Ssh
通過 LDAP 進行身份驗證:ldap_search_ext 在哪裡定義?
有兩台 RHEL 8 伺服器是從同一個模板配置的,僅在第一台伺服器上手動完成了一些手動修復和調整。它們允許通過遠端 LDAP 伺服器進行 SSH 使用者身份驗證,並且已使用 authselect 進行配置:
authselect select sssd --force第一台伺服器執行良好,而第二台伺服器的 SSH 身份驗證失敗。我正在尋找它們之間的區別,因為它們的 LDAP、PAM、
sssd和nscd配置看起來相同。編輯 11/6:
nslcd守護程序處於非活動狀態;它具有預設配置,在兩台伺服器上都相同。
還值得注意的是,getent passwd正確返回了所有 LDAP 使用者,但這些使用者無法通過 SSH 登錄。sshd配置也是一樣的。通過閱讀
sssd日誌,我發現第一台伺服器呼叫(正確ldap_search_ext)[(&(uid=dr01)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=mydomain,dc=org]而第二個使用(失敗)搜尋
[(&(uid=dr01)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=mydomain,dc=org]因此,在第二台伺服器上,查詢包括一個額外的
(uid=*). 它還在第一次搜尋中引用了 BE_REQ_USER 與 BE_REQ_INITGROUPS(請參閱下面的日誌)。這將返回零結果。所以,我想知道呼叫
ldap_search_ext的定義在哪裡。以下是第一台伺服器的日誌摘錄:
(Fri Jun 7 15:15:46 2019) [sssd[be[mydomain.org]]] [dp_get_account_info_send] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=dr01@mydomain.org] (Fri Jun 7 15:15:46 2019) [sssd[be[mydomain.org]]] [sss_domain_get_state] (0x1000): Domain mydomain.org is Active (Fri Jun 7 15:15:46 2019) [sssd[be[mydomain.org]]] [dp_attach_req] (0x0400): DP Request [Initgroups #13]: New request. Flags [0x0001]. (Fri Jun 7 15:15:46 2019) [sssd[be[mydomain.org]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Fri Jun 7 15:15:46 2019) [sssd[be[mydomain.org]]] [sss_domain_get_state] (0x1000): Domain mydomain.org is Active (Fri Jun 7 15:15:46 2019) [sssd[be[mydomain.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=org] (Fri Jun 7 15:15:46 2019) [sssd[be[mydomain.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=dr01)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=mydomain,dc=org]. (Fri Jun 7 15:15:46 2019) [sssd[be[mydomain.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri Jun 7 15:15:46 2019) [sssd[be[mydomain.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Fri Jun 7 15:15:46 2019) [sssd[be[mydomain.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Fri Jun 7 15:15:46 2019) [sssd[be[mydomain.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Fri Jun 7 15:15:46 2019) [sssd[be[mydomain.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (...) (Fri Jun 7 15:20:50 2019) [sssd[be[mydomain.org]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.第二個:
(Fri Jun 7 15:20:50 2019) [sssd[be[mydomain.org]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=dr01@mydomain.org] (Fri Jun 7 15:20:50 2019) [sssd[be[mydomain.org]]] [dp_attach_req] (0x0400): DP Request [Account #8]: New request. Flags [0x0001]. (Fri Jun 7 15:20:50 2019) [sssd[be[mydomain.org]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Fri Jun 7 15:20:50 2019) [sssd[be[mydomain.org]]] [sss_domain_get_state] (0x1000): Domain mydomain.org is Active (Fri Jun 7 15:20:50 2019) [sssd[be[mydomain.org]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=org] (Fri Jun 7 15:20:50 2019) [sssd[be[mydomain.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=dr01)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=mydomain,dc=org]. (Fri Jun 7 15:20:50 2019) [sssd[be[mydomain.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri Jun 7 15:20:50 2019) [sssd[be[mydomain.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Fri Jun 7 15:20:50 2019) [sssd[be[mydomain.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Fri Jun 7 15:20:50 2019) [sssd[be[mydomain.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Fri Jun 7 15:20:50 2019) [sssd[be[mydomain.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
發現了問題。配置包含該
sssd行ldap_access_filter = (host=<hostname>.mydomain.org)其中hostname是每個伺服器的本地主機名。但是,LDAP 伺服器中沒有引用第二個伺服器,只有第一個被引用。在 LDAP 上為第二台服務器添加條目解決了該問題。