Offline authentication using ldap, pam_ccreds and nss_updatedb
I have set up a Linux machine (Debian 6.0.7) with LDAP authentication using the following configuration:
/etc/nsswitch.conf
passwd: compat ldap [NOTFOUND=return UNAVAIL=continue] db
group: compat ldap [NOTFOUND=return UNAVAIL=continue] db
shadow: compat ldap
/etc/pam.d/common-account
# here are the per-package modules (the "Primary" block)
account [user_unknown=ignore authinfo_unavail=ignore default=ok] pam_unix.so
account [success=ok user_unknown=ignore authinfo_unavail=ignore default=ignore] pam_succeed_if.so uid < 1000 debug
account [success=done default=ignore authinfo_unavail=1] pam_ldap.so debug
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
/etc/pam.d/common-password
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die authinfo_unavail=ignore] pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
# end of pam-auth-update config
/etc/pam.d/common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session optional pam_ldap.so
# end of pam-auth-update config
In common-account, if the LDAP server is unavailable I have to jump to pam_permit, otherwise users with cached credentials cannot authenticate, but I don't think this is a good idea.
I also run nss_updatedb ldap to cache passwd and group.
Everything works fine, even offline authentication. The problem is when I disable a user in LDAP (by setting shadowexpire to 1). When the machine is online, the authentication system reports that the account is disabled, but when the machine is offline the disabled user can log in with the cached credentials. I believe this is because the shadow information is not cached.
Is there a way to cache the shadow information of disabled users so that they cannot log in even when the machine is offline?

The pam_ccreds README says this is currently not supported. You can reset the user's password instead of using shadowexpire.

Thanks for sharing your configuration! I will change
/etc/pam.d/common-account
from
account [user_unknown=ignore authinfo_unavail=ignore default=ok] pam_unix.so
to
account [success=done user_unknown=ignore authinfo_unavail=ignore default=ok] pam_unix.so
The problem is that when the LDAP server is unavailable, local users are denied even with a good password. success=done terminates the chain when pam_unix.so says ok.
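An added example, not code from the question or either answer: a small Python model of how libpam walks one management group under the bracketed control syntax, run over the common-account stack from the question and over the same stack with the pam_unix.so line changed as in the last answer (success=done). The module return values are constructed for three scenarios (a disabled LDAP user with uid >= 1000, online and offline; a local user with LDAP down), and a jump action is modelled as skipping modules without touching the result, which matches the behaviour the question describes.

```python
# Classic control keywords as Linux-PAM expands them (pam.conf(5)).
KEYWORDS = {
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
}
# Modules whose return value never depends on the user (constructed model).
FIXED = {"pam_deny.so": "perm_denied", "pam_permit.so": "success"}

def parse_control(ctrl):
    """'required' or '[success=done default=ignore authinfo_unavail=1]' -> {value: action}."""
    return KEYWORDS.get(ctrl) or dict(pair.split("=") for pair in ctrl.strip("[]").split())

def run_stack(stack, returns):
    """Walk a stack of (control, module) pairs with the given per-module return values.
    Returns (final result, list of modules actually consulted)."""
    result, consulted, i = None, [], 0
    while i < len(stack):
        ctrl, module = stack[i]
        consulted.append(module)
        actions = parse_control(ctrl)
        rv = {**FIXED, **returns}.get(module, "success")
        action = actions.get(rv, actions["default"])
        if action in ("ok", "done"):
            result = result or "success"      # an earlier failure is never overwritten
            if action == "done":
                break                         # done: stop the stack on a positive result
        elif action in ("bad", "die"):
            result = "fail"
            if action == "die":
                break                         # die: stop the stack immediately
        elif action.isdigit():                # N: skip the next N modules, result untouched
            i += int(action)
        i += 1                                # "ignore" just moves on
    return result or "fail", consulted

# The common-account stack from the question, in file order.
QUESTION_STACK = [
    ("[user_unknown=ignore authinfo_unavail=ignore default=ok]", "pam_unix.so"),
    ("[success=ok user_unknown=ignore authinfo_unavail=ignore default=ignore]", "pam_succeed_if.so"),
    ("[success=done default=ignore authinfo_unavail=1]", "pam_ldap.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]
# The same stack with the pam_unix.so line changed as in the last answer.
ANSWER_STACK = [("[success=done user_unknown=ignore authinfo_unavail=ignore default=ok]", "pam_unix.so")] + QUESTION_STACK[1:]

# Constructed return values. The LDAP user has uid >= 1000 (pam_succeed_if fails) and no
# local shadow entry; pam_unix's user_unknown and authinfo_unavail both map to ignore here.
LDAP_USER_ONLINE = {"pam_unix.so": "user_unknown", "pam_succeed_if.so": "auth_err", "pam_ldap.so": "acct_expired"}
LDAP_USER_OFFLINE = {"pam_unix.so": "user_unknown", "pam_succeed_if.so": "auth_err", "pam_ldap.so": "authinfo_unavail"}
LOCAL_USER_OFFLINE = {"pam_unix.so": "success", "pam_succeed_if.so": "success", "pam_ldap.so": "authinfo_unavail"}
```

Running run_stack(QUESTION_STACK, LDAP_USER_OFFLINE) shows the authinfo_unavail=1 jump landing on pam_permit, which is exactly why the disabled user gets in offline; with ANSWER_STACK a local user never reaches pam_ldap.so at all.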