Problem getting vsftpd+openldap+pam unified authentication to work? Waiting online~~
The company wants to build an OpenLDAP unified-authentication database: qmail+ssh+samba+system+ftp (not passing). Only ftp has not passed. First, here are the config files and the related test parameters:
system: centos
ftp version: vsftp
ldap version: openldap
Contents of vsftpd.conf:
----------------------------------
# grep -v "#" /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
pasv_min_port=5000
pasv_max_port=5100
chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
---------------------------------------------------
vsftpd's PAM configuration:
# more /etc/pam.d/vsftpd
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so use_first_pass
account sufficient /lib/security/pam_ldap.so
password sufficient /lib/security/pam_ldap.so
session sufficient /lib/security/pam_ldap.so
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
----------------------------------------------------------
Contents of /etc/ldap.conf:
# grep -v "#" ldap.conf|uniq|sort -r
tls_cacertdir /etc/openldap/cacerts
ssl no
port 389
pam_password md5
pam_password exop
pam_password crypt
host 192.168.2.229
bindpw ftp123
binddn cn=ftpadmin,o=sinotest
base o=sinotest
-----------------------------------------------------------
Configuration of the openldap server at 192.168.2.229:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/qmailUser.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by self write
by users read
by anonymous auth
database bdb
suffix "o=sinotest"
rootdn "cn=admin,o=sinotest"
rootpw sinotest
directory /var/lib/ldap
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
----------------------------------------------------------------------
Ran the following experiments:
1. On the local machine, test whether ldapsearch can retrieve data from 192.168.2.229
Answer: everything works normally.
2. # ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.1)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): test2
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
Checking the log:
Jul 17 11:24:26 rd vsftpd(pam_unix): check pass; user unknown
Jul 17 11:24:26 rd vsftpd(pam_unix): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.1.20
Jul 17 13:08:11 rd vsftpd(pam_unix): check pass; user unknown
Jul 17 13:08:11 rd vsftpd(pam_unix): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1
It looks like it is saying the user in LDAP cannot be found. Frustrating.
Could the experts please help explain what the problem is? I have been stuck on this for a long time.
《Solution》
Jul 17 11:24:26 rd vsftpd(pam_unix): check pass; user unknown
That looks like output from pam_unix.so, not from pam_ldap.so.
Can you try changing the pam file to this:
auth required /lib/security/pam_ldap.so use_first_pass
account required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so
《Solution》
Right, required is a mandatory condition: if it is not met, it exits. sufficient is only checked in order; if one of them matches, all the following flags are ignored.
After the change there seems to be some effect. It now says it cannot bind to the LDAP server, which seems important:
Jul 17 16:07:07 rd vsftpd: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jul 17 16:07:07 rd vsftpd(pam_unix): check pass; user unknown
Jul 17 16:07:07 rd vsftpd(pam_unix): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1
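As an added illustration that is not part of this thread: a small Python model of how Linux-PAM walks the original vsftpd auth stack (sufficient pam_ldap first) versus the suggested one (required pam_ldap only). It shows why pam_unix, reached through pam_stack/system-auth, ends up in the log whenever pam_ldap does not succeed. Module names and the True/False results are constructed stand-ins for real PAM return codes, and the model is simplified (no "optional"-only stacks).

```python
# Added example (not from the thread): a simplified model of Linux-PAM
# control-flag semantics for an "auth" stack.

# The stack from the original /etc/pam.d/vsftpd (auth lines only).
ORIGINAL_STACK = [
    ("sufficient", "pam_ldap"),
    ("required", "pam_listfile"),
    ("required", "pam_stack:system-auth"),  # this is where pam_unix runs
    ("required", "pam_shells"),
]

# The stack suggested in the reply: only pam_ldap, marked required.
SUGGESTED_STACK = [
    ("required", "pam_ldap"),
]


def evaluate_auth_stack(stack, results):
    """Walk the stack top to bottom with Linux-PAM control-flag semantics.

    results maps a module name to True (PAM_SUCCESS) or False (any failure);
    a module missing from results is treated as failing.
    Returns (outcome, consulted), where consulted lists the modules that
    actually ran, which decides whose messages show up in the log.
    """
    required_failed = False
    consulted = []
    for control, module in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "required" and not ok:
            required_failed = True          # remember the failure, keep going
        elif control == "requisite" and not ok:
            return "fail", consulted        # stop immediately
        elif control == "sufficient" and ok and not required_failed:
            return "success", consulted     # skip everything below
        # "optional" modules and passing modules do not change the outcome here
    return ("fail" if required_failed else "success"), consulted


def pam_unix_would_log(stack, results):
    """True if pam_unix (via pam_stack/system-auth) is consulted at all."""
    _, consulted = evaluate_auth_stack(stack, results)
    return "pam_stack:system-auth" in consulted


if __name__ == "__main__":
    # Constructed scenario: pam_ldap cannot bind, the user is not in /etc/passwd.
    ldap_down = {"pam_ldap": False, "pam_listfile": True,
                 "pam_stack:system-auth": False, "pam_shells": True}
    print(evaluate_auth_stack(ORIGINAL_STACK, ldap_down))
    print(evaluate_auth_stack(SUGGESTED_STACK, ldap_down))
```

With the original stack, a failing pam_ldap silently falls through to pam_unix, which is why the log shows "check pass; user unknown" instead of an LDAP error; with pam_ldap alone marked required, the LDAP failure is the only thing reported.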
《Solution》
Changing the pam file like that was just to simplify things and narrow down the cause.
pam_ldap: ldap_simple_bind Can't contact LDAP server
There is a problem connecting to the ldap server. As for how pam_ldap connects to the server, I have not worked with ldap, so I am not sure.
《Solution》
Sorry, our VPN had just dropped, so it could not bind to the server. Hehe!
ldapsearch -x -b 'o=sinotest' -D "cn=admin,o=sinotest" -W -h 192.168.2.229
can find the data, so the bind should not be a problem.
After ftp localhost, looking at the log.
Log contents:
-------------------------------------------
Jul 17 16:42:42 rd vsftpd: vsftpd 關閉 succeeded
Jul 17 16:42:42 rd vsftpd: vsftpd vsftpd succeeded
Jul 17 16:42:53 rd vsftpd(pam_unix): check pass; user unknown
Jul 17 16:42:53 rd vsftpd(pam_unix): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1
《Solution》
Still waiting for everyone's help!
《Solution》
Reply to post #6 by webyuhang
Which file is this log information from? Could someone point it out? Thanks!