Auto deploy from GitHub Actions build 492
[d7a5dd6] taoky: ldap: Add sssd apparmor patch
web-flow authored Dec 26, 2024
1 parent 0dc654d commit 5e956bc
Showing 4 changed files with 85 additions and 79 deletions.
22 changes: 14 additions & 8 deletions infrastructure/ldap/index.html
Expand Up @@ -2930,7 +2930,7 @@ <h3 id="debian">Debian 配置方法<a class="headerlink" href="#debian" title="P
<p>Ref: <a href="https://packages.debian.org/trixie/sudo-ldap">https://packages.debian.org/trixie/sudo-ldap</a></p>
</div>
<h4 id="_3">软件包安装<a class="headerlink" href="#_3" title="Permanent link">&para;</a></h4>
<p>Debian 7 以上系统安装 <code>libnss-ldapd</code><code>libpam-ldapd</code><code>sssd-ldap</code><code>libsss-sudo</code></p>
<p>Debian 系统安装 <code>libnss-ldapd</code><code>libpam-ldapd</code><code>sssd-ldap</code><code>libsss-sudo</code></p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>更新这些软件包时,注意保留一个 root 终端,更新后可能需要重启 daemon 进程。</p>
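Review bot: the package list at the top of this hunk (`libnss-ldapd`, `libpam-ldapd`, `sssd-ldap`, `libsss-sudo`) installs two LDAP client stacks side by side, nslcd for NSS/PAM and sssd for sudo, and the four `<code>` elements run together with no separator in the rendered text. Consider separating them with punctuation and stating which stack is expected to answer `passwd`/`group` lookups, since both ship an NSS module and the SSSD section later in this same change still tells readers to edit `/etc/nsswitch.conf` and `/etc/nslcd.conf`; a reader who enables both in nsswitch gets two caches and two sets of failure modes.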
Expand Down Expand Up @@ -2993,7 +2993,6 @@ <h4 id="pam">PAM 配置<a class="headerlink" href="#pam" title="Permanent link">
<p>对于 Debian 7+,只需设置一处。为了登录时自动创建家目录,在 <code>/etc/pam.d/common-session</code> 中添加下面这句:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a>session<span class="w"> </span>required<span class="w"> </span>pam_mkhomedir.so<span class="w"> </span><span class="nv">skel</span><span class="o">=</span>/etc/skel<span class="w"> </span><span class="nv">umask</span><span class="o">=</span><span class="m">0022</span>
</code></pre></div>
<p>对于 Debian 5,请查阅本文档的 Git 记录。</p>
<h4 id="sssd">SSSD 配置<a class="headerlink" href="#sssd" title="Permanent link">&para;</a></h4>
<p>由于 <code>sudo-ldap</code> 未来被废弃,sudo 的配置通过 sssd 实现,参考 <a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html</a></p>
<p><code>/usr/share/doc/sssd-common/examples/sssd-example.conf</code> 复制到 <code>/etc/sssd/sssd.conf</code> 并修改权限为 600。</p>
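Review bot: with the Debian 5 line removed, the first sentence of this hunk still reads "对于 Debian 7+,只需设置一处" while the package section in the previous hunk dropped its "Debian 7 以上" qualifier; drop "7+" here as well so the two sections stay consistent. Separately, the unchanged `session required pam_mkhomedir.so skel=/etc/skel umask=0022` line creates home directories with mode 0755 (world-readable); on a shared login host `umask=0077` is the safer default unless world-readable homes are intended, and the doc should say which it wants.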
Expand Down Expand Up @@ -3033,28 +3032,35 @@ <h4 id="sssd">SSSD 配置<a class="headerlink" href="#sssd" title="Permanent lin
<p class="admonition-title"></p>
<p>需要加上 <code>[sudo]</code>,否则 sudo 配置不会生效,这个配置问题导致了修改前在 gateway-nic 上用户无法使用 sudo。</p>
</div>
<div class="admonition warning">
<p class="admonition-title">Apparmor</p>
<p>目前 Debian 打包中的 SSSD 存在一个小 bug,会导致在有 Apparmor 的系统上 kernel log 刷满 dmesg。解决方法是在 <code>/etc/apparmor.d/usr.sbin.sssd</code> 中,<code>@{PROC} r,</code> 后面加一行:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a>@{PROC}/[0-9]*/cmdline r,
</code></pre></div>
<p>然后 <code>sudo systemctl reload apparmor</code></p>
</div>
<p>另外记得像前面在 Debian 中安装介绍到的那样修改 <code>/etc/nsswitch.conf</code> 以及 <code>/etc/nslcd.conf</code>.</p>
<h3 id="nscd">NSCD 使用说明<a class="headerlink" href="#nscd" title="Permanent link">&para;</a></h3>
<p>在 SSSD 未安装的情况下,NSCD 会提供 LDAP 缓存服务。如果在使用 NSCD 的机器上需要清空 LDAP 缓存,执行以下命令:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a>nscd<span class="w"> </span>-i<span class="w"> </span>passwd
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a>nscd<span class="w"> </span>-i<span class="w"> </span>group
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a>nscd<span class="w"> </span>-i<span class="w"> </span>passwd
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a>nscd<span class="w"> </span>-i<span class="w"> </span>group
</code></pre></div>
<p>如果 SSSD 安装,<code>systemctl status sssd</code> 会显示 SSSD 与 NSCD 同时提供了相关缓存,可能存在冲突问题:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a>NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services].
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a>NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services].
</code></pre></div>
<p>需要修改 <code>/etc/nscd.conf</code>,将提及的 <code>passwd</code>, <code>group</code>, <code>netgroup</code><code>services</code><code>enable-cache</code> 设置为 <code>no</code></p>
<h2 id="ldap-cli">LDAP CLI 工具使用说明<a class="headerlink" href="#ldap-cli" title="Permanent link">&para;</a></h2>
<p>这里以 <code>ldappasswd</code> 为例,其余 ldap 系列指令与其大致相同:</p>
<p>LDAP 利用 dn 来定位一个用户,以下指令可以列出所有用户及其 dn:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a>ldapsearch<span class="w"> </span>-x<span class="w"> </span>-LLL<span class="w"> </span><span class="nv">uid</span><span class="o">=</span>*<span class="w"> </span>uid
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a>ldapsearch<span class="w"> </span>-x<span class="w"> </span>-LLL<span class="w"> </span><span class="nv">uid</span><span class="o">=</span>*<span class="w"> </span>uid
</code></pre></div>
<p><code>-x</code> 指定使用 Simple authentication,即使用密码认证。</p>
<p>如果要修改一个用户的密码,使用:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a>ldappasswd<span class="w"> </span>-x<span class="w"> </span>-D<span class="w"> </span><span class="s1">&#39;&lt;executor dn&gt;&#39;</span><span class="w"> </span>-W<span class="w"> </span>-S<span class="w"> </span><span class="s1">&#39;&lt;target user dn&gt;&#39;</span>
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a>ldappasswd<span class="w"> </span>-x<span class="w"> </span>-D<span class="w"> </span><span class="s1">&#39;&lt;executor dn&gt;&#39;</span><span class="w"> </span>-W<span class="w"> </span>-S<span class="w"> </span><span class="s1">&#39;&lt;target user dn&gt;&#39;</span>
</code></pre></div>
<p><code>-D '&lt;executor dn&gt;'</code> 指定了执行者的身份,<code>-W</code>/<code>-S</code> 指定了接下来询问执行者/目标用户的密码/旧密码。</p>
<p>需要额外注意的是,在 CLI 中添加/删除用户或更改用户密码时需要以 LDAP admin 执行,否则会有报错:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a>Insufficient access (50) additional info: no write access to parent
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a>Insufficient access (50) additional info: no write access to parent
</code></pre></div>
<p>或是其他的权限不足的错误。</p>
<h2 id="_4">部署情况<a class="headerlink" href="#_4" title="Permanent link">&para;</a></h2>
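Review bot: the new Apparmor admonition tells readers to add the rule directly to `/etc/apparmor.d/usr.sbin.sssd`, which is the packaged profile, so the edit will be lost or trigger a conffile prompt on the next `sssd` package upgrade. If the profile ends with the usual `#include <local/usr.sbin.sssd>` line, put `@{PROC}/[0-9]*/cmdline r,` in `/etc/apparmor.d/local/usr.sbin.sssd` instead, which survives upgrades. Two more things the note should carry: the denial line it fixes (presumably an `apparmor="DENIED"` entry with `profile="/usr/sbin/sssd"` naming `/proc/<pid>/cmdline`, given the rule added), so a reader can confirm it is the same issue before loosening the profile, and a check after `sudo systemctl reload apparmor` (watch `dmesg` for the denials to stop, and `aa-status` to confirm the profile is still loaded in enforce mode rather than silently dropped by a syntax error). The rule as written grants sssd read access to the cmdline of every process on the host, not only its own children; worth saying so explicitly, and worth linking the Debian bug report if one has been filed, since the text currently only calls it a "small bug".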
2 changes: 1 addition & 1 deletion search/search_index.json

Large diffs are not rendered by default.


0 comments on commit 5e956bc
