Pam
sssd-ldap 可以對非 posix 使用者進行身份驗證嗎?
我正在將密封的 MSA 從使用遷移
pam_ldap
到pam_sss
(sssd-ldap)。但是,pam_sss 似乎無法在沒有uidNumbers
. 我曾認為ldap_user_object_class
從posixAccount
to更改top
可以解決此問題,但事實並非如此。具有 uidNumbers 的使用者似乎很好。雖然可以預料 sssd 需要 uidNumbersnss
,但我不明白為什麼需要它們pam
。系統日誌設施認證:
Aug 6 11:23:03 centos7-msa-test saslauthd[644]: pam_sss(smtp:auth): received for user non-posix-user: 10 (User not known to the underlying authentication module) # cat /etc/pam.d/smtp #%PAM-1.0 auth sufficient pam_sss.so account sufficient pam_sss.so # cat /etc/sssd/sssd.conf [sssd] config_file_version = 2 services = pam domains = example.com-ldap [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/example.com-ldap] id_provider = ldap auth_provider = ldap ldap_uri = ldap://ldap.example.com, _srv_ ldap_user_object_class = top ldap_search_base = dc=example,dc=com ldap_user_search_base = ou=users,dc=example,dc=com?onelevel? ldap_group_search_base = ou=groups,dc=example,dc=com?onelevel? ldap_schema = rfc2307bis ldap_id_use_start_tls = true ldap_tls_reqcert = demand ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt $ ldapsearch -ZZ -h ldap.example.com -b ou=users,dc=example,dc=com -s one"(&(uid=non-posix-user)(objectClass=top))" dn: uid=non-posix-user objectClass: organizationalRole objectClass: inetLocalMailRecipient objectClass: simpleSecurityObject objectClass: uidObject cn: non-posix-user mailLocalAddress: non-posix-user@example.com mailRoutingAddress: non-posix-users@example.com mailHost: mailstore.example.com roleOccupant: uid=posixuser1,ou=users,dc=example,dc=com roleOccupant: uid=posixuser2,ou=users,dc=example,dc=com userPassword:: e1NBU0x9bm9uLXBvc2l4LXVzZXJARVhBTVBMRS5DT00K uid: non-posix-user
目前,SSSD 只處理系統使用者,即有 ID 的使用者。ID 可以直接在 LDAP 中定義,也可以從 SID 派生。
SSSD 目前不支持您的案例,抱歉。