
1

LDAP --.

LDAP --.
, alekseybb@mail.ru ,
2004.01.11 1
2004.07.16 2
2- :
3 3
8 . -
,

.
,
LDAP Linux,
LDAP.
.
LDAP,
. ,
,
, .
.
, - .
,
. ,
SuSE NSS LDAP PAM LDAP

PADL Software Pty Ltd
LDAP. , .

,
, .
Open Source , ,
.
, ,

. , , -

*.orig . , ,
. , ,
.
http://www.barabanov.ru
arts/LDAPremarks-draft-2.pdf.
!
GNU (GNU General Public License) GNU
GPL.

LDAP --.

1. ............................................................................................................................................3
1.1. ...............................................................................................................................3
1.2. LDAP..............................................................................................4
2. NSS...............................................................................................................................................7
2.1. NSS LDAP..........................................................................................................................7
2.2. ........................................................................................8
2.3. ...........................................................................................................12
2.4. NSS LDAP..........................................................................................................................13
2.5. NSS LDAP..............................................................................................17
3. PAM.............................................................................................................................................22
3.1. PAM LDAP........................................................................................................22
3.2. PAM LDAP.............................................................................................25
3.3. pam_unix2.........................................................................................................................26
3.4. pam_unix2...........................................................................................................................27
3.5. pam_ldap...........................................................................................................................30
3.6. pam_ldap.............................................................................................................................32
3.7. passwd pam_unix2.........................................................................................................33
3.8. passwd pam_unix2..........................................................................................................38
3.9. passwd pam_ldap............................................................................................................40
3.10. passwd pam_ldap...........................................................................................................43
3.11. PAM?...................................................................................................................................44
A. .................................................................................................................47
.1. root- LDAP.........................................................47
.2. ldapbrowser............................................................47
A.3. LDAP...........................................................................................................47
A.4. LDAP........................................................................................................48
.5. LDAP..........................................................................................................48
.6. NSS............................................................................................................................48
A.7.- PAM su..................................................................................................49
. , , .............................................................................................50
. SuSE pam-0.77.............................................................................................52
.1. ......................................................................................52
.2. .......................................................................................53
.3. ...........................................................................................................54

LDAP --.

1. .
1.1. .
. ,
. ,
,
Linux. , LDAP
, DN
(Distinguished Name) , - ,
.
. , ,
SuSE Linux v.9.0,
, ,
, . ,
SuSE v.9.0.
, 192.168.0.0/24. ,
192.168.0.1. office.localnet .
(FQDN) server.office.localnet .
.
LDAP .
, dc=office, dc=localnet,
domain_component=office, domain_component=localnet.
,
LDAP rootdn, root distinguished name,
LDAP, .
LDAP LDAP .
. ,
,
, , rootdn,

LDAP,
. , rootdn
LDAP . DN
cn=ldapadmin, dc=office, dc=localnet.
.
. .
LDAP
LDAP
LDAP-. , ldapbrowser,
, LDAP.
(proxyuser).
,
rootdn.
, ,
.

LDAP --.

.
, .
,
, .
, .
, LDAP , ,
.
1.2. LDAP.
, LDAP .
.
.
Samba3 LDAP. .
LDAP
, ,
.
server:~ # cat /etc/openldap/slapd.conf | grep -v ^# | grep -v ^$
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba3.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
modulepath      /usr/lib/openldap/modules
replogfile      /var/lib/ldap/replica.log
database        ldbm
cachesize       40000
dbcachesize     60000000
suffix          "dc=office,dc=localnet"
rootdn          "cn=ldapadmin,dc=office,dc=localnet"
rootpw          {SSHA}K6n0nTsvOWxO1xPGBN5HoZCAsaO0wV7p
directory       /var/lib/ldap
index           objectClass             eq
index           ou,cn,sn,displayName    eq,pres,sub
index           uidNumber,gidNumber     eq
index           sambaSID                eq
index           memberUID,uid           eq,pres,sub
index           sambaPrimaryGroupSID    eq
index           sambaDomainName         eq
index           default                 sub
server:~ #

rootdn secret. slapd.conf


. LDAP
, .
- . LDAP
, ,

LDAP --.


.
, Samba3.
. ,
, .
LDAP . slapd,
LDAP, slurpd, .
.
/usr/lib/openldap. ,
, /etc/openldap . LDAP
, /var/lib/ldap.
,
/var/run/slapd.
openldap2-2.1.22-65.
, SuSE v.9.0.
, -
. slackware
.
, ,
, , SuSE-
.
, ldap,
/var/run/slapd ldap.ldap .
.
server:~ # cat /etc/group | grep ^ldap:
ldap:x:70:
server:~ # cat /etc/passwd | grep ^ldap:
ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/bash
server:~ # cat /etc/shadow | grep ^ldap:
ldap:!:12097:0:99999:365:::
server:~ #

, ldap ,
.
LDAP /
etc/init.d/ldap.
, LSB, Required-Start: $local_fs. LDAP
, SQL ,
insserv Required-Start
SQL. , ,
:
server:~ # /sbin/startproc -p /var/run/slapd/slapd.pid \
$SLAPD_BIN -h "$SLAPD_URLS" \
$USER_CMD \

LDAP --.
$GROUP_CMD \
$OPENLDAP_SLAPD_PARAMS


/etc/sysconfig/openldap. ,
, ,
, :
server:~ # /sbin/startproc -p /var/run/slapd/slapd.pid \
/usr/lib/openldap/slapd -h " ldap://127.0.0.1:389/" \
-u ldap \
-g ldap

,
.
, . /etc/sysconfig/openldap
mc, ,
, YaST2.
.
, ,
. , .. ldap over IPC,
Unix domain /var/run/slapd/ldapi.
slapd , TCP
.
.
server:~ # cat /etc/sysconfig/openldap | grep -v ^# | grep -v ^$
OPENLDAP_START_LDAPS="no"
OPENLDAP_USER="ldap"
OPENLDAP_GROUP="ldap"
OPENLDAP_CHOWN_DIRS="yes"
OPENLDAP_START_LDAPI="no"
OPENLDAP_SLAPD_PARAMS=""
OPENLDAP_RUN_DB_RECOVER="no"
OPENLDAP_LDAP_INTERFACES="127.0.0.1:389"
OPENLDAP_LDAPS_INTERFACES="192.168.0.1:636"
server:~ #

.
server:~ # rcldap start
Starting ldap-server                                                  done
server:~ #

, , ,
.
server:~ # netstat -apn | grep "LISTEN.*slapd"
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN      1582/slapd
server:~ #

LDAP --.

LDAP .
2. NSS.
,
, NSS
(Name Service Switch). , ,
uid,
. , uid NSS
LDAP , uid,
, /etc/passwd,
LDAP. .
, NSS,
uid
NSS Linux.
, NSS
getpw*, getsh*, getgr*, gethost*
. NSS LDAP ,
LDAP.
NSS, ,
,
. NSS LDAP
.
2.1. NSS LDAP.
LDAP NSS nss_ldap, ,
.
server:~ # ls -l `rpm -ql nss_ldap | grep lib`
-rwxr-xr-x    1 root     root        70779 Sep 24  2003 /lib/libnss_ldap.so.2
lrwxrwxrwx    1 root     root           21 Mar 16 18:04 /usr/lib/libnss_ldap.so -> /lib/libnss_ldap.so.2
server:~ #

ldap.conf
. , ,
.
server:~ # strings `rpm -ql nss_ldap | grep lib` | grep ldap.conf
/etc/ldap.conf
/etc/ldap.conf
server:~ #

ldap.conf LDAP LDAP


.
. , .

LDAP --.

server:~ # cat /etc/ldap.conf | grep -v ^# | grep -v ^$
host            127.0.0.1:389
base            dc=office,dc=localnet
nss_base_passwd ou=People,dc=office,dc=localnet?one
nss_base_shadow ou=People,dc=office,dc=localnet?one
nss_base_group  ou=Groups,dc=office,dc=localnet?one
binddn          cn=ldapadmin,dc=office,dc=localnet
bindpw          secret
server:~ #

LDAP, ,
, , DN
, ,
. rootdn,
LDAP.
ou=People,dc=office,dc=localnet?one.
ou=People,dc=office,dc=localnet LDAP,
. ?one,
sub ( subtree), .
NSS /etc/nsswitch.conf.
. ,
, .
server:~ # cat /etc/nsswitch.conf | grep "\(^passwd\|^shadow\|^group\)"
passwd: files ldap
shadow: files ldap
group: files ldap
server:~ #

,
LDAP. ,
NSS.
. LDAP , ,
, LDAP.
. .
2.2. .
, LDAP .
, ,
,
. , , ,
root , root LDAP,
root .
. LDAP .
server:~ # cat /etc/nsswitch.conf | grep "^\(passwd\|shadow\|group\)"

LDAP --.

passwd: ldap files


shadow: ldap files
group: ldap files
server:~ #

root.
server:~ # cat >root.ldif<<EOT
> dn: uid=root,ou=People,dc=office,dc=localnet
> uid: root
> cn: root
> sn: root
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> shadowLastChange: 12089
> shadowMax: 10000
> loginShell: /bin/bash
> uidNumber: 0
> gidNumber: 0
> homeDirectory: /root
> gecos: root
> EOT
server:~ #

lroot.
server:~ # echo "userPassword: `slappasswd -h {crypt} -s lroot`" >>root.ldif
server:~ #

, .
server:~ # cat root.ldif
dn: uid=root,ou=People,dc=office,dc=localnet
uid: root
cn: root
sn: root
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 12089
shadowMax: 10000
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
userPassword: {CRYPT}.vSlVrIfg2SZ2
server:~ #

, . root
.

10

LDAP --.

server:~ # getent passwd | grep ^root


root:x:0:0:root:/root:/bin/bash
server:~ # getent shadow | grep ^root
root:xxxxxxxxxxxxx:12089:0:10000::::
server:~ #

root LDAP.
server:~ # ldapmodify -a -v -D "cn=ldapadmin,dc=office,dc=localnet" -H
ldap://localhost -x -w secret -f root.ldif
ldap_initialize( ldap://localhost )
add uid:
root
add cn:
root
add sn:
root
add objectClass:
top
inetOrgPerson
posixAccount
shadowAccount
add shadowLastChange:
12089
add shadowMax:
10000
add loginShell:
/bin/bash
add uidNumber:
0
add gidNumber:
0
add homeDirectory:
/root
add gecos:
root
add userPassword:
{CRYPT}.vSlVrIfg2SZ2
adding new entry "uid=root,ou=People,dc=office,dc=localnet"
modify complete
server:~ #

, LDAP- .
server:~ # getent passwd | grep ^root
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
server:~ # getent shadow | grep ^root
root:.vSlVrIfg2SZ2:12089::10000::::0
root:xxxxxxxxxxxxx:12089:0:10000::::
server:~ #

! root
root- LDAP.

11

LDAP --.

alekseybb@server:~> su - root
Password:
server:~ # id
uid=0(root) gid=0(root) groups=0(root),501(cvs)
server:~ #

. ,
. .
,
LDAP, ,
LDAP /var/lib/ldap, ,
offline.
, LDAP MS Windows
. , -, ,
. , -, ,
,
.
. .
LDAP ,
,
LDAP. , ,
,
, . ,
.
server:~ # cat /etc/nsswitch.conf | grep "\(^passwd\|^shadow\|^group\)"
passwd: files ldap
shadow: files ldap
group: files ldap
server:~ #

, LDAP
. LDAP .

, .
,
. ,
, .
.
, LDAP
.
, , ,
ldap.conf nsswitch.conf, .
,
. ,
(Name
Service Cache Daemon, NSCD). SuSE
.

12

LDAP --.

server:~ # rcnscd stop
Shutting down Name Service Cache Daemon                               done
server:~ #

nscd.

2.3. .
, NSS
LDAP, .
, root .
,
root .
atest
, satest.
server:~ # useradd -m -p `mkpasswd satest q1` atest
server:~ # cat /etc/passwd | grep atest
atest:x:1007:100::/home/atest:/bin/bash
server:~ #

uid, , 1007. ,
.
alekseybb@server:~> su - atest
Password:
atest@server:~> id
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17
(audio),33(video)
atest@server:~> exit
logout
alekseybb@server:~>

LDAP, ,
, latest. Samba3.
Samba3.
server:~ # /var/lib/samba/sbin/smbldap-useradd.pl -s /bin/bash atest
server:~ # /var/lib/samba/sbin/smbldap-passwd.pl atest
Changing password for atest
New password :
Retype new password :
server:~ #

, .
, .
server:~ # getent passwd | grep atest
atest:x:1007:100::/home/atest:/bin/bash

13

LDAP --.

atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ #
server:~ # getent shadow | grep atest
atest:q1MWt83DAs2IY:12615:1:99999:14:::
atest:x:::::::0
server:~ #

, uid 1002,
.
, ,
NSS LDAP
, {crypt}, Samba3 + LDAP
{ssha}. , {crypt},
shadow,
. Samba3,
,
.
server:~ # cat >change.pass.ldif<<EOT
> dn: uid=atest,ou=People,dc=office,dc=localnet
> changetype: modify
> replace: userPassword
> EOT
server:~ # echo "userPassword: `slappasswd -h {crypt} -s latest`"
>>change.pass.ldif
server:~ # cat change.pass.ldif
dn: uid=atest,ou=People,dc=office,dc=localnet
changetype: modify
replace: userPassword
userPassword: {CRYPT}HGqB6dm4QjL5Y
server:~ #
server:~ # ldapmodify -v -D "cn=ldapadmin,dc=office,dc=localnet" -H
ldap://localhost -x -w secret -f change.pass.ldif
ldap_initialize( ldap://localhost )
replace userPassword:
{CRYPT}HGqB6dm4QjL5Y
modifying entry "uid=atest,ou=People,dc=office,dc=localnet"
modify complete
server:~ #

, .
server:~ # getent shadow | grep atest
atest:q1MWt83DAs2IY:12615:1:99999:14:::
atest:HGqB6dm4QjL5Y:::::::0
server:~ #

NSS
. .
2.4. NSS LDAP.

14

LDAP --.

,
alekseybb, atest su,
satest latest. su PAM
.
server:~ # cat /etc/pam.d/su | grep -v ^# | grep -v ^$
auth     sufficient pam_rootok.so
auth     required   pam_unix2.so   nullok #set_secrpc
account  required   pam_unix2.so
password required   pam_pwcheck.so nullok
password required   pam_unix2.so   nullok use_first_pass use_authtok
session  required   pam_unix2.so   debug # none or trace
server:~ #

PAM su SuSE Linux.


, PAM LDAP
PAM
NSS.
2.4.1. nss 1.
.
. .
alekseybb@server:~> su - atest
Password:
atest@server:~> id
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17
(audio),33(video)
atest@server:~> exit
logout
alekseybb@server:~> su - atest
Password:
su:
alekseybb@server:~>


LDAP. LDAP .

LDAP , ,
LDAP .
2.4.2. nss 2.
passwd.
server:~ # cp /etc/passwd /etc/passwd.atest
server:~ # cat /etc/passwd.atest | grep -v ^atest >/etc/passwd
server:~ #
server:~ # getent passwd | grep atest
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:q1MWt83DAs2IY:12615:1:99999:14:::
atest:HGqB6dm4QjL5Y:::::::0
server:~ #

15

LDAP --.

.
alekseybb@server:~> su - atest
Password:
atest@server:~> id
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16
(dialout),17(audio),33(video)
atest@server:~>
atest@server:~> exit
logout
alekseybb@server:~> su - atest
Password:
su:
alekseybb@server:~>

,
LDAP.
,
. ,
,
NSS.
2.4.3. nss 3.
shadow.
server:~ # cp /etc/shadow /etc/shadow.atest
server:~ # cat /etc/shadow.atest | grep -v ^atest >/etc/shadow
server:~ # getent passwd | grep atest
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:HGqB6dm4QjL5Y:::::::0
server:~ #

alekseybb@server:~> su - atest
Password:
su:
alekseybb@server:~> su - atest
Password:
atest@server:~> id
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16
(dialout),17(audio),33(video)
atest@server:~> exit
logout
alekseybb@server:~>

.
LDAP.
2.4.4. nss 4.

16

LDAP --.

passwd.
server:~ # cat /etc/passwd.atest >/etc/passwd
server:~ # getent passwd | grep atest
atest:x:1007:100::/home/atest:/bin/bash
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:HGqB6dm4QjL5Y:::::::0
server:~ #

, .
alekseybb@server:~> su - atest
Password:
su:
alekseybb@server:~> su - atest
Password:
atest@server:~> id
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17
(audio),33(video)
atest@server:~> exit
logout
alekseybb@server:~>

LDAP, .
nss 3, , .
NSS .
2.4.5. nss 5.
, .
server:~ # echo "atest:*:::::::0" >>/etc/shadow
server:~ # getent passwd | grep atest
atest:x:1007:100::/home/atest:/bin/bash
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:*:::::::0
atest:HGqB6dm4QjL5Y:::::::0
server:~ #

.
alekseybb@server:~> su - atest
Password:
su:
alekseybb@server:~> su - atest
Password:
su:
alekseybb@server:~>

, atest ,
, LDAP.
.

17

LDAP --.

NSS 1

NSS 2

NSS 3

NSS 4

NSS 5

passwd

shadow

pass

shadow

shadow

LDAP

LDAP

id

passwd

LDAP

LDAP

passwd

1 5

OK

-LDAP

OK

???

OK

. , NSS
LDAP,
. LDAP
. ,
,
LDAP. 1 5.
2.5. NSS LDAP.
LDAP. LDAP
rootdn.
/etc/ldap.conf .
, rootdn LDAP,
-
LDAP.
su ,
.
server:~ # cat /etc/shadow.atest | grep -v ^atest >/etc/shadow
server:~ # cat /etc/passwd.atest | grep -v ^atest >/etc/passwd
server:~ # getent passwd | grep atest
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:HGqB6dm4QjL5Y:::::::0
server:~ #

.
alekseybb@server:~> su - atest
Password:
su:
alekseybb@server:~> su - atest
Password:
atest@server:~> id
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16
(dialout),17(audio),33(video)
atest@server:~> exit
logout
alekseybb@server:~>

18

LDAP --.

latest,
LDAP LDAP.
LDAP . rootdn
LDAP,
, ldapbrowser
.
browser. LDAP,
{crypt} .
server:~ # cat >ldapbrowser.ldiff<<EOT
> dn: cn=ldapbrowser,dc=office,dc=localnet
> cn: ldapbrowser
> sn: ldapbrowser
> objectClass: person
> objectClass: top
> EOT
server:~ # echo "userPassword:: `slappasswd -h {ssha} -s browser`"
>>ldapbrowser.ldiff
server:~ # cat ldapbrowser.ldiff
dn: cn=ldapbrowser,dc=office,dc=localnet
cn: ldapbrowser
sn: ldapbrowser
objectClass: person
objectClass: top
userPassword:: {SSHA}stfV4nrgwlBg3K4dReyUFo8KSAHqOjNo
server:~ # ldapmodify -v -a -D "cn=ldapadmin,dc=office,dc=localnet" -H
ldap://localhost -x -w secret -f ldapbrowser.ldiff
ldap_initialize( ldap://localhost )
add cn:
ldapbrowser
add sn:
ldapbrowser
add objectClass:
person
top
add userPassword:
{SSHA}stfV4nrgwlBg3K4dReyUFo8KSAHqOjNo
adding new entry "cn=ldapbrowser,dc=office,dc=localnet"
modify complete
server:~ #

ldapbrowser .
. LDAP
LDAP.
server:~ # cat /etc/openldap/slapd.conf | grep -v ^# | grep -v ^$ | sed -n "/^access/,$ p"
access to dn=".*,dc=office,dc=localnet"
        by self write
        by * read
server:~ # rcldap restart
Shutting down ldap-server                                             done
Starting ldap-server                                                  done
server:~ #

NSS LDAP , LDAP


ldapbrowser.
server:~ # cat /etc/ldap.conf | grep -v ^# | grep -v ^$
host            127.0.0.1:389
base            dc=office,dc=localnet
nss_base_passwd ou=People,dc=office,dc=localnet?one
nss_base_shadow ou=People,dc=office,dc=localnet?one
nss_base_group  ou=Groups,dc=office,dc=localnet?one
binddn          cn=ldapbrowser,dc=office,dc=localnet
bindpw          browser
server:~ #

LDAP .
server:~ # getent passwd | grep atest
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:HGqB6dm4QjL5Y:::::::0
server:~ #

, , .
alekseybb@server:~> su - atest
Password:
atest@server:~> id
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16
(dialout),17(audio),33(video)
atest@server:~> exit
logout
alekseybb@server:~>

ldapbrowser
read , atest . LDAP
: none , auth
, compare
(, , , ), search (
), read , write .
search .
alekseybb@server:~> su - atest
su: atest
alekseybb@server:~>

. .

shadow root.
server:~ # ls -als /etc/passwd
4 -rw-r--r--    1 root     root         2184 Jul 16 20:05 /etc/passwd
server:~ # ls -als /etc/shadow
4 -rw-r-----    1 root     shadow       1107 Jul 16 20:05 /etc/shadow
server:~ #

,
ldapbrowser userPassword,
. LDAP.
server:~ # cat /etc/openldap/slapd.conf | grep -v ^# | grep -v ^$ | sed -n "/^access/,$ p"
access to dn=".*,dc=office,dc=localnet" attr=userPassword
        by anonymous auth
        by self write
        by dn="cn=ldapbrowser,dc=office,dc=localnet" read
        by * none
access to dn=".*,dc=office,dc=localnet"
        by self write
        by * read
server:~ #

userPassword,
. DN ldapbrowser self,
, *, . ,
.
anonymous, ,
, ,
anonymous. LDAP ,
LDAP .
server:~ # rcldap restart
Shutting down ldap-server                                             done
Starting ldap-server                                                  done
server:~ # getent passwd | grep atest
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:HGqB6dm4QjL5Y:::::::0
server:~ #

,
.
alekseybb@server:~> su - atest
Password:
atest@server:~> id
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16
(dialout),17(audio),33(video)
atest@server:~> exit
logout
alekseybb@server:~>

. NSS
. , NSS LDAP
LDAP. NSS
LDAP , . ,
LDAP, NSS LDAP LDAP,

21

LDAP --.

,
.
, ,
rootdn .
,
LDAP .
/etc/ldap.conf ldapbrowser
. .
server:~ # cat /etc/ldap.conf | grep -v ^# | grep -v ^$
host            127.0.0.1:389
base            dc=office,dc=localnet
nss_base_passwd ou=People,dc=office,dc=localnet?one
nss_base_shadow ou=People,dc=office,dc=localnet?one
nss_base_group  ou=Groups,dc=office,dc=localnet?one
rootbinddn      cn=ldapbrowser,dc=office,dc=localnet
server:~ # echo browser >/etc/ldap.secret
server:~ # chmod 600 /etc/ldap.secret
server:~ # ls -als /etc/ldap.secret
4 -rw-------    1 root     root            8 Jul 16 21:52 /etc/ldap.secret
server:~ #

NSS
LDAP.
passwd,

. NSS LDAP
passwd,
LDAP ldapmodify, smbldap-passwd.pl .
. -
, PAM,
.
NSS .
. -, ,

. -, NSS
, ,
. , , , NSS LDAP
LDAP,
, LDAP NSS
.

22

LDAP --.

3. PAM.
PAM (Pluggable Authentication Modules)
,
Linux,
.
. NSS LDAP,
PAM , LDAP
NSS. PAM
LDAP NSS. ,
.
3.1. PAM LDAP.
PAM , . ,
LDAP ,
pam_ldap .
server:~ # ls -l `rpm -ql pam_ldap | grep lib`
-rwxr-xr-x    1 root     root        41273 Sep 24  2003 /lib/security/pam_ldap.so
server:~ #

LDAP, PAM.
PAM LDAP , NSS.
server:~ # strings `rpm -ql pam_ldap | grep lib` | grep ldap.conf
/etc/ldap.conf
server:~ #

.
.

server:~ # cat /etc/ldap.conf | grep -v ^# | grep -v ^$
host            127.0.0.1:389
base            dc=office,dc=localnet
nss_base_passwd ou=People,dc=office,dc=localnet?one
nss_base_shadow ou=People,dc=office,dc=localnet?one
nss_base_group  ou=Groups,dc=office,dc=localnet?one
rootbinddn      cn=ldapbrowser,dc=office,dc=localnet
server:~ # cat /etc/ldap.secret
browser
server:~ # ls -als /etc/ldap.secret
4 -rw-------    1 root     root            8 Jul 16 21:52 /etc/ldap.secret
server:~ #

NSS LDAP,
NSS.
server:~ # cat /etc/nsswitch.conf >/etc/nsswitch.conf.ldap
server:~ # cat /etc/nsswitch.conf.ldap | grep -v "^\(passwd\|shadow\|group\)"
>/etc/nsswitch.conf
server:~ # cat >>/etc/nsswitch.conf<<EOT

23

LDAP --.

passwd: files
shadow: files
group: files
EOT
server:~ #
server:~ # cat /etc/nsswitch.conf | grep "^\(passwd\|shadow\|group\)"
passwd: files
shadow: files
group: files
server:~ # cat /etc/nsswitch.conf >/etc/nsswitch.conf.noldap
server:~ #

, .
server:~ # getent passwd | grep atest
atest:x:1007:100::/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:v3uly2DUUdlNo:12615:1:99999:14:::
server:~ #

NSS LDAP, LDAP,


,
PAM LDAP .
PAM LDAP
, , , pam_ldap.
Linux PAM SuSE,
, -, /etc/pam.d,
.
-. PAM 4-
( PAM - facility): auth - , account , password - session .
, , PAM
.
, (PAM_SUCCESS), (PAM_AUTH_ERR),
(PAM_IGNORE) .
,
, ignore, ok,
die, , .
, ,
. :
requisite

;
required
, ;
sufficient
,
, required ,
, ;

24

LDAP --.

optional
, .
, PAM su.
server:~ # cat /etc/nsswitch.conf.noldap >/etc/nsswitch.conf
server:~ # cat /etc/shadow.atest | grep -v ^atest >/etc/shadow
server:~ # cat /etc/passwd.atest | grep -v ^atest >/etc/passwd
server:~ # cat /etc/security/pam_unix2.conf | grep -v ^# | grep -v ^$
auth:       nullok debug
account:    debug
password:   nullok debug
session:    debug none
server:~ # cat /etc/pam.d/su | grep -v ^# | grep -v ^$
auth     sufficient pam_rootok.so
auth     required   pam_unix2.so   nullok #set_secrpc
account  required   pam_unix2.so
password required   pam_pwcheck.so nullok
password required   pam_unix2.so   nullok use_first_pass use_authtok
session  required   pam_unix2.so   debug # none or trace
server:~ # getent passwd | grep atest
server:~ # getent shadow | grep atest
server:~ #

NSS LDAP , atest ,


atest LDAP
PAM LDAP. .
alekseybb@server:~> su -c "id" atest
su: atest
alekseybb@server:~>

pam_unix2 pam_ldap sufficient,



. , .
server:~ # cat /etc/pam.d/su | grep -v ^# | grep -v ^$
auth     sufficient pam_rootok.so
auth     sufficient pam_ldap.so     nullok
auth     required   pam_unix2.so    nullok #set_secrpc
account  sufficient pam_ldap.so
account  required   pam_unix2.so
password required   pam_pwcheck.so  nullok
password sufficient pam_ldap.so     nullok use_first_pass use_authtok
password required   pam_unix2.so    nullok use_first_pass use_authtok
account  sufficient pam_ldap.so
session  required   pam_unix2.so    debug # none or trace
server:~ #

atest.
alekseybb@server:~> su -c "id" atest
su: atest
alekseybb@server:~>

25

LDAP --.

, NSS LDAP
. , ,
passwd, su .
- ,
nsswitch.conf passwd .
server:~ # cat /etc/nsswitch.conf | grep ^passwd
passwd: files ldap
server:~ #

.
alekseybb@server:~> su -c "id" atest
Password:
uid=1002(atest) gid=513 =513,14(uucp),16(dialout),17(audio),33(video)
alekseybb@server:~>

shadow, , NSS ,
,
pam_ldap.
, PAM LDAP, ,
passwd NSS LDAP.
3.2. PAM LDAP.
LDAP ,
- ldapbrowser
, NSS
. NSS .
.
LDAP .
server:~ # cat /etc/openldap/slapd.conf | grep -v ^# | grep -v ^$ | sed -n "/^access/,$ p"
access to dn=".*,dc=office,dc=localnet" attr=userPassword
        by anonymous auth
        by self write
        by * none
access to dn=".*,dc=office,dc=localnet"
        by self write
        by * read
server:~ #

- . .
alekseybb@server:~> su -c "id" atest
Password:
uid=1002(atest) gid=513 =513,14(uucp),16(dialout),17(audio),33(video)
alekseybb@server:~>

. {crypt}

26

LDAP --.

NSS, . {ssha}
, smbldap-passwd.pl
.
alekseybb@server:~> su -c "id" atest
Password:
uid=1002(atest) gid=513 =513,14(uucp),16(dialout),17(audio),33(video)
alekseybb@server:~>

.
PAM LDAP:
.
, Samba3 {ssha}.
3.3. pam_unix2.
LDAP PAM, SuSE,
use_ldap pam_unix2.
pam_ldap , pam_unix2 sufficient.
, pam_unix2, /etc/security.
server:~ # cat /etc/security/pam_unix2.conf | grep -v ^# | grep -v ^$
auth:       nullok
account:
password:   nullok
session:    none
server:~ #

SuSE pam_ldap LDAP


pam_unix2 use_ldap auth, account,
password.
YaST2 .
, . use_ldap PAM-,
, pam_unix2, SuSE, session
. debug,
PAM su.
auth session. Password , ,
, , - .
server:~ # cat /etc/security/pam_unix2.conf | grep -v ^# | grep -v ^$
auth:       nullok use_ldap
account:    use_ldap
password:   nullok use_ldap
session:    none
server:~ #

/etc/pam.d/su .
server:~ # cat /etc/pam.d/su | grep -v ^# | grep -v ^$
auth     sufficient pam_rootok.so
auth     required   pam_unix2.so   nullok #set_secrpc
account  required   pam_unix2.so
password required   pam_pwcheck.so nullok
password required   pam_unix2.so   nullok use_first_pass use_authtok
session  required   pam_unix2.so   debug # none or trace
server:~ #

pam_unix2.
alekseybb@server:~> su -c "id" atest
Password:
uid=1002(atest) gid=513 =513,14(uucp),16(dialout),17(audio),33(video)
alekseybb@server:~>

,
-.
3.4. pam_unix2.
, NSS,
, , .
3.4.1. unix2 1.
.
server:~ # cat /etc/passwd.atest >/etc/passwd
server:~ # cat /etc/shadow.atest >/etc/shadow
server:~ # getent passwd | grep atest
atest:x:1007:100::/home/atest:/bin/bash
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:q1MWt83DAs2IY:12615:1:99999:14:::
server:~ #

.
alekseybb@server:~> su -c "id" atest
Password:
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17(audio),33(video)
alekseybb@server:~>
alekseybb@server:~> su -c "id" atest
Password:
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17(audio),33(video)
alekseybb@server:~>

, ! LDAP .
3.4.2. unix2 2.
passwd.

28

LDAP --.

server:~ # cat /etc/passwd.atest | grep -v atest >/etc/passwd


server:~ # getent passwd | grep atest
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:q1MWt83DAs2IY:12615:1:99999:14:::
server:~ #

.
alekseybb@server:~> su -c "id" atest
Password:
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16(dialout),17(audio),33(video)
alekseybb@server:~> su -c "id" atest
Password:
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16(dialout),17(audio),33(video)
alekseybb@server:~>

LDAP . ,
,
-
.
3.4.3. unix2 3.
shadow.
server:~ # cat /etc/shadow.atest | grep -v ^atest >/etc/shadow
server:~ # getent passwd | grep atest
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
server:~ #

.
alekseybb@server:~> su -c "id" atest
Password:
su:
alekseybb@server:~> su -c "id" atest
Password:
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16
(dialout),17(audio),33(video)
alekseybb@server:~>

, ,
LDAP.
3.4.4. unix2 4.
passwd.
server:~ # cat /etc/passwd.atest >/etc/passwd

29

LDAP --.

server:~ # getent passwd | grep atest


atest:x:1007:100::/home/atest:/bin/bash
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
server:~ #

.
alekseybb@server:~> su -c "id" atest
Password:
su:
alekseybb@server:~> su -c "id" atest
Password:
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17
(audio),33(video)
alekseybb@server:~>

, ,
.
3.4.5. unix2 5.
, .
server:~ # cat /etc/shadow.atest | grep -v ^atest >/etc/shadow
server:~ # echo "atest:*:::::::" >>/etc/shadow
server:~ # getent passwd | grep atest
atest:x:1007:100::/home/atest:/bin/bash
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:*:::::::
server:~ #

.
alekseybb@server:~> su -c "id" atest
Password:
su:
alekseybb@server:~> su -c "id" atest
Password:
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17
(audio),33(video)
alekseybb@server:~>

. .
.
, NSS LDAP.

30

LDAP --.
unix2 1

unix2 2

unix2 3

unix2 4

unix2 5

passwd

shadow

pass

LDAP

LDAP

LDAP

id

passwd

LDAP

LDAP

passwd

passwd

4 5

-passwd

-LDAP

OK

-passwd

-passwd

. use_ldap pam_unix2,
SuSE, , YaST2, .
, LDAP,
, LDAP . 4 5.
3.5. pam_ldap.
LDAP PAM,
pam_ldap.
, system-auth, pam_ldap
, - ,
LDAP. SuSE .
su, -
su.
pam_ldap sufficient
, , ,
pam_unix2 use_ldap . ,
sufficient .
. sufficient : success=done,
new_authtok_reqd=done, default=ignore.
, ,
.
. - su
.
<task>  sufficient  pam_unix2.so
<task>  sufficient  pam_ldap.so
<task>  required    pam_deny.so

.
<task>  sufficient  pam_unix2.so
<task>  required    pam_ldap.so

, LDAP,
, , . sufficient
.
, ,
required. :

31

LDAP --.

[success=done new_authtok_reqd=done user_unknown=ignore default=bad]


su
- , ,
LDAP pam_unix2.
:
[success=done new_authtok_reqd=done user_unknown=ignore authinfo_unavail=ignore
default=bad]
, pam_unix2 ,
. !
SuSE, pam_unix2,
PAM_AUTH_ERR,
.
. .
,
pam_unix2, YaST
pam_unix2, SuSE pam_unix ,
pam_unix2.
server:~ # ls -il /lib/security/pam_unix*.so
112340 -rwxr-xr-x    2 root     root        47468 Sep 23  2003 /lib/security/pam_unix.so
112340 -rwxr-xr-x    2 root     root        47468 Sep 23  2003 /lib/security/pam_unix2.so
112329 -rwxr-xr-x    4 root     root        51566 Sep 23  2003 /lib/security/pam_unix_acct.so
112329 -rwxr-xr-x    4 root     root        51566 Sep 23  2003 /lib/security/pam_unix_auth.so
112329 -rwxr-xr-x    4 root     root        51566 Sep 23  2003 /lib/security/pam_unix_passwd.so
112329 -rwxr-xr-x    4 root     root        51566 Sep 23  2003 /lib/security/pam_unix_session.so
server:~ #

, pam_unix_* PAM.
pam_unix2 auth
.
.
server:~ # cat /etc/pam.d/su | grep -v ^# | grep -v ^$
auth     sufficient pam_rootok.so
auth     [success=done new_authtok_reqd=done user_unknown=ignore authinfo_unavail=ignore default=bad] pam_unix_auth.so nullok
auth     required   pam_ldap.so    use_first_pass
account  sufficient pam_unix2.so
account  required   pam_ldap.so
password required   pam_pwcheck.so nullok
password sufficient pam_unix2.so   nullok use_first_pass use_authtok
password required   pam_ldap.so    nullok use_first_pass use_authtok
session  sufficient pam_unix2.so
session  required   pam_ldap.so
server:~ #

use_first_pass pam_ldap LDAP


, , .
use_authtok ,
.
, pam_unix2
pam_ldap .

.
.
3.6. pam_ldap.
, pam_unix2.
3.6.1. pam 1.
, ,
.
alekseybb@server:~> su -c "id" atest
Password:
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17
(audio),33(video)
alekseybb@server:~> su -c "id" atest
Password:
su:
alekseybb@server:~>

, LDAP.
3.6.2. pam 2.
passwd .
alekseybb@server:~> su -c "id" atest
Password:
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16
(dialout),17(audio),33(video)
alekseybb@server:~>
alekseybb@server:~> su -c "id" atest
Password:
su:
alekseybb@server:~>

shadow, LDAP.
3.6.3. pam 3.

33

LDAP --.

.
alekseybb@server:~> su -c "id" atest
Password:
su:
alekseybb@server:~> su -c "id" atest
Password:
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16
(dialout),17(audio),33(video)
alekseybb@server:~>

LDAP.
3.6.4. pam 4.
, passwd, shadow.
alekseybb@server:~> su -c "id" atest
Password:
su:
alekseybb@server:~> su -c "id" atest
Password:
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17
(audio),33(video)
alekseybb@server:~>

LDAP,
.
3.6.5. pam 5.
, shadow
. NSS LDAP
.
.
pam 1

pam 2

pam 3

pam 4

pam 5

passwd

shadow

pass

shadow

shadow

LDAP

LDAP

id

passwd

LDAP

LDAP

passwd

1 5

OK

-LDAP

OK

???

OK

,
NSS LDAP. 1 5.
3.7. passwd pam_unix2.

34

LDAP --.

, PAM, ,
. ,
, root. passwd,
PAM - /etc/pam.d.
.
server:~ # cat /etc/pam.d/passwd | grep -v ^# | grep -v ^$
auth     required pam_unix2.so nullok
account  required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session  required pam_unix2.so
server:~ #

pam_pwcheck,
. .
server:~ # cat /etc/pam.d/passwd | grep -v ^# | grep -v ^$
auth     required pam_unix2.so nullok
account  required pam_unix2.so
password required pam_unix2.so nullok
session  required pam_unix2.so
server:~ #

. .
server:~ # getent passwd | grep ^atest
atest:x:1007:100::/home/atest:/bin/bash
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep ^atest
atest:q1MWt83DAs2IY:12615:1:99999:14:::
atest:x:::::::0
server:~ # ldapsearch -LLL -H ldap://localhost -D
"cn=ldapadmin,dc=office,dc=localnet" -x -w secret "(uid=atest)" userPassword
dn: uid=atest,ou=People,dc=office,dc=localnet
userPassword:: e3NzaGF9b2trRVEyUXR2OUpxUzRKODVUR2hwN05qMEZzUnh0Nlk=
server:~ #

SuSE
pam_unix2 use_ldap.
server:~ # cat /etc/security/pam_unix2.conf | grep -v ^# | grep -v ^$
auth:     nullok use_ldap
account:  use_ldap
password: md5 nullok use_ldap
session:  none
server:~ #

. , passwd
atest su ,
. passwd,
LDAP .

35

LDAP --.

atest@server:~> id
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17
(audio),33(video)
atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Unknown error
Password changed
atest@server:~>

.
server:~ # getent passwd | grep ^atest
atest:x:1007:100::/home/atest:/bin/bash
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep ^atest
atest:$1$FzzzkMxz$krspW4ep1IhGdqQg5C.zE0:12620:1:99999:14:::
atest:x:::::::0
server:~ #

LDAP , ,
Enter,
,
.
atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
Old Password:
New password:
Re-enter new password:
Password changed
atest@server:~>

.
server:~ # getent shadow | grep ^atest
atest:$1$AdwzCEtz$7qZwqb7BTjqC5tnTAqB2x0:12620:1:99999:14:::
atest:x:::::::0
server:~ # ldapsearch -LLL -H ldap://localhost -D
"cn=ldapadmin,dc=office,dc=localnet" -x -w secret "(uid=atest)" userPassword
dn: uid=atest,ou=People,dc=office,dc=localnet
userPassword:: e3NzaGF9b2trRVEyUXR2OUpxUzRKODVUR2hwN05qMEZzUnh0Nlk=
server:~ #

, ? , LDAP

36

LDAP --.

.
, .
.
passwd[31521]: pam_unix2: pam_sm_chauthtok() called
slapd[27700]: conn=65 fd=15 ACCEPT from IP=127.0.0.1:35834 (IP=127.0.0.1:389)
slapd[27720]: conn=65 op=0 BIND dn="cn=ldapbrowser,dc=office,dc=localnet"
method=128
slapd[27720]: conn=65 op=0 BIND dn="cn=ldapbrowser,dc=office,dc=localnet"
mech=simple ssf=0
slapd[27720]: conn=65 op=0 RESULT tag=97 err=0 text=
slapd[27720]: conn=65 op=1 SRCH base="ou=People,dc=office,dc=localnet" scope=1
filter="(uid=atest)"
slapd[27720]: conn=65 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[28038]: conn=65 op=2 BIND anonymous mech=implicit ssf=0
slapd[28038]: conn=65 op=2 BIND dn="uid=atest,ou=People,dc=office,dc=localnet"
method=128
slapd[28038]: conn=65 op=2 BIND dn="uid=atest,ou=People,dc=office,dc=localnet"
mech=simple ssf=0
slapd[28038]: conn=65 op=2 RESULT tag=97 err=0 text=
slapd[28038]: conn=65 op=3 BIND anonymous mech=implicit ssf=0
slapd[28038]: conn=65 op=3 BIND dn="cn=ldapbrowser,dc=office,dc=localnet"
method=128
slapd[28038]: conn=65 op=3 BIND dn="cn=ldapbrowser,dc=office,dc=localnet"
mech=simple ssf=0
slapd[28038]: conn=65 op=3 RESULT tag=97 err=0 text=
passwd[31521]: pam_unix2: pam_ldap/pam_sm_chauthtok() returned 0
passwd[31521]: pam_unix2: pam_sm_chauthtok() called
slapd[27720]: conn=65 op=4 MOD dn="uid=atest,ou=People,dc=office,dc=localnet"
slapd[27720]: conn=65 op=4 MOD attr=userPassword
slapd[27720]: conn=65 op=4 RESULT tag=103 err=50 text=
passwd[31521]: pam_ldap: ldap_modify_s Insufficient access
passwd[31521]: pam_unix2: pam_ldap/pam_sm_chauthtok() returned 6
slapd[28038]: conn=65 op=5 UNBIND
slapd[28038]: conn=65 fd=15 closed

, pam_unix2
-,
.
, .
server:~ # cat /etc/openldap/slapd.access.conf | grep -v ^# | grep -v ^$
access to dn=".*,dc=office,dc=localnet" attr=userPassword
        by anonymous auth
        by self write
        by dn="cn=ldapbrowser,dc=office,dc=localnet" write
        by * none
access to dn=".*,dc=office,dc=localnet"
        by self write
        by * read
server:~ #


37

LDAP --.

atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for atest
atest@server:~>

, LDAP.
server:~ # getent shadow | grep ^atest
atest:q1MWt83DAs2IY:12615:1:99999:14:::
atest:x:::::::0
server:~ # ldapsearch -LLL -H ldap://localhost -D
"cn=ldapadmin,dc=office,dc=localnet" -x -w secret "(uid=atest)" userPassword
dn: uid=atest,ou=People,dc=office,dc=localnet
userPassword:: bGF0ZXN0Mg==
server:~ #

, LDAP,
. LDAP,
. , , ,
LDAP.
,
.
pam_unix2
LDAP.
, {clear}.
server:~ # ldapsearch -LLL -H ldap://localhost -D
"cn=ldapadmin,dc=office,dc=localnet" -x -w secret "(uid=atest)" userPassword
dn: uid=atest,ou=People,dc=office,dc=localnet
userPassword:: bGF0ZXN0Mg==
server:~ # echo bGF0ZXN0Mg== | mimencode -u ; echo
latest2
server:~ #

LDAP.
PAM .
clear md5 , . .
server:~ # cat /etc/ldap.conf | grep -v ^# | grep -v ^$
host            127.0.0.1:389
base            dc=office,dc=localnet
pam_password    exop
nss_base_passwd ou=People,dc=office,dc=localnet?one
nss_base_shadow ou=People,dc=office,dc=localnet?one
nss_base_group  ou=Groups,dc=office,dc=localnet?one
rootbinddn      cn=ldapbrowser,dc=office,dc=localnet

38

LDAP --.

server:~ #

, PAM
LDAP BIND , PAM
{ssha}
. , LDAP,
PAM
PAM. ,
, LDAP,
.
auth, password.
, , .
server:~ # ldapsearch -LLL -H ldap://localhost -D
"cn=ldapadmin,dc=office,dc=localnet" -x -w secret "(uid=atest)" userPassword
dn: uid=atest,ou=People,dc=office,dc=localnet
userPassword:: e1NNRDV9bS8yQytsNWJueWxzSkF1UFh6azh6aE44eDF3PQ==
server:~ #
server:~ # echo e1NNRDV9bS8yQytsNWJueWxzSkF1UFh6azh6aE44eDF3PQ== | mimencode
-u ; echo
{SMD5}m/2C+l5bnylsJAuPXzk8zhN8x1w=
server:~ #

{smd5}. ,
pam .
3.8. passwd pam_unix2.
,
, .
3.8.1. passwd pam_unix2 1.
.
3.7. . ,
, . ,
, LDAP.
3.8.2. passwd pam_unix2 2.
, passwd.
server:~ # cat /etc/passwd.atest | grep -v ^atest >/etc/passwd
server:~ # getent passwd | grep ^atest
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep ^atest
atest:q1MWt83DAs2IY:12615:1:99999:14:::

39

LDAP --.

atest:x:::::::0
server:~ # ldapsearch -LLL -H ldap://localhost -D
"cn=ldapadmin,dc=office,dc=localnet" -x -w secret "(uid=atest)" userPassword
dn: uid=atest,ou=People,dc=office,dc=localnet
userPassword:: e3NzaGF9b2trRVEyUXR2OUpxUzRKODVUR2hwN05qMEZzUnh0Nlk=
server:~ #

LDAP, .
atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for atest
atest@server:~>

LDAP , . LDAP
, .
atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
Password change aborted
Old Password:
passwd: Authentication failure
atest@server:~>

.
3.8.3. passwd pam_unix2 3.
.
,
LDAP.
alekseybb@server:~> su - atest
Password:
atest@server:~> id
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16
(dialout),17(audio),33(video)
atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for atest
atest@server:~> exit
logout
alekseybb@server:~>

,
.

40

LDAP --.

3.8.4. passwd pam_unix2 4 5.


, passwd,
shadow , ,
.
.
unix2 1

unix2 2

unix2 3

unix2 4

unix2 5

passwd

shadow

pass

LDAP

LDAP

LDAP

id

passwd

LDAP

LDAP

passwd

passwd

Old pass

LDAP

LDAP

LDAP

LDAP

LDAP

LDAP

LDAP

LDAP

3 5 ?

OK

???

OK

???

???

. ,
(1 3),
.
.
3.9. passwd pam_ldap.
pam_unix2 pam_unix_passwd.
SuSE pam_unix .
-, , ,
invalid pointer . , -,
, Changing
password for..., , passwd,
pam_unix_passwd.
.
.
atest@server:~> passwd
Changing password for atest.
Changing password for atest
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
atest@server:~>

,
shadow. LDAP .
LDAP,

41

LDAP --.

LDAP.
atest@server:~> passwd
Changing password for atest.
Changing password for atest
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
LDAP password information changed for atest
atest@server:~>

, shadow,
.
- passwd.
server:~ # cat /etc/pam.d/passwd | grep -v "^\(#\|$\)"
auth     [success=done new_authtok_reqd=done user_unknown=ignore authinfo_unavail=ignore default=bad] pam_unix_auth.so
auth     required   pam_ldap.so use_first_pass
account  sufficient pam_unix2.so
account  required   pam_ldap.so
password sufficient pam_unix_passwd.so
password required   pam_ldap.so use_first_pass use_authtok debug
session  sufficient pam_unix2.so
session  required   pam_ldap.so
server:~ #

, LDAP
, -.
LDAP.
.
server:~ # cat /etc/openldap/slapd.access.conf | grep -v "^\(#\|$\)"
access to dn=".*,dc=office,dc=localnet" attr=userPassword
        by anonymous auth
        by self write
        by * none
access to dn=".*,dc=office,dc=localnet"
        by self write
        by * read
server:~ #


, .
.
, rootdn,

. , LDAP
ldapbrowser LDAP
.
server:~ # cat /etc/ldap.conf | grep -v "^\(#\|$\)"
host            127.0.0.1:389
base            dc=office,dc=localnet

42

LDAP --.

pam_password    exop
nss_base_passwd ou=People,dc=office,dc=localnet?one
nss_base_shadow ou=People,dc=office,dc=localnet?one
nss_base_group  ou=Groups,dc=office,dc=localnet?one
binddn          cn=ldapbrowser,dc=office,dc=localnet
bindpw          browser
server:~ #

LDAP
. , slapd.access.conf,
,
, .
server:~ # cat /etc/ldap.conf | grep -v "^\(#\|$\)"
host            127.0.0.1:389
base            dc=office,dc=localnet
pam_password    exop
nss_base_passwd ou=People,dc=office,dc=localnet?one
nss_base_shadow ou=People,dc=office,dc=localnet?one
nss_base_group  ou=Groups,dc=office,dc=localnet?one
server:~ #

, . ,
, , .
, ldapbrowser
LDAP , . ?
? !
, , NSS
LDAP. , , NSS LDAP
.
- NSS LDAP
LDAP ,
.
PAM. password.
server:~ # cat /etc/pam.d/passwd | grep ^password
password sufficient pam_unix_passwd.so
password required   pam_ldap.so try_first_pass ignore_authinfo_unavail
server:~ #

sufficient. ,
password pam_chauthtok,
, ,
. ,
, ,
. ,
. use_first_pass use_authtok
pam_ldap LDAP
. try_first_pass
LDAP.

43

LDAP --.

ignore_authinfo_unavail
LDAP. .
server:~ # cat /etc/pam.d/passwd | grep -v "^\(#\|$\)"
auth     [success=done new_authtok_reqd=done user_unknown=ignore authinfo_unavail=ignore default=bad] pam_unix_auth.so
auth     required   pam_ldap.so use_first_pass
account  sufficient pam_unix2.so
account  required   pam_ldap.so
password sufficient pam_unix_passwd.so
password required   pam_ldap.so try_first_pass ignore_authinfo_unavail
session  sufficient pam_unix2.so
session  required   pam_ldap.so
server:~ #


pam_ldap .
auth - su, ,
password.
pam_pwcheck.

3.10. passwd pam_ldap.


,
pam_unix2. 5 ,
pam_ldap, .
.
3.10.1. passwd pam_ldap 1.
.
.
atest@server:~> id
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17
(audio),33(video),513(Domain Users)
atest@server:~> passwd
Changing password for atest.
Changing password for atest
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
atest@server:~>

.
LDAP, LDAP.
atest@server:~> id
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17
(audio),33(video),513(Domain Users)
atest@server:~> passwd

44

LDAP --.

Changing password for atest.


Changing password for atest
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
LDAP password information changed for atest
atest@server:~>

, ,
. .
server:~ # getent passwd | grep ^atest
atest:x:1007:100::/home/atest:/bin/bash
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep ^atest
atest:FR.4K6u/EGyjA:12626:0:::::
atest:x:12626::::::0
server:~ # ldapsearch -LLL -H ldap://localhost -D
"cn=ldapadmin,dc=office,dc=localnet" -x -w secret "(uid=atest)" userPassword
dn: uid=atest,ou=People,dc=office,dc=localnet
userPassword:: e1NNRDV9L2ZJbTJaNGlOZTZ0QldWd3VSQW5URzlLTUtJPQ==
server:~ # echo e1NNRDV9L2ZJbTJaNGlOZTZ0QldWd3VSQW5URzlLTUtJPQ== | mimencode
-u ; echo
{SMD5}/fIm2Z4iNe6tBWVwuRAnTG9KMKI=
server:~ #

3.10.2. passwd pam_ldap 2.


passwd.
shadow, LDAP.

LDAP.
atest@server:~> id
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16
(dialout),17(audio),33(video)
atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for atest
atest@server:~>

LDAP. , PAM
,
LDAP.
3.10.3. passwd pam_ldap 3.

45

LDAP --.

,
.
atest@server:~> id
uid=1002(atest) gid=513(Domain Users) =513(Domain Users),14(uucp),16
(dialout),17(audio),33(video)
atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for atest
atest@server:~>

3.10.4. passwd pam_ldap 4.


, shadow, passwd, PAM
.
, .
atest@server:~> id
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17
(audio),33(video),513(Domain Users)
atest@server:~> passwd
Changing password for atest.
Changing password for atest
(current) UNIX password:
LDAP Password incorrect: try again
passwd: Authentication failure
atest@server:~>


LDAP, LDAP, .
atest@server:~> id
uid=1007(atest) gid=100(users) =100(users),14(uucp),16(dialout),17
(audio),33(video),513(Domain Users)
atest@server:~> passwd
Changing password for atest.
Changing password for atest
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
LDAP password information changed for atest
atest@server:~>

46

LDAP --.
pam 1

pam 2

pam 3

pam 4

pam 5

passwd

shadow

pass

shadow

shadow

LDAP

LDAP

id

passwd

LDAP

LDAP

passwd

Old pass

pass/LDAP

LDAP

LDAP

LDAP

shad/ALL

LDAP

LDAP

LDAP

2 5

OK?

???

OK

???

OK


1. , ,
.
,
, ,
LDAP, .
3.11. PAM?
,
PAM . , PAM
, , .
PAM
. .
1. PAM ,
. ,
winbind. PAM
,
, .
,
,
.
2. , PAM
( PAM: /chain
/facility). ,
,
. ,
,
. , PAM,
UNIX, POSIX.
, MS Windows
. ,

. , , ,

47

LDAP --.

UNIX passwd shadow. ,


. NIS LDAP UNIX. ,
, .
, UNIX.

-. ,
, , ,
.
3. , PAM
, pam_unix2, ,
-, ,
. ,
pam_unix2 SuSE
, YaST2. ,
PAM.

48

LDAP --.

A. .
,
.
.1. root- LDAP.
server:~ # cat root.ldif
dn: uid=root,ou=People,dc=office,dc=localnet
uid: root
cn: root
sn: root
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 12089
shadowMax: 10000
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
userPassword: {CRYPT}.vSlVrIfg2SZ2
server:~ #

lroot.
.2. ldapbrowser.
server:~ # cat ldapbrowser.ldiff
dn: cn=ldapbrowser,dc=office,dc=localnet
cn: ldapbrowser
sn: ldapbrowser
objectClass: person
objectClass: top
userPassword: {SSHA}stfV4nrgwlBg3K4dReyUFo8KSAHqOjNo
server:~ #

bowser.
A.3. LDAP.
server:~ # cat /etc/openldap/slapd.conf | grep -v ^# | grep -v ^$
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba3.schema
pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args
modulepath  /usr/lib/openldap/modules
replogfile  /var/lib/ldap/replica.log
database    ldbm

49

LDAP --.

cachesize   40000
dbcachesize 60000000
suffix      "dc=office,dc=localnet"
rootdn      "cn=ldapadmin,dc=office,dc=localnet"
rootpw      {SSHA}K6n0nTsvOWxO1xPGBN5HoZCAsaO0wV7p
directory   /var/lib/ldap
index       objectClass               eq
index       ou,cn,sn,displayName      eq,pres,sub
index       uidNumber,gidNumber       eq
index       sambaSID                  eq
index       memberUID,uid             eq,pres,sub
index       sambaPrimaryGroupSID      eq
index       sambaDomainName           eq
index       default                   sub
include     /etc/openldap/slapd.access.conf
server:~ #

secret.
A.4. LDAP.
server:~ # cat /etc/openldap/slapd.access.conf | grep -v ^# | grep -v ^$
access to dn=".*,dc=office,dc=localnet" attr=userPassword
        by anonymous auth
        by self write
        by * none
access to dn=".*,dc=office,dc=localnet"
        by self write
        by * read
server:~ #


.5. LDAP.
server:~ # cat /etc/ldap.conf | grep -v ^# | grep -v ^$
host            127.0.0.1:389
base            dc=office,dc=localnet
pam_password    exop
nss_base_passwd ou=People,dc=office,dc=localnet?one
nss_base_shadow ou=People,dc=office,dc=localnet?one
nss_base_group  ou=Groups,dc=office,dc=localnet?one
server:~ #

.
server:~ # cat /etc/ldap.secret
browser
server:~ # ls -l /etc/ldap.secret
-rw------- 1 root root 8 Jul 16 21:52 /etc/ldap.secret
server:~ #

.6. NSS.


50

LDAP --.

server:~ # cat /etc/nsswitch.conf | grep -v ^# | grep -v ^$
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
networks:   files dns
services:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
netgroup:   files
publickey:  files
bootparams: files
automount:  files nis
aliases:    files
server:~ #

A.7.- PAM su.


server:~ # cat /etc/pam.d/su | grep -v ^# | grep -v ^$
auth     sufficient pam_rootok.so
auth     [success=done new_authtok_reqd=done user_unknown=ignore authinfo_unavail=ignore default=bad] pam_unix_auth.so
auth     required   pam_ldap.so use_first_pass
account  sufficient pam_unix2.so
account  required   pam_ldap.so
password required   pam_pwcheck.so nullok
password sufficient pam_unix2.so nullok use_first_pass use_authtok
password required   pam_ldap.so use_first_pass use_authtok
session  sufficient pam_unix2.so
session  required   pam_ldap.so
server:~ #

.8.- PAM passwd.


server:~ # cat /etc/pam.d/passwd | grep -v "^\(#\|$\)"
auth     [success=done new_authtok_reqd=done user_unknown=ignore authinfo_unavail=ignore default=bad] pam_unix_auth.so
auth     required   pam_ldap.so use_first_pass
account  sufficient pam_unix2.so
account  required   pam_ldap.so
password sufficient pam_unix_passwd.so
password required   pam_ldap.so try_first_pass ignore_authinfo_unavail
session  sufficient pam_unix2.so
session  required   pam_ldap.so
server:~ #

51

LDAP --.

. , , .
, .
. ,
. , SuSE Linux v9.0.
,
.
.1.
,
init=/bin/sh
. ,
mount -o remount,rw /
.
.2. NSS LDAP
.
. {crypt}
.
nss_ldap-207-80.
.3. PAM LDAP SuSE pam_unix2,
pam_ldap
, LDAP,
. YaST2 pam_unix2.
pam-modules-9.0-5, pam_ldap-164-42, yast2-ldap-client-2.8.12-3
.4. pam_ldap nss_ldap,
,
.
.
server:~ # fuser -v /lib/libnss_ldap.so.2 | grep ....m | awk '{print $4}' | sort -u
amavisd
clamd
httpd
mc
nagios
named
pickup
qmgr
slapd
smbd
sshd
su
server:~ #

52

LDAP --.

, LDAP
NSS LDAP. PAM
,
LDAP ,
. ,
.
pam_ldap-164-42, nss_ldap-207-80.
.5. pam_ldap
- ,
, , ,

, {crypt}, {ssha} {smd5}.
pam_ldap-164-42, nss_ldap-207-80, shadow-4.0.3-182.
.6. PAM LDAP SuSE pam_unix2,
passwd, , LDAP
. LDAP
ldap.conf, .
, ,
LDAP .
pam-modules-9.0-5, pam_ldap-164-42, yast2-ldap-client-2.8.12-3

53

LDAP --.

. SuSE pam-0.77.
.1. .
pam_unix_passwd SuSE ,
,
free.
atest@server:~> passwd
Changing password for atest.
Changing password for atest
(current) UNIX password:
free(): invalid pointer 0x4007b940!
Enter new UNIX password:
Retype new UNIX password:
free(): invalid pointer 0x4007b940!
atest@server:~>

, support.c
_unix_verify_password
.
if (pp)
_pam_delete(pp);

_pam_delete ,
. , _pam_overwrite,
, , , _pam_drop,
free. , pp,
, ,
bigcrypt. .
_pam_delete _pam_overwrite. ,
pam-0.75, ALT Linux, . , SuSE
9.0, SuSE 9.1 , , , .
, ,
, pam_unix_* , , SuSE
.
, pp
.
if (pp)
_pam_overwrite(pp);

, pam_unix_passwd.c
pam_sm_chauthtok . ,
_pam_delete .
/* update the password database(s) -- race conditions..? */
retval = _do_setpass(pamh, user, pass_old, tpass, ctrl,

54

LDAP --.
remember);
_pam_delete(tpass);
pass_old = pass_new = NULL;

_pam_overwrite.
/* update the password database(s) -- race conditions..? */
retval = _do_setpass(pamh, user, pass_old, tpass, ctrl,
remember);
_pam_overwrite(tpass);
pass_old = pass_new = NULL;


pam-0.77. *.orig . ,
, . . ,
spec, .
SuSE pam-0.77,
.

.
_pam_delete pam-0.77, , ,
.
.2. .
passwd ,
pam_unix_passwd pam_ldap,
.
pam_sm_chauthtok pam_unix_passwd.c.
i=0;
while((retval = lckpwdf()) != 0 && i < 100) {
usleep(1000);
}
if(retval != 0) {
return PAM_AUTHTOK_LOCK_BUSY;
}

, .
.
i=0;
while((retval = lckpwdf()) != 0 && i < 100) {
usleep(1000);
i++;
}
if(retval != 0) {
return PAM_AUTHTOK_LOCK_BUSY;
}

55

LDAP --.

SuSE 9.0, pam-0.75 ALT Linux. SuSE 9.1


. PAM
CVS.
.3. .
,
pam_unix_passwd.c , pam_sm_chauthtok
.
, , PAM_USER_UNKNOWN.
/etc, ls.
server:~ # ls -l /etc/.*lock
-rw------- 1 root Domain Users 0 Jul 26 12:26 /etc/.pwd.lock
server:~ #


ulckpwdf , .
if (user == NULL || !isalnum(*user)) {
_log_err(LOG_ERR, pamh, "bad username [%s]", user);
#ifdef USE_LCKPWDF
ulckpwdf();
#endif
return PAM_USER_UNKNOWN;
}
if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl))
_log_err(LOG_DEBUG, pamh, "username [%s] obtained",
user);
} else {
if (on(UNIX_DEBUG, ctrl))
_log_err(LOG_DEBUG, pamh,
"password - could not identify user");
#ifdef USE_LCKPWDF
ulckpwdf();
#endif
return retval;
}

SuSE 9.0. 9.1 , ALT Linux


.
, .2 .3
rpm PAM,
. , ... ?!
