ldapsearch finds my account/user, sssd does not
I am trying to set up a new server (Ubuntu 22.04 LTS) and authenticate users using the organisation's accounts.
This is the public documentation: https://www.hs-regensburg.de/supportwiki/doku.php?id=en:public:netz:auth .
When running ldapsearch as described in the "Troubleshooting" section, I can find my user in the form abc12345 and all the available data.
ldapsearch \
-A \
-H 'ldaps://adldap.hs-regensburg.de' \
-b 'DC=hs-regensburg,DC=de' \
-D 'abc12345@hs-regensburg.de' \
-W -z 0 -LLL -E pr=1000/noprompt sAMAccountName=abc12345
Output --> Appendix 1
However, when running getent passwd abc12345
I get no output at all; the log files are in Appendices 2-3. I would say that ldap simply does not find the given username abc12345.
Here is my sssd.conf:
[sssd]
config_file_version = 2
domains = hs-regensburg.de
[domain/hs-regensburg.de]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://adldap.hs-regensburg.de/
ldap_search_base = dc=hs-regensburg,dc=de
ldap_default_bind_dn = CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
#ldap_default_bind_dn = abc12345@hs-regensburg.de
ldap_default_authtok_type = password
ldap_default_authtok = insertPassword
cache_credentials = false
- What changes do I need to make to my sssd.conf so that sssd also finds my users the way ldapsearch does?
- What is sAMAccountName/samAccountName?
- What would be the benefit of setting up my authentication as described here: https://ubuntu.com/server/docs/service-sssd-ldap-krb
- Is the documentation provided sufficient to set up such a system?
I am grateful for any help. If you need more information from me, I will gladly provide whatever you need.
Appendix 1
Enter LDAP Password:
dn: CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
objectClass:
cn:
sn:
c:
l:
st:
title:
postalCode:
givenName:
distinguishedName:
instanceType:
whenCreated:
whenChanged:
displayName:
uSNCreated:
memberOf:
uSNChanged:
department:
proxyAddresses:
streetAddress:
name:
objectGUID:
userAccountControl:
badPwdCount:
codePage:
countryCode:
homeDirectory:
homeDrive:
badPasswordTime:
lastLogoff:
lastLogon:
pwdLastSet:
primaryGroupID:
profilePath:
objectSid:
accountExpires:
logonCount:
sAMAccountName:
sAMAccountType:
showInAddressBook:
legacyExchangeDN:
userPrincipalName:
objectCategory:
dSCorePropagationData:
lastLogonTimestamp:
uid:
mail:
uidNumber:
gidNumber:
unixHomeDirectory:
loginShell:
mDBUseDefaults:
msExchWhenMailboxCreated:
extensionAttribute9:
msExchUMDtmfMap:
msExchMailboxSecurityDescriptor:
hsrInternalMail:
msExchArchiveWarnQuota:
msExchHomeServerName:
msExchTextMessagingState:
msExchPoliciesExcluded:
msExchDumpsterQuota:
msExchRBACPolicyLink:
msExchUserAccountControl:
msExchMobileMailboxFlags:
msExchArchiveQuota:
msExchDumpsterWarningQuota:
mailNickname:
msExchUserCulture:
msExchVersion:
msExchELCMailboxFlags:
homeMDB:
msExchMailboxGuid:
msExchRecipientTypeDetails:
msExchRecipientDisplayType:
msExchCalendarLoggingQuota:
# refldaps://hs-regensburg.de/CN=Configuration,DC=hs-regensburg,DC=de
# pagedresults: cookie=
Appendix 2
root@hostname:/var/log/sssd# tail -f sssd_nss.log | grep --color 'abc12345\|$'
(2022-08-24 2:02:44): [nss] [accept_fd_handler] (0x0400): [CID#6] Client [cmd getent][uid 1001][0x55e3a007a380][21] connected!
(2022-08-24 2:02:44): [nss] [sss_cmd_get_version] (0x0200): [CID#6] Received client version [1].
(2022-08-24 2:02:44): [nss] [sss_cmd_get_version] (0x0200): [CID#6] Offered version [1].
(2022-08-24 2:02:44): [nss] [nss_getby_name] (0x0400): [CID#6] Input name: abc12345
(2022-08-24 2:02:44): [nss] [cache_req_send] (0x0400): [CID#6] CR #7: REQ_TRACE: New request [CID #6] 'User by name'
(2022-08-24 2:02:44): [nss] [cache_req_process_input] (0x0400): [CID#6] CR #7: Parsing input name [abc12345]
(2022-08-24 2:02:44): [nss] [sss_parse_name_for_domains] (0x0200): [CID#6] name 'abc12345' matched without domain, user is abc12345
(2022-08-24 2:02:44): [nss] [nss_get_object_send] (0x0400): [CID#6] Client [0x55e3a007a380][21]: sent cache request #7
(2022-08-24 2:02:44): [nss] [cache_req_set_name] (0x0400): [CID#6] CR #7: Setting name [abc12345]
(2022-08-24 2:02:44): [nss] [cache_req_select_domains] (0x0400): [CID#6] CR #7: Performing a multi-domain search
(2022-08-24 2:02:44): [nss] [cache_req_search_domains] (0x0400): [CID#6] CR #7: Search will check the cache and check the data provider
(2022-08-24 2:02:44): [nss] [cache_req_set_domain] (0x0400): [CID#6] CR #7: Using domain [hs-regensburg.de]
(2022-08-24 2:02:44): [nss] [cache_req_prepare_domain_data] (0x0400): [CID#6] CR #7: Preparing input data for domain [hs-regensburg.de] rules
(2022-08-24 2:02:44): [nss] [cache_req_search_send] (0x0400): [CID#6] CR #7: Looking up abc12345@hs-regensburg.de
(2022-08-24 2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: Checking negative cache for [abc12345@hs-regensburg.de]
(2022-08-24 2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: [abc12345@hs-regensburg.de] does not exist (negative cache)
(2022-08-24 2:02:44): [nss] [cache_req_process_result] (0x0400): [CID#6] CR #7: Finished: Not found
(2022-08-24 2:02:44): [nss] [client_recv] (0x0200): [CID#6] Client disconnected!
Appendix 3
root@hostname:/var/log/sssd# tail -f sssd_nss.log | grep abc12345
(2022-08-24 2:05:41): [nss] [nss_getby_name] (0x0400): [CID#7] Input name: abc12345
(2022-08-24 2:05:41): [nss] [cache_req_process_input] (0x0400): [CID#7] CR #8: Parsing input name [abc12345]
(2022-08-24 2:05:41): [nss] [sss_parse_name_for_domains] (0x0200): [CID#7] name 'abc12345' matched without domain, user is abc12345
(2022-08-24 2:05:41): [nss] [cache_req_set_name] (0x0400): [CID#7] CR #8: Setting name [abc12345]
(2022-08-24 2:05:41): [nss] [cache_req_search_send] (0x0400): [CID#7] CR #8: Looking up abc12345@hs-regensburg.de
(2022-08-24 2:05:41): [nss] [cache_req_search_ncache] (0x0400): [CID#7] CR #8: Checking negative cache for [abc12345@hs-regensburg.de]
(2022-08-24 2:05:41): [nss] [cache_req_search_ncache] (0x0400): [CID#7] CR #8: [abc12345@hs-regensburg.de] is not present in negative cache
(2022-08-24 2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in cache
(2022-08-24 2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Object [abc12345@hs-regensburg.de] was not found in cache
(2022-08-24 2:05:41): [nss] [cache_req_search_dp] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in data provider
(2022-08-24 2:05:41): [nss] [sss_dp_get_account_send] (0x0400): [CID#7] Creating request for [hs-regensburg.de][0x1][BE_REQ_USER][name=abc12345@hs-regensburg.de:-]
(2022-08-24 2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in cache
(2022-08-24 2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Object [abc12345@hs-regensburg.de] was not found in cache
(2022-08-24 2:05:41): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): [CID#7] CR #8: Adding [abc12345@hs-regensburg.de] to negative cache
(2022-08-24 2:05:41): [nss] [sss_ncache_set_str] (0x0400): [CID#7] Adding [NCE/USER/hs-regensburg.de/abc12345@hs-regensburg.de] to negative cache
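Added example (not part of the question above): a small parser for the sssd_nss.log trace lines quoted in Appendices 2 and 3. It follows each cache request (CR #n) through the negative cache, the cache and the data provider, so you can tell a miss that was answered from the negative cache (Appendix 2, where the backend was never asked) apart from a genuine backend miss (Appendix 3). The sample log is a constructed, trimmed copy of the lines in the question; the function and label names are my own.

```python
import re

# Constructed sample: trimmed copies of the sssd_nss.log lines quoted in the question.
SAMPLE_LOG = """\
(2022-08-24 2:02:44): [nss] [cache_req_search_send] (0x0400): [CID#6] CR #7: Looking up abc12345@hs-regensburg.de
(2022-08-24 2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: [abc12345@hs-regensburg.de] does not exist (negative cache)
(2022-08-24 2:02:44): [nss] [cache_req_process_result] (0x0400): [CID#6] CR #7: Finished: Not found
(2022-08-24 2:05:41): [nss] [cache_req_search_send] (0x0400): [CID#7] CR #8: Looking up abc12345@hs-regensburg.de
(2022-08-24 2:05:41): [nss] [cache_req_search_ncache] (0x0400): [CID#7] CR #8: [abc12345@hs-regensburg.de] is not present in negative cache
(2022-08-24 2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Object [abc12345@hs-regensburg.de] was not found in cache
(2022-08-24 2:05:41): [nss] [cache_req_search_dp] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in data provider
(2022-08-24 2:05:41): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): [CID#7] CR #8: Adding [abc12345@hs-regensburg.de] to negative cache
"""

# Only lines that belong to a cache request ("CR #n:") are of interest here.
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\): \[nss\] \[(?P<func>[^\]]+)\] \(0x[0-9a-f]+\): \[CID#\d+\] CR #(?P<cr>\d+): (?P<msg>.*)$")

# (sssd function, message fragment, stage label) for the stages that decide the outcome.
STAGES = [
    ("cache_req_search_ncache", "does not exist (negative cache)", "ncache-hit"),
    ("cache_req_search_dp", "in data provider", "asked-backend"),
    ("cache_req_search_ncache_add_to_domain", "to negative cache", "backend-miss"),
]

def trace_requests(log_text):
    """Return {cr_number: {"name": looked-up name, "stages": [labels]}} per cache request."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = requests.setdefault(int(m.group("cr")), {"name": None, "stages": []})
        func, msg = m.group("func"), m.group("msg")
        if func == "cache_req_search_send" and msg.startswith("Looking up "):
            entry["name"] = msg[len("Looking up "):]
        for stage_func, fragment, label in STAGES:
            if func == stage_func and fragment in msg:
                entry["stages"].append(label)
    return requests

def verdict(entry):
    """Diagnose one request: stale negative-cache answer, real backend miss, or unknown."""
    if "ncache-hit" in entry["stages"]:
        return "stale: answered from negative cache, backend not consulted (clear with sss_cache -E)"
    if "asked-backend" in entry["stages"]:
        return "backend miss: the LDAP search ran and returned nothing; check the domain log"
    return "incomplete trace"
```

Run `trace_requests` over a real `sssd_nss.log`, then look at `verdict` for the latest CR: only a "backend miss" tells you the sssd search filter or base (not the cache) is the problem, and the domain log (sssd_hs-regensburg.de.log) shows the filter that was actually sent.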