObject
objectClass: uidObject
cn: non-posix-user
mailLocalAddress: non-posix-user@example.com
mailRoutingAddress: non-posix-users@example.com
mailHost: mailstore.example.com
roleOccupant: uid=posixuser1,ou=users,dc=example,dc=com
roleOccupant: uid=posixuser2,ou=users,dc=example,dc=com
userPassword:: e1NBU0x9bm9uLXBvc2l4LXVzZXJARVhBTVBMRS5DT00K
uid: non-posix-user

目前,SSSD 只處理系統使用者,即有 ID 的使用者。ID 可以直接在 LDAP 中定義,也可以從 SID 派生。

SSSD 目前不支持您的案例,抱歉。

引用自:https://serverfault.com/questions/618493