SSH通过PAM进行OpenLDAP认证

两种部署方式

• libnss-ldapd + libpam-ldapd
• libnss-ldap + libpam-ldap

libnss-ldapd + libpam-ldapd(nslcd)

下载libnss-ldapd libpam-ldapd 及依赖 nslcd

root@jpvps:/var/cache/apt/archives# apt -d install libnss-ldapd
root@jpvps:/var/cache/apt/archives# apt -d  install libpam-ldapd

解压deb包查看每个包主要做了什么

例如:
dpkg -X libnss-ldapd_0.9.9-1_amd64.deb libnss 内容
dpkg -e libnss-ldapd_0.9.9-1_amd64.deb libnss/DEBIAN 控制信息

libnss-ldapd

• /etc/nsswitch.conf 增加ldap配置
• /lib/x86_64-linux-gnu/libnss_ldap.so.2

libpam-ldapd

• 基于/usr/share/pam-configs/ldap, /etc/pam.d/增加ldap相关配置
• /lib/x86_64-linux-gnu/security/pam_ldap.so

nslcd

• nslcd 守护进程
• /etc/nslcd.conf 按实际配置即可

相关deb包安装并配置后进行测试

root@jpvps:/etc/pam.d# su - tom
No directory, logging in with HOME=/
groups: cannot find name for group ID 20002
tom@jpvps:/$

自动创建家目录pam_mkhomedir.so
/etc/pam.d/common-session 增加

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

再次测试

root@jpvps:/etc/pam.d# su - tom
Creating directory '/home/tom'.
groups: cannot find name for group ID 20002
tom@jpvps:~$ ls /home/
tom

/etc/pam.d/ 配置变动

PS: nslcd自带pam模块, 不用ldap.conf配置; /etc/pam.d/相关配置其实未实际起作用

libnss_ldap + libpam_ldap

下载libnss-ldap libpam-ldap 及依赖

下载后可以看到5个deb包

root@jpvps:/var/cache/apt/archives# apt -d install libpam-ldap
root@jpvps:/var/cache/apt/archives# apt -d install libnss-ldap

同样解压分别看看每个deb包做了什么
libnss-ldap
libpam-ldap
ldap-auth-client
ldap-auth-config
aut-client

/etc/pam.d/ 变更

config=/etc/ldap.conf为手工编辑添加

diff --git a/common-account b/common-account
index 316b173..95537e3 100644
--- a/common-account
+++ b/common-account
@@ -14,7 +14,8 @@
 #

 # here are the per-package modules (the "Primary" block)
-account        [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
+account        [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
+account        [success=1 default=ignore]      pam_ldap.so
 # here's the fallback if no module succeeds
 account        requisite                       pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
diff --git a/common-auth b/common-auth
index fcaf1b3..1b89c9b 100644
--- a/common-auth
+++ b/common-auth
@@ -14,7 +14,8 @@
 # pam-auth-update(8) for details.

 # here are the per-package modules (the "Primary" block)
-auth   [success=1 default=ignore]      pam_unix.so nullok_secure
+auth   [success=2 default=ignore]      pam_unix.so nullok_secure
+auth   [success=1 default=ignore]      pam_ldap.so use_first_pass config=/etc/ldap.conf
 # here's the fallback if no module succeeds
 auth   requisite                       pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
diff --git a/common-password b/common-password
index 817f472..5f3388c 100644
--- a/common-password
+++ b/common-password
@@ -23,7 +23,8 @@

 # here are the per-package modules (the "Primary" block)
 password       requisite                       pam_cracklib.so retry=3 minlen=8 difok=3 dictpath=/usr/share/dict/common enforce_for_root
-password       [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
+password       [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
+password       [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
 # here's the fallback if no module succeeds
 password       requisite                       pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
diff --git a/common-session b/common-session
index eb99df2..b4aac56 100644
--- a/common-session
+++ b/common-session
@@ -27,5 +27,6 @@ session       required                        pam_permit.so
 session optional                       pam_umask.so
 # and here are more per-package modules (the "Additional" block)
 session        required        pam_unix.so
+session        optional                        pam_ldap.so
 session        optional        pam_systemd.so
 # end of pam-auth-update config
diff --git a/common-session-noninteractive b/common-session-noninteractive
index 1fee2c4..d125848 100644
--- a/common-session-noninteractive
+++ b/common-session-noninteractive
@@ -27,4 +27,5 @@ session       required                        pam_permit.so
 session optional                       pam_umask.so
 # and here are more per-package modules (the "Additional" block)
 session        required        pam_unix.so
+session        optional                        pam_ldap.so
 # end of pam-auth-update config

/etc/ldap.conf 内容

root@jpvps:/etc/pam.d# cat /etc/ldap.conf
uri ldapi:///127.0.0.1
ldap_version 3
base dc=intra,dc=test,dc=com
pam_login_attribute uid

nss_base_passwd ou=People,dc=intra,dc=test,dc=com?one
nss_base_shadow ou=People,dc=intra,dc=test,dc=com?one
nss_base_group  ou=Group,dc=intra,dc=test,dc=com?one
nss_initgroups_ignoreusers _apt,backup,bin,daemon,dnsmasq,games,gnats,irc,landscape,list,lp,lxd,mail,man,messagebus,news,nslcd,openldap,pollinate,proxy,root,sshd,sync,sys,syslog,systemd-network,systemd-resolve,uucp,uuidd,www-data

其中nss_initgroups_ignoreusers ...为/etc/init.d/libnss-ldap更新

/etc/nsswitch.conf 变更

passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat ldap