Authentication: offline authentication with ldap, pam_ccreds and nss_updatedb


I have set up a Linux machine (Debian 6.0.7) with LDAP authentication using the following configuration:

/etc/nsswitch.conf

passwd:         compat ldap [NOTFOUND=return UNAVAIL=continue] db
group:          compat ldap [NOTFOUND=return UNAVAIL=continue] db
shadow:         compat ldap

/etc/pam.d/common-account

# here are the per-package modules (the "Primary" block)
account [user_unknown=ignore authinfo_unavail=ignore default=ok]        pam_unix.so
account [success=ok user_unknown=ignore authinfo_unavail=ignore default=ignore] pam_succeed_if.so uid < 1000 debug
account [success=done default=ignore authinfo_unavail=1]     pam_ldap.so debug
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

/etc/pam.d/common-password

# here are the per-package modules (the "Primary" block)
password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 user_unknown=ignore default=die authinfo_unavail=ignore]     pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
password        optional        pam_gnome_keyring.so
# end of pam-auth-update config

/etc/pam.d/common-session

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel umask=0022
session optional        pam_ldap.so
# end of pam-auth-update config

In common-account, when the LDAP server is unavailable I have to jump to pam_permit, otherwise users with cached credentials cannot authenticate, but I don't think that is a good idea.

I also run nss_updatedb ldap to cache passwd and group.

Everything works fine, even offline authentication. The problem is when I disable a user in LDAP (by setting shadowExpire to 1). When the machine is online, the authentication system reports that the account is disabled, but when the machine is offline the disabled user can log in with the cached credentials. I believe this is because the shadow information is not cached.

Is there a way to cache the shadow information of disabled users, so that they cannot log in even when the machine is offline?

The pam_ccreds README says this is currently not supported. You could reset the user's password instead of using shadowExpire.

Thanks for sharing your configuration! I will
/etc/pam.d/common-account

account [user_unknown=ignore authinfo_unavail=ignore default=ok]        pam_unix.so

The problem is that when the LDAP server is unavailable, local users are denied even with a good password. success=done on pam_unix.so terminates the chain when pam_unix.so says OK:

account [user_unknown=ignore authinfo_unavail=ignore default=ok]        pam_unix.so
account [success=done user_unknown=ignore authinfo_unavail=ignore default=ok]        pam_unix.so
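To make the stack behaviour concrete for both the question (a disabled LDAP user still passing the account stage offline) and the answer above (success=done on pam_unix.so), here is an added Python model of Linux-PAM's [value=action] evaluation run over the question's common-account stack; it is not code from the thread or from Linux-PAM. The per-module return codes, the service_err outcome for pam_ldap.so and the skip-only treatment of numeric jumps are assumptions.

```python
# Added example (not code from Linux-PAM or from the thread): a small model of how Linux-PAM
# walks a stack of [value=action] controls (pam.conf(5)), run over the common-account stack
# from the question. Module outcomes below are constructed, not observed on a real system.
KEYWORDS = {"required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
            "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]"}
def parse_control(control):
    """'[success=done default=ignore authinfo_unavail=1]' -> {'success': 'done', ...}"""
    return dict(tok.split("=", 1) for tok in KEYWORDS.get(control, control).strip("[]").split())
def run_stack(stack, returns):
    """stack: [(control, module)]; returns: module -> simulated code. Gives the final code."""
    impression, status, skip = None, "perm_denied", 0  # PAM_MUST_FAIL_CODE until a module decides
    for control, module in stack:
        if skip:                      # skipped by a jump: the module is not executed at all
            skip -= 1
            continue
        retval = returns[module]
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done"):  # only takes over while no failure has been recorded
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):  # first failure wins; die also stops the stack
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action.isdigit():        # jump: assumed to only skip N modules and leave the
            skip = int(action)        # status untouched (hence the trailing pam_permit)
    return status                     # action "ignore": the return code does not contribute

ACCOUNT_ORIG = [("[user_unknown=ignore authinfo_unavail=ignore default=ok]", "pam_unix.so"),
                ("[success=ok user_unknown=ignore authinfo_unavail=ignore default=ignore]", "pam_succeed_if.so"),
                ("[success=done default=ignore authinfo_unavail=1]", "pam_ldap.so"),
                ("requisite", "pam_deny.so"), ("required", "pam_permit.so")]
# the second answer's variant: stop the stack as soon as pam_unix.so is satisfied
ACCOUNT_FIXED = [("[success=done user_unknown=ignore authinfo_unavail=ignore default=ok]", "pam_unix.so")] + ACCOUNT_ORIG[1:]
SCENARIOS = {  # constructed per-module outcomes; pam_succeed_if.so is the "uid < 1000" test
    "disabled user, online":  {"pam_unix.so": "acct_expired", "pam_succeed_if.so": "perm_denied", "pam_ldap.so": "acct_expired"},
    "disabled user, offline": {"pam_unix.so": "authinfo_unavail", "pam_succeed_if.so": "perm_denied", "pam_ldap.so": "authinfo_unavail"},
    "local user, LDAP down":  {"pam_unix.so": "success", "pam_succeed_if.so": "success", "pam_ldap.so": "service_err"}}
def evaluate(stack):
    deny_permit = {"pam_deny.so": "perm_denied", "pam_permit.so": "success"}
    return {name: run_stack(stack, {**mods, **deny_permit}) for name, mods in SCENARIOS.items()}

if __name__ == "__main__":
    for label, stack in (("original", ACCOUNT_ORIG), ("success=done", ACCOUNT_FIXED)):
        print(label, evaluate(stack))
```

Running it shows that both variants deny the disabled user online but admit him offline: with shadow absent from the nss_updatedb cache every module reports authinfo_unavail, the jump lands on pam_permit, and nothing is left in the stack to say the account is expired. Only the local-user case differs, which is the effect the answer above describes.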