인증 Linux<->LDAP 프로토콜<->AD(Active Directory): 비밀번호를 사용한 로그인 실패

tag-icon tag-icon authentication pam ldap active-directory nsswitch
인증 Linux<->LDAP 프로토콜<->AD(Active Directory): 비밀번호를 사용한 로그인 실패

나는 이것에 많은 시간을 보냈고 성공적으로 (Auth)Linux-LDAP-openLDAP를 인증했습니다. 하지만 AD에 의해 차단되었습니다. 이제 루트 계정에서 사용자로 전환할 수 있지만 비밀번호로 로그인할 수 없습니다(pam_unix(sshd:auth): 인증 실패). pam 디버깅을 켜고 여기에 질문할 수 있는지 살펴보겠습니다. 도움을 받으려면 여기에 자세한 단계를 나열하고 싶습니다. userPassword(dsHeuristics를 000000001로 설정함) 또는 unixUserPassword 속성과 관련이 있는지는 확실하지 않지만 계속 조사하겠습니다.

  1. Windows Server 2012 R2(AD) 측: AD DS를 설정합니다. AD에 SSL을 활성화합니다. 설치됨UNIX ID 관리 전역 디렉터리에 속성(uidNumber, gidNumber, unixHomeDirectory)을 추가합니다.개요. 여러 사용자(luser02, 바인딩 사용자, luser03, luser04)와 그룹(unixGrp2)이 추가되었고 각각 posixAccount/posixGroup이 설정되었습니다. 이를 확인하기 위해 다음 ldapsearch을 사용하여 CentOS 6을 타겟팅할 수 있습니다.

    ldapsearch -x -H ldap://114.116.43.118:389 -D "CN=luser02,CN=Users,DC=kelamayi,DC=com" -b "DC=kelamayi,DC=com" -W sAMAccountName=luser03

    # extended LDIF
#
# LDAPv3
# base <DC=kelamayi,DC=com> with scope subtree
# filter: sAMAccountName=luser03
# requesting: ALL
#

# luser03, Users, kelamayi.com
dn: CN=luser03,CN=Users,DC=kelamayi,DC=com
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: luser03
givenName: luser03
distinguishedName: CN=luser03,CN=Users,DC=kelamayi,DC=com
instanceType: 4
whenCreated: 20180824095929.0Z
whenChanged: 20180824103333.0Z
displayName: luser03
uSNCreated: 24826
memberOf: CN=unigGrp2,DC=kelamayi,DC=com
memberOf: CN=unixGrp,DC=kelamayi,DC=com
uSNChanged: 24861
name: luser03
objectGUID:: Q/Bx5j48CEWikaDPlHoyRw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131795783694428731
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA3G4iEdoCV++319XAWgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: luser03
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=kelamayi,DC=com
dSCorePropagationData: 16010101000000.0Z
uidNumber: 20003
gidNumber: 20001
unixHomeDirectory: /home/luser03
loginShell: /bin/bash

# search reference
ref: ldap://ForestDnsZones.kelamayi.com/DC=ForestDnsZones,DC=kelamayi,DC=com

# search reference
ref: ldap://DomainDnsZones.kelamayi.com/DC=DomainDnsZones,DC=kelamayi,DC=com

# search reference
ref: ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

    Java API를 사용하여 LDAP를 통해 AD에 연결할 수도 있습니다. 효과 getent passwd도 매우 좋습니다.

    $ getent passwd luser03
luser03:*:20003:513:luser03:/home/luser03:/bin/bash
$ getent passwd 20002
luser02:*:20002:513:luser02:/home/luser02:/bin/bash
$ getent passwd 20003
luser03:*:20003:513:luser03:/home/luser03:/bin/bash

  2. Linux(CentOS 6): 아래에 첨부 파일을 나열하겠습니다.

    grep -v '^$\|^\s*\#' /etc/nslcd.conf:

    binddn CN=luser02,CN=Users,DC=kelamayi,DC=com
bindpw Passw0rd
uid nslcd
gid ldap
uri ldap://114.116.43.118:389/
base dc=kelamayi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
filter passwd (objectClass=user)
filter group  (objectClass=group)
map     passwd uid sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
map     passwd  gidNumber          primaryGroupID
map     group   uniqueMember       member

    grep -v '^$\|^\s*\#' /etc/openldap/ldap.conf:

    base dc=kelamayi,dc=com
uri ldap://114.116.43.118:389/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

    grep -v '^$\|^\s*\#' /etc/pam_ldap.conf:

    base dc=kelamayi,dc=com
uri ldap://114.116.43.118:389/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

    grep -v '^$\|^\s*\#' /etc/pam.d/system-auth:

    auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

    grep -v '^$\|^\s*\#' /etc/pam.d/password-auth:

    auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

    grep -v '^$\|^\s*\#' /etc/nsswitch:

    passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files ldap
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

  3. 테스트 및 디버깅:

    ssh -v [email protected]
nslcd -d
tail -f -n /var/log/secure

    SSH 로그:

    debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

     here pending for a while, about 10 seconds.

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
[email protected]'s password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
[email protected]'s password:

    디버깅 nslcd. 비밀번호를 입력하기 전에 로그에 "ldap_result() 시간 초과"가 왜 있는지 모르겠습니다. (이 성능 문제는 Stefan에 의해 해결되었습니다. 그에게 감사드립니다!)

    nslcd: DEBUG: add_uri(ldap://114.116.43.118:389/)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
nslcd: version 0.7.5 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections

nslcd: [8b4567] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [8b4567] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [8b4567] DEBUG: rebinding to ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com")
nslcd: [8b4567] ldap_result() timed out
nslcd: [8b4567] DEBUG: ldap_abandon()
nslcd: [8b4567] DEBUG: ldap_unbind()
nslcd: [7b23c6] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [7b23c6] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [3c9869] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [3c9869] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [3c9869] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [3c9869] DEBUG: ldap_result(): end of results
nslcd: [334873] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [334873] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [334873] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [334873] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [334873] DEBUG: ldap_result(): end of results

    /var/log/secure:

    Aug 24 19:42:07 ecs-c191-0006 sshd[2856]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=114.116.42.247  user=luser03

    다음을 통해 pam 디버깅을 활성화해 보십시오.PAM을 열어 Syslog로 디버깅, 하지만 빌드할 때 또 다른 오류가 발생했습니다.

    patching file modules/pam_unix/pam_unix_passwd.c
Hunk #1 succeeded at 233 (offset -7 lines).
patching file modules/pam_unix/pam_unix.8.xml
patching file modules/pam_unix/passverify.c
Hunk #1 succeeded at 1088 (offset -7 lines).
patching file modules/pam_unix/passverify.h
patching file modules/pam_unix/support.c
Hunk #1 FAILED at 495.
1 out of 1 hunk FAILED -- saving rejects to file modules/pam_unix/support.c.rej

답변1

getent passwd먼저, PAM 구성을 변경하기 전에 연결을 테스트하는 것이 좋습니다.

귀하의 구성을 사용하면 대기 시간이 길고 가끔 시간 초과가 발생하는 문제도 발생했습니다. base dc=kelamayi,dc=com지도별 검색 라이브러리가 아닌 검색 라이브러리로만 정의했기 때문에 이런 일이 발생한다고 생각합니다 .

~에 따르면사람 5 nslcd.conf

   base [MAP] DN
      Specifies the base distinguished name (DN) to use as search base.  This option  may
      be supplied multiple times and all specified bases will be searched.

      A  global  search  base may be specified or a MAP-specific one.  If no MAP-specific
      search bases are defined the global ones are used.

따라서 검색 속도를 높이고 시간 초과를 방지하려면 에서 다음 기반을 정의할 수 있습니다(아마도 정의해야 함) /etc/nslcd.conf.

base passwd CN=Users,DC=kelamayi,DC=com
base group  CN=unixGrp,DC=kelamayi,DC=com
base shadow CN=Users,DC=kelamayi,DC=com

또한보십시오:https://arthurde Jong.org/nss-pam-ldapd/setupLDAP를 사용한 PAM 설정에 대한 추가 정보

pam_unix.so업데이트(2020-03-20): PAM 및 LDAP에 대해 자세히 알아본 후 문의하기 전에 (nss 기능을 통해) 사용자를 인증하려고 시도하는 중에 문제가 발생할 수 있습니다 . pam_ldap.soPAM 구성에서는 순서가 중요하므로 pam_ldap.so아마도 이전이거나 사용자가 있어야 합니다 pam_unix.so. nss-pam-ldapd 웹 사이트에서 이 명령을 제안하는 이유를 모르겠습니다. 로 전환pam_localuser.sopam_unix.so/etc/passwdSSD아마도 그것은 좋은 생각일 것입니다.

관련 정보