EMOS无法验证openldap用户

baoroushi

前面我发了一个OPENLDAP+EMOS的帖子，在EMOS服务器里安装好了openldap客户端，并ldapsearch 了OPENLDAP服务的目录结构可以查看到，说明是和OPENLDAP服务器是可以连接上的，ID OPENLDAP的用户也可以查看到UID号等信息如下面所示：

1. [root@webmail ~]# ldapsearch -x -b "dc=promise,dc=com"
   
2. # extended LDIF
   
3. #
   
4. # LDAPv3
   
5. # base <dc=promise,dc=com> with scope subtree
   
6. # filter: (objectclass=*)
   
7. # requesting: ALL
   
8. #
   
9. 
   
10. # promise.com
    
11. dn: dc=promise,dc=com
    
12. dc: promise
    
13. objectClass: dcObject
    
14. objectClass: organizationalUnit
    
15. ou: promise Dot com
    
16. 
    
17. # Manager, promise.com
    
18. dn: cn=Manager,dc=promise,dc=com
    
19. objectClass: top
    
20. objectClass: organizationalRole
    
21. cn: Manager
    
22. 
    
23. # extmailAccount, promise.com
    
24. dn: ou=extmailAccount,dc=promise,dc=com
    
25. objectClass: organizationalUnit
    
26. ou: extmailAccount
    
27. 
    
28. # extmailAlias, promise.com
    
29. dn: ou=extmailAlias,dc=promise,dc=com
    
30. objectClass: organizationalUnit
    
31. ou: extmailAlias
    
32. 
    
33. # extmailManager, promise.com
    
34. dn: ou=extmailManager,dc=promise,dc=com
    
35. objectClass: organizationalUnit
    
36. ou: extmailManager
    
37. 
    
38. # promise.com, extmailAccount, promise.com
    
39. dn: virtualDomain=promise.com,ou=extmailAccount,dc=promise,dc=com
    
40. virtualDomain: promise.com
    
41. description: A virtualDomain for promise.com
    
42. hashDirPath: A0/B0
    
43. Transport: virtual:
    
44. domainMaxQuota: 1073741824
    
45. domainMaxUsers: 50
    
46. domainMaxAlias: 50
    
47. domainMaxNetStore: 1073741824
    
48. defaultQuota: 5242880
    
49. defaultNetStore: 5242880
    
50. defaultExpire: 1y
    
51. disablesmtpd: 0
    
52. disablesmtp: 0
    
53. disablewebmail: 0
    
54. disablenetdisk: 0
    
55. disableimap: 1
    
56. disablepop3: 0
    
57. active: 1
    
58. expireDate: 2015-10-01
    
59. createDate: 2007-02-14 13:47:56
    
60. objectClass: top
    
61. objectClass: extmailDomain
    
62. 
    
63. # postmaster@promise.com, promise.com, extmailAccount, promise.com
    
64. dn: mail=postmaster@promise.com,virtualDomain=promise.com,ou=extmailAccount,dc
    
65. =promise,dc=com
    
66. cn: Test user
    
67. uid: test
    
68. mail: postmaster@promise.com
    
69. virtualDomain: promise.com
    
70. mailMessageStore: promise.com/postmaster/Maildir/
    
71. homeDirectory: promise.com/postmaster
    
72. userName: postmaster@promise.com
    
73. mailQuota: 104857600S
    
74. netdiskQuota: 52428800S
    
75. uidNumber: 1000
    
76. gidNumber: 1000
    
77. active: 1
    
78. disablesmtpd: 0
    
79. disablesmtp: 0
    
80. disablewebmail: 0
    
81. disablenetdisk: 0
    
82. disableimap: 0
    
83. disablepop3: 0
    
84. expireDate: 2015-10-01
    
85. createDate: 2007-02-14 17:56:33
    
86. objectClass: top
    
87. objectClass: uidObject
    
88. objectClass: extmailUser
    
89. 
    
90. # support@promise.com, extmailAlias, promise.com
    
91. dn: mailLocalAddress=support@promise.com,ou=extmailAlias,dc=promise,dc=com
    
92. mailLocalAddress: support@promise.com
    
93. virtualDomain: promise.com
    
94. mail: postmaster@promise.com
    
95. active: 1
    
96. objectClass: extmailAlias
    
97. 
    
98. # root@promise.com, extmailManager, promise.com
    
99. dn: mail=root@promise.com,ou=extmailManager,dc=promise,dc=com
    
100. cn: root
     
101. uid: root
     
102. mail: root@promise.com
     
103. managerType: admin
     
104. active: 1
     
105. question: who are you?
     
106. answer: postmaster
     
107. disablePasswdChange: 0
     
108. createDate: 2007-02-14 18:32:14
     
109. expireDate: 2015-08-01
     
110. objectClass: top
     
111. objectClass: extmailManager
     
112. 
     
113. # user, promise.com
     
114. dn: ou=user,dc=promise,dc=com
     
115. ou: user
     
116. objectClass: organizationalUnit
     
117. 
     
118. # sam, user, promise.com
     
119. dn: uid=sam,ou=user,dc=promise,dc=com
     
120. uid: sam
     
121. cn: sam
     
122. objectClass: account
     
123. objectClass: posixAccount
     
124. objectClass: top
     
125. objectClass: shadowAccount
     
126. shadowLastChange: 14323
     
127. shadowMax: 99999
     
128. shadowWarning: 7
     
129. loginShell: /bin/bash
     
130. uidNumber: 1005
     
131. gidNumber: 1005
     
132. homeDirectory: /home/sam
     
133. 
     
134. # sz, user, promise.com
     
135. dn: uid=sz,ou=user,dc=promise,dc=com
     
136. uid: sz
     
137. cn: sz
     
138. objectClass: account
     
139. objectClass: posixAccount
     
140. objectClass: top
     
141. objectClass: shadowAccount
     
142. shadowLastChange: 14323
     
143. shadowMax: 99999
     
144. shadowWarning: 7
     
145. loginShell: /bin/bash
     
146. uidNumber: 1005
     
147. gidNumber: 1005
     
148. homeDirectory: /home/sz
     
149. 
     
150. # htc, user, promise.com
     
151. dn: cn=htc,ou=user,dc=promise,dc=com
     
152. cn: htc
     
153. sn: htc
     
154. objectClass: person
     
155. objectClass: inetOrgPerson
     
156. givenName: htc
     
157. mail: szy8706@yeah.net
     
158. telephoneNumber: 13302903040
     
159. title: Employee
     
160. 
     
161. # promise, user, promise.com
     
162. dn: uid=promise,ou=user,dc=promise,dc=com
     
163. uid: promise
     
164. cn: promise
     
165. objectClass: account
     
166. objectClass: posixAccount
     
167. objectClass: top
     
168. objectClass: shadowAccount
     
169. shadowLastChange: 14323
     
170. shadowMax: 99999
     
171. shadowWarning: 7
     
172. loginShell: /bin/bash
     
173. uidNumber: 1005
     
174. gidNumber: 1005
     
175. homeDirectory: /home/promise
     
176. 
     
177. # leaf jack, promise.com, extmailAccount, promise.com
     
178. dn: cn=leaf jack,virtualDomain=promise.com,ou=extmailAccount,dc=promise,dc=com
     
179. cn: leaf jack
     
180. mail: jack@promise.com
     
181. givenName: leaf
     
182. sn: jack
     
183. objectClass: inetOrgPerson
     
184. objectClass: top
     
185. uid: jack
     
186. 
     
187. # search result
     
188. search: 2
     
189. result: 0 Success
     
190. 
     
191. # numResponses: 16
     
192. # numEntries: 15
     
193. [root@webmail ~]#

复制代码

ID 查看OPENLDAP服务器里面的用户信息

1. [root@webmail ~]# id sam
   
2. uid=1005(sam) gid=1005 groups=1005
   
3. 
   
4. [root@webmail ~]# id jack
   
5. id: jack: No such user
   

复制代码

这里查Jack用户信息不到，应该是没有给UidNumber和GidNumber号

上面这些信息都是EMOS服务器上查看OPENLDAP服务器上的信息

下面帖出EMOS的INIT.LDIF的信息（有修改，并成功导入）

1. [root@localhost data]# cat init.ldif
   
2. dn: dc=promise,dc=com
   
3. dc: promise
   
4. objectClass: dcObject
   
5. objectClass: organizationalUnit
   
6. ou: promise Dot com
   
7. 
   
8. dn: cn=Manager,dc=promise,dc=com
   
9. objectClass: top
   
10. objectClass: organizationalRole
    
11. cn: Manager
    
12. 
    
13. dn: ou=extmailAccount,dc=promise,dc=com
    
14. objectClass: organizationalUnit
    
15. ou: extmailAccount
    
16. 
    
17. dn: ou=extmailAlias,dc=promise,dc=com
    
18. objectClass: organizationalUnit
    
19. ou: extmailAlias
    
20. 
    
21. dn: ou=extmailManager,dc=promise,dc=com
    
22. objectClass: organizationalUnit
    
23. ou: extmailManager
    
24. 
    
25. dn: virtualDomain=promise.com, ou=extmailAccount, dc=promise, dc=com
    
26. virtualDomain: promise.com
    
27. description: A virtualDomain for promise.com
    
28. hashDirPath: A0/B0
    
29. Transport: virtual:
    
30. domainMaxQuota: 1073741824
    
31. domainMaxUsers: 50
    
32. domainMaxAlias: 50
    
33. domainMaxNetStore: 1073741824
    
34. defaultQuota: 5242880
    
35. defaultNetStore: 5242880
    
36. defaultExpire: 1y
    
37. disablesmtpd: 0
    
38. disablesmtp: 0
    
39. disablewebmail: 0
    
40. disablenetdisk: 0
    
41. disableimap: 1
    
42. disablepop3: 0
    
43. active: 1
    
44. expireDate: 2015-10-01
    
45. createDate: 2007-02-14 13:47:56
    
46. objectclass: top
    
47. objectclass: extmailDomain
    
48. 
    
49. dn: mail=postmaster@promise.com, virtualDomain=promise.com, ou=extmailAccount, dc=promise, dc=com
    
50. cn: Test user
    
51. uid: test
    
52. mail: postmaster@promise.com
    
53. virtualDomain: promise.com
    
54. mailMessageStore: promise.com/postmaster/Maildir/
    
55. homeDirectory: promise.com/postmaster
    
56. userName: postmaster@promise.com
    
57. mailQuota: 104857600S
    
58. netdiskQuota: 52428800S
    
59. uidNumber: 1000
    
60. gidNumber: 1000
    
61. userPassword: {CRYPT}$1$phz1mRrj$3ok6BjeaoJYWDBsEPZb5C0
    
62. active: 1
    
63. disablesmtpd: 0
    
64. disablesmtp: 0
    
65. disablewebmail: 0
    
66. disablenetdisk: 0
    
67. disableimap: 0
    
68. disablepop3: 0
    
69. expireDate: 2015-10-01
    
70. createDate: 2007-02-14 17:56:33
    
71. objectClass: top
    
72. objectClass: uidObject
    
73. objectClass: extmailUser
    
74. 
    
75. dn: mailLocalAddress=support@promise.com, ou=extmailAlias, dc=promise, dc=com
    
76. mailLocalAddress: support@promise.com
    
77. virtualDomain: promise.com
    
78. mail: postmaster@promise.com
    
79. active: 1
    
80. objectclass: extmailAlias
    
81. 
    
82. dn: mail=root@promise.com, ou=extmailManager, dc=promise, dc=com
    
83. cn: root
    
84. uid: root
    
85. mail: root@promise.com
    
86. userPassword: {CRYPT}$1$BrT9qxfB$Ha81Mb5YVV6rNKNN5jmtj1
    
87. managerType: admin
    
88. active: 1
    
89. question: who are you?
    
90. answer: postmaster
    
91. disablePasswdChange: 0
    
92. createDate: 2007-02-14 18:32:14
    
93. expireDate: 2015-08-01
    
94. objectclass: top
    
95. objectclass: extmailManager
    
96. [root@localhost data]#
    

复制代码

下面贴出OPENLDAP的SLAPD.CONF

1. [root@localhost openldap]# cat slapd.conf
   
2. #
   
3. # See slapd.conf(5) for details on configuration options.
   
4. # This file should NOT be world readable.
   
5. #
   
6. 
   
7. include         /etc/openldap/schema/corba.schema
   
8. include         /etc/openldap/schema/core.schema
   
9. include         /etc/openldap/schema/cosine.schema
   
10. include         /etc/openldap/schema/duaconf.schema
    
11. include         /etc/openldap/schema/dyngroup.schema
    
12. include         /etc/openldap/schema/inetorgperson.schema
    
13. include         /etc/openldap/schema/java.schema
    
14. include         /etc/openldap/schema/misc.schema
    
15. include         /etc/openldap/schema/nis.schema
    
16. include         /etc/openldap/schema/openldap.schema
    
17. include         /etc/openldap/schema/ppolicy.schema
    
18. include         /etc/openldap/schema/collective.schema
    
19. include         /etc/openldap/schema/samba.schema
    
20. include         /etc/openldap/schema/extmail.schema
    
21. 
    
22. # Allow LDAPv2 client connections.  This is NOT the default.
    
23. allow bind_v2
    
24. 
    
25. # Do not enable referrals until AFTER you have a working directory
    
26. # service AND an understanding of referrals.
    
27. #referral       ldap://root.openldap.org
    
28. 
    
29. pidfile         /var/run/openldap/slapd.pid
    
30. argsfile        /var/run/openldap/slapd.args
    
31. 
    
32. # Load dynamic backend modules
    
33. # - modulepath is architecture dependent value (32/64-bit system)
    
34. # - back_sql.la overlay requires openldap-server-sql package
    
35. # - dyngroup.la and dynlist.la cannot be used at the same time
    
36. 
    
37. # modulepath /usr/lib/openldap
    
38. # modulepath /usr/lib64/openldap
    
39. 
    
40. # moduleload accesslog.la
    
41. # moduleload auditlog.la
    
42. # moduleload back_sql.la
    
43. # moduleload chain.la
    
44. # moduleload collect.la
    
45. # moduleload constraint.la
    
46. # moduleload dds.la
    
47. # moduleload deref.la
    
48. # moduleload dyngroup.la
    
49. # moduleload dynlist.la
    
50. # moduleload memberof.la
    
51. # moduleload pbind.la
    
52. # moduleload pcache.la
    
53. # moduleload ppolicy.la
    
54. # moduleload refint.la
    
55. # moduleload retcode.la
    
56. # moduleload rwm.la
    
57. # moduleload seqmod.la
    
58. # moduleload smbk5pwd.la
    
59. # moduleload sssvlv.la
    
60. # moduleload syncprov.la
    
61. # moduleload translucent.la
    
62. # moduleload unique.la
    
63. # moduleload valsort.la
    
64. 
    
65. # The next three lines allow use of TLS for encrypting connections using a
    
66. # dummy test certificate which you can generate by changing to
    
67. # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
    
68. # slapd.pem so that the ldap user or group can read it.  Your client software
    
69. # may balk at self-signed certificates, however.
    
70. TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    
71. TLSCertificateFile /etc/pki/tls/certs/slapd.pem
    
72. TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
    
73. 
    
74. # Sample security restrictions
    
75. #       Require integrity protection (prevent hijacking)
    
76. #       Require 112-bit (3DES or better) encryption for updates
    
77. #       Require 63-bit encryption for simple bind
    
78. # security ssf=1 update_ssf=112 simple_bind=64
    
79. 
    
80. # Sample access control policy:
    
81. #       Root DSE: allow anyone to read it
    
82. #       Subschema (sub)entry DSE: allow anyone to read it
    
83. #       Other DSEs:
    
84. #               Allow self write access
    
85. #               Allow authenticated users read access
    
86. #               Allow anonymous users to authenticate
    
87. #       Directives needed to implement policy:
    
88. access to dn.base="" by * read
    
89. access to dn.base="cn=Subschema" by * read
    
90. access to *
    
91.         by self write
    
92.         by users read
    
93.         by anonymous auth
    
94.         by anonymous read
    
95.         by * none
    
96. #
    
97. # if no access controls are present, the default policy
    
98. # allows anyone and everyone to read anything but restricts
    
99. # updates to rootdn.  (e.g., "access to * by * read")
    
100. #
     
101. # rootdn can always read and write EVERYTHING!
     
102. ###acces control policy
     
103. #access to dn.subtree="dc=promise,dc=com" attrs=uid,userPassword
     
104. #    by self write
     
105. #    by dn="uid=promise,ou=user,dc=promise,dc=com" write
     
106. #    by anonymous auth
     
107. #    by * none
     
108. #
     
109. #access to dn.children="ou=user,dc=promise,dc=com" attrs=cn,givenName,sn,displayName,mail,mobile,homePhone,homePostalAddress,telephoneNumber
     
110. #    by self write
     
111. #    by dn="uid=promise,ou=user,dc=promise,dc=com" write
     
112. #    by * read
     
113. #
     
114. #access to dn.subtree="ou=user,dc=promise,dc=com"
     
115. #    by dn="uid=promise,ou=user,dc=promise,dc=com" write
     
116. #    by * read
     
117. #
     
118. #access to * by * read
     
119. 
     
120. access to attrs=userPassword
     
121.        by self write
     
122.        by anonymous auth
     
123.        by dn.base="cn=manager,dc=promise,dc=com" write
     
124.        by  * none
     
125. 
     
126. access to *
     
127.        by self write
     
128.        by users read
     
129.        by anonymous peername.IP=192.168.41.151 read
     
130.        by anonymous peername.IP=192.168.41.0%255.255.255.0 read
     
131.        by dn.base="cn=manager,dc=promise,dc=com" write
     
132.        by * none
     
133. 
     
134. # enable on-the-fly configuration (cn=config)
     
135. database config
     
136. access to *
     
137.         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
     
138.         by * none
     
139. 
     
140. # enable server status monitoring (cn=monitor)
     
141. database monitor
     
142. access to *
     
143.         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
     
144.         by dn.exact="cn=Manager,dc=promise,dc=com" read
     
145.         by * none
     
146. 
     
147. #######################################################################
     
148. # database definitions
     
149. #######################################################################
     
150. #database ldap
     
151. #suffix "cn=users,dc=promise,dc=com"
     
152. #subordinate
     
153. #rebind-as-user
     
154. #uri "ldap://192.168.41.152"
     
155. #chase-referrals yes
     
156. 
     
157. database        bdb
     
158. suffix          "dc=promise,dc=com"
     
159. checkpoint      1024 15
     
160. rootdn          "cn=Manager,dc=promise,dc=com"
     
161. # Cleartext passwords, especially for the rootdn, should
     
162. # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
     
163. # Use of strong authentication encouraged.
     
164. # rootpw                secret
     
165. # rootpw                {crypt}ijFYNcSNctBYg
     
166. rootpw {SSHA}dD++dnOtPyETTpz9+Xh5EtetL87IIM/F
     
167. 
     
168. # The database directory MUST exist prior to running slapd AND
     
169. # should only be accessible by the slapd and slap tools.
     
170. # Mode 700 recommended.
     
171. directory       /var/lib/ldap
     
172. 
     
173. # Indices to maintain for this database
     
174. #index objectClass                       eq,pres
     
175. #index ou,cn,mail,surname,givenname      eq,pres,sub
     
176. #index uidNumber,gidNumber,loginShell    eq,pres
     
177. #index uid,memberUid                     eq,pres,sub
     
178. #index nisMapName,nisMapEntry            eq,pres,sub
     
179. Index cn,sn,uid,displayName pres,sub,eq
     
180. Index uidNumber,gidNumber eq
     
181. Index sambaSID eq
     
182. Index sambaPrimaryGroupSID eq
     
183. Index sambaDomainName eq
     
184. Index objectClass pres,eq
     
185. Index default sub
     
186. 
     
187. 
     
188. 
     
189. # Replicas of this database
     
190. #replogfile /var/lib/ldap/openldap-master-replog
     
191. #replica host=ldap-1.example.com:389 starttls=critical
     
192. #     bindmethod=sasl saslmech=GSSAPI
     
193. #     authcId=host/ldap-master.example.com@EXAMPLE.COM
     
194. [root@localhost openldap]#
     

复制代码

贴出EMOS的LDAP.CONF信息

1. [root@webmail ~]# cat /etc/openldap/ldap.conf
   
2. #
   
3. # LDAP Defaults
   
4. #
   
5. 
   
6. # See ldap.conf(5) for details
   
7. # This file should be world readable but not world writable.
   
8. 
   
9. #BASE   dc=example, dc=com
   
10. #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
    
11. 
    
12. #SIZELIMIT      12
    
13. #TIMELIMIT      15
    
14. #DEREF          never
    
15. URI ldap://192.168.41.151
    
16. BASE dc=promise,dc=com
    
17. TLS_CACERTDIR /etc/openldap/cacerts
    
18. ssl start_tls
    
19. tls_checkpeer yes
    
20. tls_cacertfile /etc/openldap/cacerts/cacert.pem
    
21. pam_password md5
    
22. [root@webmail ~]#

复制代码

现在就是OPENLDAP的用户无法在EMOS里面验证登录，