LDAP connection seems to keep failing

Question

What configuration errors would lead to the situation where ldapsearch works and getent works, but authentication seems to fail sometimes during SSH login?

I have two servers that query a third server for LDAP authentication. All servers are running Ubuntu 18.04.

The LDAP server (running OpenLDAP / slapd) uses a self-signed certificate and both client servers have "TLS_REQCERT allow" in /etc/ldap/ldap.conf . Both client servers can also successfully use ldapsearch over ldaps to query for users. On both client servers, I can run getent passwd and get the expected results.

However, on one server, when I log in via ssh, I experience a consistent delay (about thirty seconds). /var/log/auth.log from that server includes these lines:

pam_systemd(sshd:session): Failed to create session: Connection timed out  
nss_ldap: reconnecting to LDAP server...
nss_ldap: reconnected to LDAP server ldaps://[IP address] after 1 attempt
systemd-logind: nss_ldap: could not connect to any LDAP server as [...] - Can't contact LDAP server
systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://[IP address]: Can't contact LDAP server

As far as know, all relevant pieces of the configuration for the two client servers are the same as each other's.

I have tried:

sudo systemctl restart systemd-logind
sudo systemctl restart polkit

sudo journalctl -u systemd-logind shows:

nss_ldap: could not connect to any LDAP server as [...] - Can't contact 
nss_ldap: failed to bind to LDAP server ldaps://[IP address]: Can't contact LDAP server
nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...

On the client side of SSH, I see what's outlined here: ssh connection takes forever to initiate, stuck at "pledge: network"

Jerry's fix works. Follow debian documentation : https://wiki.debian.org/fr/LDAP/NSS — aAa emkill, Jan 07 '20 at 19:26

score 3 · Answer 1 · answered Jan 09 '19 at 20:14

3

It turns out that "apt install libnss-ldapd" seems to fix the problem, which removes libnss-ldap and installs nscd and nslcd.

answered Jan 09 '19 at 20:14

Jerry

31
1

Nathan Wilson · Answer 2 · 2021-11-28T06:33:09.860

0

I'm unsure what worked for me:

apt install libnss-ldapd
service nscd stop

or changing from ldapi:// to ldap://

My REHL7 server (running openladp) is configured for ldapi:// and it has RHEL7 clients connecting through ldapi://

I couldn't get the Debian 11 instance to use ldapi:// though.

EDIT: Using ldap:// instead of ldapi:// worked for me.

edited Nov 28 '21 at 06:33

answered Nov 28 '21 at 06:05

Nathan Wilson

3
3

Ran another VM to test. Did not install libnss-ldapd but DID use ldap:// instead of ldapi://. It worked without any issues. – Nathan Wilson Nov 28 '21 at 06:32
Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 02 '21 at 18:24

score -1 · Answer 3 · answered Nov 10 '20 at 17:25

-1

apt install libnss-ldapd
systemctl restart systemd-logind

fixed it for me

answered Nov 10 '20 at 17:25

jeremy mordkoff

1

LDAP connection seems to keep failing

3 Answers3