我已经在 Centos 7 (OpenLDAP 2.4.39) 上设置了测试 LDAP 服务器和客户端。我可以在客户端上执行 ldapsearch,但在运行“id ${USER}”时无法获得正确的身份验证。似乎有些东西没有获取正确的 TLS 证书(在客户端上?),因为当在客户端上发出“id”命令时,服务器日志显示“无证书”。以下是命令输出以及/etc/sssd/sssd.conf 和/etc/nsswitch.conf。我错过了什么?
客户端能够使用用户 dn 正确执行 ldap 搜索:
# ldapsearch -x -H ldaps://ldapserver.xxxxxxx.com -D "uid=nssproxy,ou=users,dc=xxxxxxx,dc=com" -W -d -1
...
tls_read: want=48, got=48
0000: 98 6b 1f 36 29 b7 2a 95 c9 88 5f 9b a5 d3 04 2e .k.6).*..._.....
0010: 3c 04 02 a1 b6 49 1a 40 fc ad 7e ba 62 c4 db 48 <....I.@..~.b..H
0020: 16 48 31 92 6e 8d fb f8 09 8d 47 06 5d 7f 1d 67 .H1.n.....G.]..g
TLS certificate verification: subject: CN=ldapserver.xxxxxxx.com, issuer: CN=CAcert,DC=xxxxxxx,DC=com, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache\
misses: 0, cache not reusable: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
...
返回结果:
dn: uid=nssproxy,ou=users,dc=xxxxxxx,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 1003
gidNumber: 1002
userPassword:: MTIzNDU=
cn: nssproxy
sn: nssproxy
homeDirectory: /home/nssproxy
uid: nssproxy
客户端运行“id ${USER}”命令时的服务器日志:
TLS certificate verification: subject: no certificate, issuer: no certificate, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 220, cache not reusable: 0
5534a6b6 connection_read(19): unable to get TLS client DN, error=49 id=1219
5534a6b6 conn=1219 fd=19 TLS established tls_ssf=128 ssf=128
5534a6b6 daemon: activity on 1 descriptor
5534a6b6 daemon: activity on:5534a6b6
5534a6b6 daemon: epoll: listen=8 active_threads=0 tvp=zero
客户端计算机上的/etc/sssd/sssd.conf:
# cat sssd.conf
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
[nss]
homedir_substring = /home
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,newsnsdc
[domain/default]
# comment out ldap_tls_reqcert also doesn't work
ldap_tls_reqcert = never
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=xxxxxxx,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_tls_cacert = /etc/openldap/certs/cacert.pem
ldap_uri = ldaps://ldapserver.xxxxxxx.com
ldap_id_use_start_tls = False
ldap_bind_dn = uid=nssproxy,ou=users,dc=xxxxxxx,dc=com
ldap_chpass_uri = ldaps://ldapserver.xxxxxxx.com
ldap_default_authtok_type = password
ldap_default_authtok = 12345
ldap_id_use_start_tls = False
客户端上的/etc/nsswitch.conf:
# cat /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
最佳答案
找出问题所在。由于服务器禁止匿名绑定(bind),因此需要在客户端上放置 ldap_default_bind_dn。
关于linux - OpenLDAP Centos 7 "no certificate"当客户端使用 'id ${USER}' 进行查询时,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/29742040/