Installing LDAP on Ubuntu 14.04

I am trying to configure OpenLDAP on Ubuntu Server 14.04 LTS with clients running Ubuntu 14.04 and/or Linux Mint 17. It works for the su command, for ssh and in a terminal, but it does not work on the login screen. Right after installation I can see the LDAP users on the login screen, but after a few minutes only the local users are available. /var/log/auth.log gives me:

 Feb 17 21:33:50 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
 Feb 17 21:33:50 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
 Feb 17 21:33:50 PC1 sh: nss_ldap: reconnecting to LDAP server...
 Feb 17 21:33:50 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
 Feb 17 21:33:50 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
 Feb 17 21:33:50 PC1 sh: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
 Feb 17 21:33:51 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
 Feb 17 21:33:51 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
 Feb 17 21:33:51 PC1 sh: nss_ldap: could not search LDAP server - Server is unavailable
 Feb 17 21:33:51 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
 Feb 17 21:33:51 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
 Feb 17 21:33:51 PC1 sh: nss_ldap: reconnecting to LDAP server...
 Feb 17 21:33:51 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
 Feb 17 21:33:51 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
 Feb 17 21:33:51 PC1 sh: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
 Feb 17 21:33:52 PC1 sshd[968]: Server listening on 0.0.0.0 port 22.
 Feb 17 21:33:52 PC1 sshd[968]: Server listening on :: port 22.
 Feb 17 21:33:52 PC1 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
 Feb 17 21:33:52 PC1 lightdm: PAM adding faulty module: pam_kwallet.so
 Feb 17 21:33:52 PC1 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
 Feb 17 21:33:52 PC1 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
 Feb 17 21:33:52 PC1 lightdm: PAM adding faulty module: pam_kwallet.so
 Feb 17 21:33:52 PC1 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "adminlocal"
 Feb 17 21:33:52 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
 Feb 17 21:33:52 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
 Feb 17 21:33:52 PC1 sh: nss_ldap: could not search LDAP server - Server is unavailable
 Feb 17 21:33:54 PC1 dbus[431]: [system] Rejected send message, 7 matched rules; type="method_return", sender=":1.42" (uid=0 pid=1518 comm="/usr/sbin/dnsmasq --no-resolv --keep-in-foreground") interface="(un$
 Feb 17 21:34:04 PC1 dbus[431]: [system] Rejected send message, 7 matched rules; type="method_return", sender=":1.42" (uid=0 pid=1518 comm="/usr/sbin/dnsmasq --no-resolv --keep-in-foreground") interface="(un$
 Feb 17 21:34:18 PC1 sshd[1728]: Accepted password for adminlocal from 192.168.0.53 port 61914 ssh2
 Feb 17 21:34:18 PC1 sshd[1728]: pam_unix(sshd:session): session opened for user adminlocal by (uid=0)
 Feb 17 21:34:44 PC1 sudo: pam_unix(sudo:auth): authentication failure; logname=adminlocal uid=1000 euid=0 tty=/dev/pts/1 ruser=adminlocal rhost= user=adminlocal
 Feb 17 21:34:49 PC1 sudo: adminlocal : TTY=pts/1 ; PWD=/home/adminlocal ; USER=root ; COMMAND=/usr/bin/nano /var/log/nscd.log
 Feb 17 21:34:49 PC1 sudo: pam_unix(sudo:session): session opened for user root by adminlocal(uid=0)
 Feb 17 21:34:51 PC1 sudo: pam_unix(sudo:session): session closed for user root

getent passwd shows me the LDAP users, so I think it is a lightdm problem... I have tried several guides without success. Has anyone been in the same situation? What can I do? Thank you very much. Florent


Steps to reproduce

Set a static IP:

 sudo nano /etc/network/interfaces
 […]
 auto eth0
 iface eth0 inet static
     address 192.168.0.22
     network 192.168.0.0
     netmask 255.255.255.0
     broadcast 192.168.0.255
     gateway 192.168.0.254
     dns-nameservers 8.8.8.8

Install LDAP

 sudo apt-get install slapd ldap-utils
 sudo dpkg-reconfigure slapd

No

example.com

Example Company

password x2

HDB, No, Yes, No (defaults)

Install phpldapadmin (also tried with an ldif file)

 sudo apt-get install phpldapadmin
 sudo nano /etc/phpldapadmin/config.php
 [line 161] $config->custom->appearance['hide_template_warning'] = true;
 [...]
 $servers->setValue('server','host','192.168.0.22');
 [...]
 $servers->setValue('server','base',array('dc=aldarim,dc=local'));
 [...]
 $servers->setValue('login','bind_id','cn=admin,dc=aldarim,dc=local');
 sudo nano /usr/share/phpldapadmin/lib/TemplateRender.php
 [Line 2469] $default = $this->getServer()->getValue('appearance','password_hash_custom');

Configure LDAP

http://192.168.0.22/phpldapadmin

  • Create 2 Generic: Organisational Unit => Groups & People
  • Under Groups, create 2 Posix groups => admin & employees
  • Under People, create the users

Install the LDAP client on the server

 sudo apt-get install libpam-ldap nscd

ldap://127.0.0.1

dc=example,dc=com

3, Yes, No (defaults)

cn=admin,dc=example,dc=com

admin password

 nano /etc/nsswitch.conf
 [...]
 passwd: compat ldap
 group: compat ldap
 shadow: compat ldap
 [...]
 sudo reboot

Client configuration

 sudo apt-get install libpam-ldap nscd

ldap://192.168.0.22

dc=example,dc=com

3, Yes, No (defaults)

cn=admin,dc=example,dc=com

admin password

 nano /etc/nsswitch.conf
 [...]
 passwd: compat ldap
 group: compat ldap
 shadow: compat ldap
 [...]
 sudo reboot

Alternative client configuration:

 sudo apt-get install libnss-ldap ldap-auth-config
 sudo auth-client-config -t nss -p lac_ldap
 sudo pam-auth-update

Same error...
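As an added example that is not part of the question or of any answer, the script below triages nss_ldap failures in an auth.log excerpt of the kind pasted above: it counts failed binds per LDAP URI, extracts the bind DN the client used, and splits the failures into those logged before sshd started listening (boot-order noise while the network is still coming up) and those logged afterwards (a real reachability or configuration problem). The sample log lines are constructed after the question's log, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): triage nss_ldap failures in an
# auth.log excerpt. The sample lines below are constructed to mirror the shape
# of the log in the question; on a real system feed /var/log/auth.log instead.
set -eu

SAMPLE_LOG=$(cat <<'EOF'
Feb 17 21:33:50 PC1 sh: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=local - Can't contact LDAP server
Feb 17 21:33:50 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
Feb 17 21:33:50 PC1 sh: nss_ldap: reconnecting to LDAP server...
Feb 17 21:33:51 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
Feb 17 21:33:51 PC1 sh: nss_ldap: could not search LDAP server - Server is unavailable
Feb 17 21:33:52 PC1 sshd[968]: Server listening on 0.0.0.0 port 22.
Feb 17 21:33:52 PC1 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Feb 17 21:33:52 PC1 sh: nss_ldap: failed to bind to LDAP server ldap://192.168.0.22: Can't contact LDAP server
EOF
)

# Failed binds per LDAP URI, printed as "<uri> <count>". Reads the log on stdin.
count_bind_failures() {
  awk '/nss_ldap: failed to bind to LDAP server/ {
         uri = $0
         sub(/.*failed to bind to LDAP server /, "", uri)
         sub(/: .*/, "", uri)      # drop the trailing error text
         n[uri]++
       }
       END { for (u in n) print u, n[u] }'
}

# Distinct bind DNs nss_ldap tried to use. Seeing the directory administrator
# here means NSS lookups on this client run with the admin credentials, which
# then have to be stored on the client; a read-only account is the safer choice.
bind_dns() {
  sed -n 's/.*could not connect to any LDAP server as \([^ ]*\) - .*/\1/p' | sort -u
}

# Count nss_ldap bind/search failures before and after the first sshd
# "Server listening" line, printed as "before=N after=M". Failures that occur
# only before that line happened while the network was still coming up.
nss_failures_around_sshd() {
  awk '/sshd\[[0-9]+\]: Server listening/ { up = 1 }
       /nss_ldap: (failed to bind|could not search)/ { if (up) a++; else b++ }
       END { print "before=" b+0 " after=" a+0 }'
}

# Run the three summaries over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_bind_failures
printf '%s\n' "$SAMPLE_LOG" | bind_dns
printf '%s\n' "$SAMPLE_LOG" | nss_failures_around_sshd
```

On a real client, run the same functions as `count_bind_failures < /var/log/auth.log` (and likewise for the other two); a non-zero `after=` count, as in the sample, means the failures are not just boot-order noise.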

The problem is the difference between the configurations. dc must match the domain example.com, but in phpldapadmin you configured dc as aldarim.local. Here are your settings:

LDAP configuration:

  • No
  • example.com
  • Example Company
  • password x2
  • HDB, No, Yes, No (defaults)

and the phpldapadmin configuration:

 sudo nano /etc/phpldapadmin/config.php
 [line 161] $config->custom->appearance['hide_template_warning'] = true;
 [...]
 $servers->setValue('server','host','192.168.0.22');
 [...]
 $servers->setValue('server','base',array('dc=aldarim,dc=local'));
 [...]
 $servers->setValue('login','bind_id','cn=admin,dc=aldarim,dc=local');

Here is an example of how the domain should match even when you use an IP address: see this tutorial, which shows that you can enter anything, but the two settings must match.

Change your LDAP configuration to use aldarim.local and name the company aldarim, and you should be fine. Or change the following lines to use example.com:

 $servers->setValue('server','base',array('dc=example,dc=com'));
 [...]
 $servers->setValue('login','bind_id','cn=admin,dc=example,dc=com'));

Either way, they must match.
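The mismatch the answer describes is easy to miss by eye because the same base DN is typed in three places (slapd's suffix, the client's /etc/ldap.conf written by libpam-ldap/libnss-ldap, and phpldapadmin's config.php) and DN comparison is not byte-for-byte: attribute types are case-insensitive and the spaces around `=` and `,` do not matter. As an added example that is neither the answerer's nor the questioner's code, the script below normalises the DNs and checks that all three agree. The file paths, function names and the sample config fragments created by `demo` are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer: check that the base DN is
# spelled the same in slapd, the client's /etc/ldap.conf (libnss-ldap /
# libpam-ldap) and phpldapadmin's config.php. Paths and the sample files
# written by demo() are assumptions for this example.
set -eu

# Normalise a DN for comparison: drop spaces around '=' and ',' and lowercase.
# RFC 4514 attribute types are case-insensitive and dc values are DNS labels,
# so "DC = Example, DC = COM" and "dc=example,dc=com" name the same entry.
normalize_dn() {
  printf '%s' "$1" \
    | sed -e 's/[[:space:]]*=[[:space:]]*/=/g' -e 's/[[:space:]]*,[[:space:]]*/,/g' \
    | tr 'A-Z' 'a-z'
}

# "base <dn>" line of /etc/ldap.conf (pam_ldap / nss_ldap client config).
ldapconf_base() {
  sed -n 's/^[[:space:]]*base[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" | head -n 1
}

# Base DN and bind_id from phpldapadmin's config.php.
pla_base() {
  sed -n "s/.*setValue('server','base',array('\([^']*\)')).*/\1/p" "$1" | head -n 1
}
pla_bind_id() {
  sed -n "s/.*setValue('login','bind_id','\([^']*\)').*/\1/p" "$1" | head -n 1
}

# Strip the leftmost RDN: cn=admin,dc=x,dc=y -> dc=x,dc=y
dn_parent() { printf '%s' "$1" | sed 's/^[^,]*,//'; }

# check_basedn <slapd suffix> <ldap.conf> <config.php>
# Get the slapd suffix from the server with
#   sudo slapcat -n 0 | grep olcSuffix
# or from any client with the anonymous root DSE query
#   ldapsearch -x -H ldap://192.168.0.22 -s base -b '' namingContexts
# Exit status is 0 only when every configured DN agrees with the suffix.
check_basedn() {
  suffix=$(normalize_dn "$1")
  client=$(normalize_dn "$(ldapconf_base "$2")")
  pla=$(normalize_dn "$(pla_base "$3")")
  pla_bind=$(normalize_dn "$(dn_parent "$(pla_bind_id "$3")")")
  rc=0
  for entry in "ldap.conf base|$client" "phpldapadmin base|$pla" "phpldapadmin bind_id parent|$pla_bind"; do
    name=${entry%%|*}
    dn=${entry#*|}
    if [ "$dn" = "$suffix" ]; then
      echo "OK        $name: $dn"
    else
      echo "MISMATCH  $name: $dn (slapd suffix is $suffix)"
      rc=1
    fi
  done
  return $rc
}

# Reproduce the mismatch from the question with constructed config fragments.
demo() {
  tmp=$(mktemp -d)
  printf 'base dc=example,dc=com\nuri ldap://192.168.0.22\nldap_version 3\n' > "$tmp/ldap.conf"
  cat > "$tmp/config.php" <<'EOF'
$servers->setValue('server','host','192.168.0.22');
$servers->setValue('server','base',array('dc=aldarim,dc=local'));
$servers->setValue('login','bind_id','cn=admin,dc=aldarim,dc=local');
EOF
  check_basedn 'dc=example,dc=com' "$tmp/ldap.conf" "$tmp/config.php" || echo "fix one side until all three match"
  rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check_basedn.sh demo` to see the two MISMATCH lines for the phpldapadmin entries, or call `check_basedn` with the real suffix and the real file paths on a client. One caveat on the bind DN: the log in the question shows nss_ldap binding as cn=admin. With libnss-ldap/libpam-ldap that DN and its password live in /etc/ldap.conf (binddn/bindpw, world-readable) or, for root-only lookups, /etc/ldap.secret, on every client. A dedicated read-only account, or anonymous binds if the ACLs allow them, keeps the directory administrator's password off the clients.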