nss_ldap 無法綁定到 LDAP 伺服器

tag-icon tag-icon ldap pam ubuntu-20.04 pam-ldap
nss_ldap 無法綁定到 LDAP 伺服器

我已經使用 nss_ldap 配置了 ldap 客戶端(ubuntu 20.04)以連接 ldap 伺服器並接受特定群組中的用戶,似乎一切正常,客戶端可以存取 ldap 伺服器,ldap 用戶可以存取客戶端電腦。但是,當客戶端連接到 LDAP 伺服器時,我收到以下錯誤訊息:

systemd-logind: nss_ldap: failed to bind to LDAP server ldap://[IP address]: Can't contact LDAP server
systemd-logind: nss_ldap: reconnecting to LDAP server...
systemd-logind: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=com - Can't contact LDAP server
systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable

這是我的設定檔:

/etc/ldap.conf 關於該參數(nss_initgroups_ignoreusers)是自動產生的。

# The distinguished name of the search base.
base dc=example,dc=com

# Another way to specify your LDAP server is to provide an
uri ldap://[IP address]

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=example,dc=com

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5

nss_initgroups_ignoreusers _apt,backup,bin,clamav,daemon,fwupd-refresh,games,gnats,irc,landscape,list,lp,lxd,mail,man,messagebus,mysql,news,pollinate,proxy,root,sshd,sync,sys,syslog,systemd-coredump,systemd-network,systemd-resolve,systemd-timesync,tcpdump,tss,uucp,uuidd,www-data

/etc/ldap.secret--> 包含密碼。

/etc/nsswitch.conf

passwd:         files ldap systemd
group:          files ldap systemd
shadow:         files ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

/etc/pam.d/common-session

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional                        pam_ldap.so
session optional        pam_systemd.so
session required    pam_mkhomedir.so skel=/etc/skel umask=0022

/etc/security/access.conf

added this line [ -:ALL EXCEPT root khloud (ldap-group) (admin) ubuntu:ALL EXCEPT LOCAL ]

/etc/pam.d/sshd--> 取消註解以下行:

 account  required     pam_access.so

注意:我還使用 ldapsearch 測試了連接,它可以工作。

我嘗試更改 nsswitch.conf 檔案或再次重新安裝 nss_ldap 用戶端,但在一切正常的情況下我仍然收到相同的錯誤。

相關內容