我正在尝试在名为ldap_client的ldap-client主机上运行debian 6上的openldap服务器上的ssh身份验证.
@H_403_1@这是ldapsearch在服务器上返回的内容:
==> / var / log / syslog< ==
12月7日16:42:43 ldap slapd [963]:< = bdb_equality_candidates 原文链接:https://www.f2er.com/bash/385433.html
dn: dc=localnet,dc=lan objectClass: dcObject objectClass: organization dc: localnet o: Some_Enterprise description: localnet.lan dn: ou=people,dc=localnet,dc=lan objectClass: top objectClass: organizationalUnit ou: people dn: ou=groups,dc=lan objectClass: top objectClass: organizationalUnit ou: groups dn: uid=joe,ou=people,dc=lan objectClass: account objectClass: posixAccount cn: joe uid: joe uidNumber: 10001 gidNumber: 2000 homeDirectory: /home/joe loginShell: /bin/sh gecos: joe description: joe@H_403_1@在客户端,我已经配置了libnss-ldap和nsswitch.conf如下;
passwd: files ldap group: files ldap shadow: files ldap@H_403_1@这样客户端上的unix命令id(id joe)就会返回它的uid / gid.因此用户被ldap识别. @H_403_1@但是经过几个小时google周围,我无法使用ssh在客户端上设置身份验证. @H_403_1@我在/etc/pam.d/commun-account,commun-auth和commun-password上有这些行
auth sufficient pam_ldap.so auth required pam_unix.so nullok_secure@H_403_1@这些在/etc/pam.d/ssh上
auth sufficient /lib/security/pam_ldap.so no_warn auth required pam_unix.so no_warn try_first_pass account required /lib/security/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user account required pam_unix.so@H_403_1@我在/etc/ssh/sshd.conf上有usePam = yes. @H_403_1@以下是客户端上auth.log的输出:
==> /var/log/auth.log <== Dec 7 17:39:06 versionning sshd[3898]: pam_ldap: error trying to bind (Invalid credentials) Dec 7 17:39:06 versionning sshd[3898]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.kimsufi.com user=joe Dec 7 17:39:08 versionning sshd[3898]: Failed password for joe from a.b.c.d port 58191 ssh2@H_403_1@在服务器上:
==> / var / log / syslog< ==
12月7日16:42:43 ldap slapd [963]:< = bdb_equality_candidates 原文链接:https://www.f2er.com/bash/385433.html
