Active Directory SSSD - access based on LDAP group - LDAP schema rfc2307bis

Tags: active-directory, ldap, sssd

I'm having trouble with access_provider=ldap in SSSD. The problem is the ldap_access_filter.

The LDAP side looks like this. User:

Group:

# allowed-group, groups, location, dc1.dc2
dn: cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc2
cn: allowed-group
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
gidNumber: 2140
description: Group description
uniqueMember: uid=username,ou=users,l=location,dc=dc1,dc=dc2
I've tried setting ldap_access_filter=uniqueMember=cn=allowed-group, but it always denies access with the following message:

(Tue Dec  5 18:22:44 2017) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=username)(objectclass=posixAccount)(uniqueMember=cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc1))][uid=username,ou=users,l=location,dc=dc1,dc=dc2].
(Tue Dec  5 18:22:44 2017) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0100): User [username@ldap] was not found with the specified filter. Denying access.
sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,nagios
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://uri
ldap_schema = rfc2307bis
ldap_search_base = l=location,dc=dc1,dc=dc2
ldap_group_object_class = groupOfUniqueNames
ldap_group_member = uniqueMember
ldap_access_order = filter, expire
ldap_account_expire_policy = shadow
ldap_access_filter = uniqueMember=cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc1
cache_credentials = true
enumerate = true
debug_level = 8
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/pki/tls/cacert.pem

Can anyone point out how to build a correct ldap_access_filter for this LDAP schema?

You need sssd to look at the user's attributes, not the group's member list, e.g.

ldap_access_filter = memberOf=cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc1

To add the memberOf attribute to user records you need the memberOf overlay (assuming your LDAP server is OpenLDAP).

Alternatively, for group-based access control you can use access_provider=simple and list the allowed groups.

Thanks, I'm using 389 DS - I enabled the memberOf plugin, which automatically populates the memberOf attribute of all users from the group's uniqueMembers. Doesn't work. Used that before, but I have to use the ldap provider to prevent password-less logins when an account has expired (via shadowExpire)
ldap_access_filter = memberOf=cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc1
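Added example (not code from the thread): a small Python check that reproduces how SSSD applies ldap_access_filter, which the log line above shows is ANDed with the user's own identity, so a uniqueMember= term can never match (that attribute lives on the group entry) while memberOf= on the user entry can. The group entry is copied from the question's LDIF; the user entry and its memberOf value are assumed, since the thread never shows the user record. It also compares the DN in the filter with the group's real DN, because the filter as posted in the config, the answer and the comment ends in dc=dc1,dc=dc1 whereas the group's DN ends in dc=dc1,dc=dc2.

```python
import re
# Constructed sample entries. The group is copied from the question's LDIF; the user entry,
# including its memberOf value, is assumed (the thread never shows the user record).
GROUP_LDIF = """dn: cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc2
cn: allowed-group
objectClass: groupOfUniqueNames
objectClass: posixGroup
gidNumber: 2140
uniqueMember: uid=username,ou=users,l=location,dc=dc1,dc=dc2
"""
USER_LDIF = """dn: uid=username,ou=users,l=location,dc=dc1,dc=dc2
uid: username
objectClass: posixAccount
memberOf: cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc2
"""

def parse_ldif(text):
    """Parse a single LDIF entry into {attribute (lowercased): [values]}; the DN is under 'dn'."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def _norm(value):
    # DN-valued attributes compare case-insensitively and ignore spaces around commas
    return re.sub(r"\s*,\s*", ",", value.strip().lower())

def matches(entry, filt):
    """Evaluate an equality-only LDAP filter, optionally wrapped in one (&...), against an entry."""
    filt = filt.strip()
    if filt.startswith("(&"):
        return all(matches(entry, t) for t in re.findall(r"\([^()]*\)", filt[2:-1]))
    attr, _, value = filt.strip("()").partition("=")
    return any(_norm(v) == _norm(value) for v in entry.get(attr.lower(), []))

def sssd_effective_filter(uid, access_filter):
    """The search SSSD logs for access_provider=ldap: the access filter ANDed with the user's identity."""
    return f"(&(uid={uid})(objectclass=posixAccount)({access_filter}))"

def access_granted(user_entry, access_filter):
    """True only if the user's OWN entry satisfies the effective filter; group attributes never count."""
    return matches(user_entry, sssd_effective_filter(user_entry["uid"][0], access_filter))

def filter_dn_matches_group(access_filter, group_entry):
    """Catch DN typos: the DN on the right of 'memberOf=' must be the group's actual DN."""
    return matches(group_entry, "(dn=" + access_filter.partition("=")[2] + ")")
GROUP, USER = parse_ldif(GROUP_LDIF), parse_ldif(USER_LDIF)
```

Run access_granted(USER, ...) with the uniqueMember= filter from the question, then with the memberOf= filter from the answer, and with the group DN corrected; only the last combination grants access.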