I am using nslcd to authenticate LDAP users on SSH login. nslcd fails to authenticate the LDAP user with the error "lookup failed: No results returned":
nslcd: [16231b] uid=omc,ou=people,ou=accounts,dc=netact,dc=net: lookup failed: No results returned
Below is the nslcd debug log from the LDAP user's login:
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_initialize(ldap://10.91.149.148/)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_rebind_proc()
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_simple_bind_s("uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldap://10.91.149.148/")
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [16231b] DEBUG: connection from pid=7465 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [16231b] <authc="omc"> DEBUG: nslcd_pam_authc("omc","sshd","***")
nslcd: [16231b] <authc="omc"> DEBUG: myldap_search(base="ou=people,ou=accounts,dc=netact,dc=net", filter="(&(objectClass=posixAccount)(uid=omc))")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [16231b] <authc="omc"> DEBUG: myldap_search(base="uid=omc,ou=people,ou=accounts,dc=netact,dc=net", filter="(objectClass=*)")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_initialize(ldap://10.91.149.148/)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_rebind_proc()
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_simple_bind_s("uid=omc,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldap://10.91.149.148/")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [16231b] <authc="omc"> uid=omc,ou=people,ou=accounts,dc=netact,dc=net: lookup failed: No results returned
nslcd: [16231b] <authc="omc"> DEBUG: ldap_unbind()
Below is nslcd.conf:
[email protected]> cat /etc/nslcd.conf
binddn uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net
bindpw l0T%OSUe_7m_1~F
tls_reqcert allow
uri ldap://10.91.149.148/
base ou=people,ou=accounts,dc=netact,dc=net
tls_cacertdir /etc/openldap/cacerts
map passwd loginShell "/usr/bin/bash"
map passwd homeDirectory "/home/$uid"
Below is nsswitch.conf:
[email protected]> cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files ldap
#initgroups: files
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
[email protected]>
Below is the PAM policy:
[email protected]> cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 dcredit=-1 ocredit=-1 ucredit=0 lcredit=0 minlen=8 maxrepeat=1 maxsequence=4 reject_username
password sufficient pam_unix.so md5 shadow try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
As far as I can see the settings are configured correctly, yet nslcd still fails to authenticate the LDAP user. Can anyone help here?
You are wasting your reputation on the wrong platform. Your question is better suited to [Server Fault](http://serverfault.com/tour) or [Unix & Linux](http://unix.stackexchange.com/tour). – Cyrus
What happens when you run the same query with ldapsearch from the command line, originating from the same host, using the same connection and authentication mechanism (which can be tricky to get exactly right) and the same credentials? Does it return anything other than an empty result? If so, please show the exact ldapsearch invocation with all its parameters. – blubberdiblub
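Reading the question's debug log the way nslcd performs a PAM authentication: it first searches for the user's DN under the configured base with the uid filter, then opens a new connection, binds as that DN with the password supplied to PAM, and finally re-reads the DN itself with a base-scope `(objectClass=*)` search. A result of "end of results (0 total)" after a bind that raised no error means the bind was accepted but the entry was not visible to the user who just bound, which is a different failure from a wrong password or a missing user. The Python script below is an added example, not part of the question or of nss-pam-ldapd: it groups the quoted log lines by request id, reconstructs those steps for each `<authc>` request and reports which step failed; it also flags a simple bind over plain `ldap://` when no STARTTLS call appears in the same request. The line formats are taken from the log quoted above; the second, healthy sample and the `ldap_start_tls_s()` debug line are assumptions, not from the page.

```python
import re
from collections import OrderedDict

# Sample input 1: lines copied from the nslcd debug log quoted in the question
# (abridged: ldap_set_option lines omitted). [b127f8] is a passwd lookup done as
# the binddn; [16231b] is the failing PAM authentication of user "omc".
QUESTION_LOG = """\
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_simple_bind_s("uid=nea7yxpm,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldap://10.91.149.148/")
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [b127f8] <passwd="omc"> DEBUG: ldap_result(): end of results (1 total)
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [16231b] <authc="omc"> DEBUG: nslcd_pam_authc("omc","sshd","***")
nslcd: [16231b] <authc="omc"> DEBUG: myldap_search(base="ou=people,ou=accounts,dc=netact,dc=net", filter="(&(objectClass=posixAccount)(uid=omc))")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [16231b] <authc="omc"> DEBUG: myldap_search(base="uid=omc,ou=people,ou=accounts,dc=netact,dc=net", filter="(objectClass=*)")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_initialize(ldap://10.91.149.148/)
nslcd: [16231b] <authc="omc"> DEBUG: ldap_simple_bind_s("uid=omc,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldap://10.91.149.148/")
nslcd: [16231b] <authc="omc"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [16231b] <authc="omc"> uid=omc,ou=people,ou=accounts,dc=netact,dc=net: lookup failed: No results returned
nslcd: [16231b] <authc="omc"> DEBUG: ldap_unbind()
"""

# Sample input 2 (constructed, not from the page): the same flow when the user can
# read its own entry after binding, here over ldaps://, so nslcd reports success.
HEALTHY_LOG = """\
nslcd: [a1b2c3] <authc="omc"> DEBUG: nslcd_pam_authc("omc","sshd","***")
nslcd: [a1b2c3] <authc="omc"> DEBUG: myldap_search(base="ou=people,ou=accounts,dc=netact,dc=net", filter="(&(objectClass=posixAccount)(uid=omc))")
nslcd: [a1b2c3] <authc="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [a1b2c3] <authc="omc"> DEBUG: myldap_search(base="uid=omc,ou=people,ou=accounts,dc=netact,dc=net", filter="(objectClass=*)")
nslcd: [a1b2c3] <authc="omc"> DEBUG: ldap_simple_bind_s("uid=omc,ou=people,ou=accounts,dc=netact,dc=net","***") (uri="ldaps://10.91.149.148/")
nslcd: [a1b2c3] <authc="omc"> DEBUG: ldap_result(): uid=omc,ou=people,ou=accounts,dc=netact,dc=net
nslcd: [a1b2c3] <authc="omc"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [a1b2c3] <authc="omc"> DEBUG: ldap_unbind()
"""

LINE_RE = re.compile(
    r'^nslcd: \[(?P<rid>[0-9a-f]+)\]'           # request id tying the lines together
    r'(?: <(?P<kind>\w+)="(?P<user>[^"]*)">)?'  # request type and user, e.g. <authc="omc">
    r'(?: DEBUG:)? (?P<msg>.*)$')
SEARCH_RE = re.compile(r'^myldap_search\(base="(?P<base>[^"]*)", filter="(?P<filter>[^"]*)"\)')
BIND_RE = re.compile(r'^ldap_simple_bind_s\("(?P<dn>[^"]*)","\*\*\*"\) \(uri="(?P<uri>[^"]*)"\)')
END_RE = re.compile(r'^ldap_result\(\): end of results \((?P<n>\d+) total\)$')
ENTRY_RE = re.compile(r'^ldap_result\(\): (?P<dn>.+)$')
FAIL_RE = re.compile(r': lookup failed: (?P<reason>.+)$')


def parse_requests(log_text):
    """Group log lines by request id and reconstruct the steps of each request."""
    requests = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a request id (accept() noise) carry nothing useful
        st = requests.setdefault(m.group('rid'), {
            'kind': None, 'user': None, 'phase': None, 'user_dn': None, 'bind_dn': None,
            'bind_uri': None, 'starttls': False, 'self_read_entries': None, 'failure': None})
        if m.group('kind'):
            st['kind'], st['user'] = m.group('kind'), m.group('user')
        msg = m.group('msg')
        if (s := SEARCH_RE.match(msg)):
            # the uid-filter search locates the DN; the password check then re-reads that DN
            # with a base-scope "(objectClass=*)" search while bound as the user
            st['phase'] = 'self_read' if s.group('filter') == '(objectClass=*)' else 'find_user'
        elif (b := BIND_RE.match(msg)):
            st['bind_dn'], st['bind_uri'] = b.group('dn'), b.group('uri')
        elif msg.startswith('ldap_start_tls_s'):  # assumed debug line emitted with ssl start_tls
            st['starttls'] = True
        elif (e := END_RE.match(msg)):
            if st['phase'] == 'self_read':
                st['self_read_entries'] = int(e.group('n'))
        elif (e := ENTRY_RE.match(msg)):
            if st['phase'] == 'find_user':
                st['user_dn'] = e.group('dn')
        elif (f := FAIL_RE.search(msg)):
            st['failure'] = f.group('reason')
    return requests


def verdict(st):
    """Say which step of an <authc> request failed, from the reconstructed steps."""
    if st['user_dn'] is None:
        return 'user not found under the search base (check base/filter in nslcd.conf)'
    if st['bind_dn'] != st['user_dn']:
        return 'no bind as the user DN was attempted'
    if st['failure'] and st['failure'] != 'No results returned':
        return 'bind or lookup error: ' + st['failure']
    if st['self_read_entries'] == 0:
        return ('bind as the user DN succeeded, but the base-scope read of that DN returned '
                'no entry: the directory hides the entry from the user itself (check server ACLs)')
    if st['self_read_entries']:
        return 'authenticated'
    return 'incomplete request (log truncated?)'


def analyse(log_text):
    """Return {request_id: {'user', 'verdict', 'transport'}} for every <authc> request."""
    out = {}
    for rid, st in parse_requests(log_text).items():
        if st['kind'] != 'authc':
            continue
        plain = st['bind_uri'] and st['bind_uri'].startswith('ldap://') and not st['starttls']
        out[rid] = {'user': st['user'], 'verdict': verdict(st),
                    'transport': 'simple bind over ldap:// without STARTTLS' if plain else 'ok'}
    return out


if __name__ == '__main__':
    for sample in (QUESTION_LOG, HEALTHY_LOG):
        for rid, r in analyse(sample).items():
            print(rid, r['user'], '->', r['verdict'], '|', r['transport'])
```

Run against the question's log this reports, for request 16231b, that the bind as `uid=omc,...` was accepted and the self-read returned nothing, which is the step to reproduce with ldapsearch: bind as the user's DN with the user's password and do a base-scope search of that same DN, not a subtree search as the service account. The transport flag is a reminder that every password in this setup crosses the wire in a simple bind over plain `ldap://`.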