
SSH authentication against OpenLDAP via PAM

Two deployment approaches

  • libnss-ldapd + libpam-ldapd
  • libnss-ldap + libpam-ldap

libnss-ldapd + libpam-ldapd (nslcd)

Download libnss-ldapd, libpam-ldapd and their dependency nslcd

root@jpvps:/var/cache/apt/archives# apt -d install libnss-ldapd
root@jpvps:/var/cache/apt/archives# apt -d install libpam-ldapd

Unpack the deb packages to see what each one does

For example:
dpkg -X libnss-ldapd_0.9.9-1_amd64.deb libnss          (package contents)
dpkg -e libnss-ldapd_0.9.9-1_amd64.deb libnss/DEBIAN   (control information)

libnss-ldapd

  • adds the ldap source to /etc/nsswitch.conf
  • /lib/x86_64-linux-gnu/libnss_ldap.so.2

libpam-ldapd

  • based on /usr/share/pam-configs/ldap, adds the ldap-related entries under /etc/pam.d/
  • /lib/x86_64-linux-gnu/security/pam_ldap.so

nslcd

  • the nslcd daemon
  • /etc/nslcd.conf, to be filled in according to the actual environment

After installing and configuring the packages, test:

root@jpvps:/etc/pam.d# su - tom
No directory, logging in with HOME=/
groups: cannot find name for group ID 20002
tom@jpvps:/$

Create home directories automatically with pam_mkhomedir.so
Add to /etc/pam.d/common-session:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Test again

root@jpvps:/etc/pam.d# su - tom
Creating directory '/home/tom'.
groups: cannot find name for group ID 20002
tom@jpvps:~$ ls /home/
tom

/etc/pam.d/ configuration changes

PS: nslcd ships its own PAM module and does not need an ldap.conf; the related entries in /etc/pam.d/ do not actually take effect.

libnss_ldap + libpam_ldap

Download libnss-ldap, libpam-ldap and their dependencies

After downloading you can see 5 deb packages

root@jpvps:/var/cache/apt/archives# apt -d install libpam-ldap
root@jpvps:/var/cache/apt/archives# apt -d install libnss-ldap

Likewise unpack each deb package to see what it does:

  • libnss-ldap
  • libpam-ldap
  • ldap-auth-client
  • ldap-auth-config
  • aut-client

/etc/pam.d/ changes

config=/etc/ldap.conf was added by hand

diff --git a/common-account b/common-account
index 316b173..95537e3 100644
--- a/common-account
+++ b/common-account
@@ -14,7 +14,8 @@
#

# here are the per-package modules (the "Primary" block)
-account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
+account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
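Review bot: the new `account [success=1 default=ignore] pam_ldap.so` line carries no `config=/etc/ldap.conf` argument, while the auth line in common-auth does; since the page states that `config=` had to be added by hand, an account-phase check (expiry, access restrictions) may be read from a different configuration file than authentication if the module's built-in default path differs. Suggest `account [success=1 default=ignore] pam_ldap.so config=/etc/ldap.conf` so both phases use the same file. The jump counts themselves are consistent: `success=2` on pam_unix skips pam_ldap and pam_deny, `success=1` on pam_ldap skips pam_deny.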
diff --git a/common-auth b/common-auth
index fcaf1b3..1b89c9b 100644
--- a/common-auth
+++ b/common-auth
@@ -14,7 +14,8 @@
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
-auth [success=1 default=ignore] pam_unix.so nullok_secure
+auth [success=2 default=ignore] pam_unix.so nullok_secure
+auth [success=1 default=ignore] pam_ldap.so use_first_pass config=/etc/ldap.conf
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
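Review bot: ordering matters here and should be documented: with pam_unix first and `default=ignore`, a local account that shares a username with an LDAP entry is always checked against the local password, and every failed local attempt falls through to pam_ldap, so the directory server sees a bind attempt for each mistyped local password. `use_first_pass` is the right choice for pam_ldap in this position, because pam_unix has already prompted and the user should not be asked twice; it must not be moved ahead of pam_unix without changing that option.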
diff --git a/common-password b/common-password
index 817f472..5f3388c 100644
--- a/common-password
+++ b/common-password
@@ -23,7 +23,8 @@

# here are the per-package modules (the "Primary" block)
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 dictpath=/usr/share/dict/common enforce_for_root
-password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
+password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
+password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
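Review bot: `default=die` on the pam_ldap line is deliberately stricter than the `default=ignore` on pam_unix: any pam_ldap result other than success or user_unknown aborts the stack at once, so an LDAP user whose server rejects the change gets a hard failure instead of falling through to pam_deny, which is what a password change should do but deserves a comment. Note also that `use_authtok` on pam_ldap relies on the `pam_cracklib.so` line above having already collected and checked the new password; removing or reordering that line would break LDAP password changes.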
diff --git a/common-session b/common-session
index eb99df2..b4aac56 100644
--- a/common-session
+++ b/common-session
@@ -27,5 +27,6 @@ session required pam_permit.so
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
+session optional pam_ldap.so
session optional pam_systemd.so
# end of pam-auth-update config
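Review bot: this hunk only adds `session optional pam_ldap.so`; earlier on this page the nslcd variant needed `session required pam_mkhomedir.so skel=/etc/skel/ umask=0077` in common-session because LDAP users have no local home directory (the `No directory, logging in with HOME=/` test output), and the same applies to this variant. Add the pam_mkhomedir line here too, or LDAP users will again log in with HOME=/. `optional` is the right control for pam_ldap in the session phase.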
diff --git a/common-session-noninteractive b/common-session-noninteractive
index 1fee2c4..d125848 100644
--- a/common-session-noninteractive
+++ b/common-session-noninteractive
@@ -27,4 +27,5 @@ session required pam_permit.so
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
+session optional pam_ldap.so
# end of pam-auth-update config
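Review bot: consistent with the common-session hunk, and `optional` is appropriate since a pam_ldap session failure must never block cron or other non-interactive sessions. Keep the two files in step whenever the session stack is changed again.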

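To make the jump arithmetic in the diff above concrete, here is an added example (not code from the original post) that simulates how Linux-PAM walks a Primary block. It parses the common-auth lines from the diff, followed by the `pam_deny.so` fallback and the `auth required pam_permit.so` line that Debian's pam-auth-update keeps after it (the latter is assumed from the trailing "prime the stack" comment in the hunk), and shows why pam_unix had to move from `success=1` to `success=2` when pam_ldap was inserted: with the old count a local user's success would jump straight onto pam_deny and be refused. The `all_fail_is_denied` check is a defender's sanity test that pam_deny is still reached when every module fails. All module return values are constructed; nothing talks to a real LDAP server.

```python
"""Simulate how Linux-PAM walks a Primary block such as Debian's common-auth.
Added example, not code from the page; control semantics follow pam.conf(5),
all module return values are constructed and no LDAP server is contacted."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Keyword controls written as their bracketed equivalents (pam.conf(5)).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# pam_permit always succeeds and pam_deny always fails, whatever the user does.
FIXED_RESULTS = {"pam_permit.so": "success", "pam_deny.so": "auth_err"}
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")

# common-auth Primary block as changed in the diff above, plus the pam_deny fallback
# and the pam_permit "primer" Debian keeps after it (the latter assumed from the comment).
COMMON_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass config=/etc/ldap.conf
auth requisite pam_deny.so
auth required pam_permit.so
"""
# Constructed mistakes: pam_unix left at success=1 after inserting pam_ldap; fallback dropped.
MISCOUNTED_AUTH = COMMON_AUTH.replace("success=2", "success=1", 1)
NO_FALLBACK_AUTH = COMMON_AUTH.replace("auth requisite pam_deny.so\n", "")


class Entry(NamedTuple):
    control: Dict[str, str]  # module return value -> action
    module: str


def parse_stack(text: str) -> List[Entry]:
    """Parse pam.d-style lines; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        _, ctl, module, _ = m.groups()
        if ctl.startswith("["):
            control = dict(tok.split("=", 1) for tok in ctl[1:-1].split())
        else:
            control = KEYWORD_CONTROLS[ctl]
        entries.append(Entry(control, module))
    return entries


def simulate(stack: List[Entry], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (final status, modules consulted) for the given per-module results."""
    impression, status, skip, consulted = None, None, 0, []
    for entry in stack:
        if skip:                      # skipped by an earlier success=N jump
            skip -= 1
            continue
        retval = FIXED_RESULTS.get(entry.module, results.get(entry.module, "ignore"))
        consulted.append(entry.module)
        action = entry.control.get(retval, entry.control.get("default", "ignore"))
        if action.isdigit():          # jump N: counts as ok, skips the next N entries
            skip, action = int(action), "ok"
        if action in ("bad", "die"):  # a negative impression is never overridden later
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression != "negative":
                impression, status = "positive", retval
            if action == "done":
                break
    # No module contributed a verdict: Linux-PAM reports that as a failure too.
    return (status if impression else "perm_denied"), consulted


def auth_outcome(stack_text: str, unix: str, ldap: str) -> str:
    """Final auth result when pam_unix and pam_ldap return the given codes."""
    status, _ = simulate(parse_stack(stack_text), {"pam_unix.so": unix, "pam_ldap.so": ldap})
    return status


def all_fail_is_denied(stack_text: str) -> bool:
    """Sanity check: when every Primary module fails, pam_deny must still be reached."""
    stack = parse_stack(stack_text)
    failing = {e.module: "auth_err" for e in stack if e.module not in FIXED_RESULTS}
    status, consulted = simulate(stack, failing)
    return "pam_deny.so" in consulted and status != "success"


if __name__ == "__main__":
    print("local user    :", auth_outcome(COMMON_AUTH, "success", "auth_err"))
    print("ldap user     :", auth_outcome(COMMON_AUTH, "auth_err", "success"))
    print("miscounted    :", auth_outcome(MISCOUNTED_AUTH, "success", "auth_err"))
    print("fallback check:", all_fail_is_denied(COMMON_AUTH), all_fail_is_denied(NO_FALLBACK_AUTH))
```

The simulator treats a numeric action as "ok plus skip N", records a negative impression that later successes cannot undo, and reports `perm_denied` when nothing contributed a verdict, which is how the real dispatcher behaves for these cases. Feeding it the modified stacks from the diff is a cheap way to confirm that every path ends either at `pam_permit.so` after a success or at `pam_deny.so` after failures before the files are put in place.
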
/etc/ldap.conf contents

root@jpvps:/etc/pam.d# cat /etc/ldap.conf
uri ldapi:///127.0.0.1
ldap_version 3
base dc=intra,dc=test,dc=com
pam_login_attribute uid

nss_base_passwd ou=People,dc=intra,dc=test,dc=com?one
nss_base_shadow ou=People,dc=intra,dc=test,dc=com?one
nss_base_group ou=Group,dc=intra,dc=test,dc=com?one
nss_initgroups_ignoreusers _apt,backup,bin,daemon,dnsmasq,games,gnats,irc,landscape,list,lp,lxd,mail,man,messagebus,news,nslcd,openldap,pollinate,proxy,root,sshd,sync,sys,syslog,systemd-network,systemd-resolve,uucp,uuidd,www-data

The nss_initgroups_ignoreusers ... line is populated by /etc/init.d/libnss-ldap

/etc/nsswitch.conf changes

passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat ldap