Context
I am trying to set up LDAP authentication on an Ubuntu 18.04 machine.
Steps to reproduce
To do so, I followed these steps:

- Install the packages:

    apt install sssd libpam-sss libnss-sss

- Create /etc/sssd/sssd.conf with the following content:

    [sssd]
    debug_level = 0x01E0
    services = nss, pam
    config_file_version = 2
    domains = default

    [nss]
    debug_level = 0x01E0

    [pam]
    debug_level = 0x01E0
    offline_credentials_expiration = 60

    [domain/default]
    debug_level = 0x01E0
    ldap_id_use_start_tls = False
    cache_credentials = True
    ldap_search_base = ou=department,o=company,c=country
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    access_provider = ldap
    ldap_uri = ldaps://ldap.company.country
    # bind DN and its plaintext password: the reason the file must be root-only (0600)
    ldap_default_bind_dn = cn=***,o=company,c=country
    ldap_default_authtok = *****
    # try: a bad server certificate aborts the session, but a server that presents
    # none is accepted; demand would require a valid certificate
    ldap_tls_reqcert = try
    ldap_search_timeout = 50
    ldap_network_timeout = 60
    ldap_access_order = filter
    ldap_access_filter = (objectClass=inetOrgPerson)

- Make sure only root has access to the configuration file:

    chown root:root /etc/sssd/sssd.conf
    chmod 0600 /etc/sssd/sssd.conf

- Restart the service:

    sudo systemctl restart sssd

- Make sure the service started correctly:

    sudo systemctl status sssd
    sssd.service - System Security Services Daemon
       Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
       Active: active (running) since Tue 2021-01-19 08:26:45 UTC; 1h 1min ago
     Main PID: 24043 (sssd)
        Tasks: 4 (limit: 2316)
       CGroup: /system.slice/sssd.service
               24043 /usr/sbin/sssd -i --logger=files
               24064 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain default --uid 0 --gid 0 --logger=files
               24070 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --logger=files
               24071 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --logger=files

    Jan 19 08:26:45 ubuntu1804.localdomain systemd[1]: Starting System Security Services Daemon...
    Jan 19 08:26:45 ubuntu1804.localdomain sssd[24043]: Starting up
    Jan 19 08:26:45 ubuntu1804.localdomain sssd[be[24064]: Starting up
    Jan 19 08:26:45 ubuntu1804.localdomain sssd[24070]: Starting up
    Jan 19 08:26:45 ubuntu1804.localdomain sssd[24071]: Starting up
    Jan 19 08:26:45 ubuntu1804.localdomain systemd[1]: Started System Security Services Daemon.
Troubleshooting steps
Logs
When I look at the logs, everything seems fine:
(Tue Jan 19 09:28:56 2021) [sssd] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(Tue Jan 19 09:28:56 2021) [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Tue Jan 19 09:28:56 2021) [sssd] [start_service] (0x0100): Queueing service default for startup
(Tue Jan 19 09:28:56 2021) [sssd] [client_registration] (0x0100): Received ID registration: (%BE_default,1)
(Tue Jan 19 09:28:56 2021) [sssd] [mark_service_as_started] (0x0100): Now starting services!
(Tue Jan 19 09:28:56 2021) [sssd] [start_service] (0x0100): Queueing service nss for startup
(Tue Jan 19 09:28:56 2021) [sssd] [start_service] (0x0100): Queueing service pam for startup
(Tue Jan 19 09:28:56 2021) [sssd] [client_registration] (0x0100): Received ID registration: (pam,1)
(Tue Jan 19 09:28:56 2021) [sssd] [client_registration] (0x0100): Received ID registration: (nss,1)
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [sss_dp_get_reply] (0x0100): Data Provider does not support this operation.
(Tue Jan 19 09:28:56 2021) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ldap.company.country' in files
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'ldap.company.country' as 'resolving name'
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ldap.company.country' in files
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record o 'ldap.company.country' in DNS
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'ldap.company.country' as 'name resolved'
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=***,o=company,c=country
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'ldap.company.country' as 'working'
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'ldap.company.country' as 'working'
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [be_ptask_enable] (0x0080): Task [SUDO Smart Refresh]: already enabled
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [sdap_sudo_load_sudoers_done] (0x0040): Received 0 sudo rules
(Tue Jan 19 09:29:06 2021) [sssd[be[default]]] [be_ptask_enable] (0x0080): Task [SUDO Full Refresh]: already enabled
When I try to log in with a local account (vagrant), authentication is OK:
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): user: vagrant
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.0.2.2
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 24354
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [pam_print_data] (0x0100): logon name: vagrant
(Tue Jan 19 09:39:52 2021) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Jan 19 09:39:52 2021) [sssd[be[default]]] [sysdb_get_real_name] (0x0040): Cannot find user [vagrant@default] in cache
(Tue Jan 19 09:39:52 2021) [sssd[be[default]]] [sysdb_get_real_name] (0x0040): Cannot find user [vagrant@default] in cache
So far, so good...
Now, when I try to log in with an LDAP user, I get a permission denied error:
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): user: jaep
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.0.2.2
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 24480
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [pam_print_data] (0x0100): logon name: jaep
(Tue Jan 19 09:42:27 2021) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Jan 19 09:42:27 2021) [sssd[be[default]]] [sysdb_get_real_name] (0x0040): Cannot find user [jaep@default] in cache
getent
I found the following question: Enabling OpenLDAP authentication in Ubuntu 18.04.
It suggests using

    getent passwd

to list the accounts on the machine. In my case, the vagrant user shows up:
vagrant:x:1000:1000:vagrant,,,:/home/vagrant:/bin/bash
whereas my LDAP user does not.
It seems that the system does not even try to authenticate me against the LDAP directory.
What am I missing? How can I get authentication against LDAP working?
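As an added example (not part of the original question or of the sssd project), the script below checks offline the two prerequisites that the steps in the post depend on before an LDAP account can show up in `getent passwd`: sssd will not read a configuration file that is not mode 0600, and the `sss` module from libnss-sss only answers lookups if it is listed on the passwd/group/shadow lines of /etc/nsswitch.conf. The nsswitch.conf contents and the empty sssd.conf used in the demonstration are constructed sample files, not copied from a system; the function names are my own.

```shell
#!/bin/sh
# Added example, not the original poster's code: offline checks for the
# sssd.conf permissions and for the sss entries in nsswitch.conf. Paths are
# taken as arguments so the functions can be run against sample files.

# Return 0 if the file mode is exactly 0600, which sssd requires for its
# configuration. Prints owner and mode otherwise. Uses GNU stat (Ubuntu).
conf_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    if [ "$mode" = 600 ]; then
        return 0
    fi
    echo "$1: mode $mode, owner $(stat -c '%U:%G' "$1"); want 0600 root:root" >&2
    return 1
}

# Return 0 if every one of passwd, group and shadow lists sss as a source.
# Comments are stripped first so a commented-out "sss" does not count.
nsswitch_has_sss() {
    missing=""
    for db in passwd group shadow; do
        if ! sed 's/#.*//' "$1" | grep -E "^[[:space:]]*${db}:" | grep -qw sss; then
            missing="$missing $db"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "$1: no sss source for:$missing" >&2
    return 1
}

# Run the same NSS lookup as `getent passwd <user>` in the question and
# return 0 only if a passwd entry came back for that user.
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Demonstration on constructed files (not read from the running system).
demo() {
    tmp=$(mktemp -d)
    # Modelled on the Ubuntu 18.04 default nsswitch.conf, which has no sss.
    printf 'passwd:         compat systemd\ngroup:          compat systemd\nshadow:         compat\n' > "$tmp/nsswitch.before"
    # The same databases with sss added to each of them.
    printf 'passwd:         compat sss systemd\ngroup:          compat sss systemd\nshadow:         compat sss\n' > "$tmp/nsswitch.after"
    : > "$tmp/sssd.conf"
    chmod 0644 "$tmp/sssd.conf"

    for f in "$tmp/nsswitch.before" "$tmp/nsswitch.after"; do
        if nsswitch_has_sss "$f"; then echo "$f: ok"; fi
    done
    if conf_mode_ok "$tmp/sssd.conf"; then echo "sssd.conf: ok"; fi
    chmod 0600 "$tmp/sssd.conf"
    if conf_mode_ok "$tmp/sssd.conf"; then echo "sssd.conf: ok after chmod 0600"; fi
    rm -rf "$tmp"
}

demo
```

On a live machine, run `nsswitch_has_sss /etc/nsswitch.conf` and `conf_mode_ok /etc/sssd/sssd.conf` before looking at the sssd debug logs: a missing `sss` source explains a user that is absent from `getent passwd` without sssd ever logging an LDAP search for that user.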