
What configuration errors would lead to the situation where ldapsearch works and getent works, but authentication seems to fail sometimes during SSH login?

I have two servers that query a third server for LDAP authentication. All servers are running Ubuntu 18.04.

The LDAP server (running OpenLDAP / slapd) uses a self-signed certificate and both client servers have "TLS_REQCERT allow" in /etc/ldap/ldap.conf. Both client servers can also successfully use ldapsearch over ldaps to query for users. On both client servers, I can run getent passwd and get the expected results.

However, on one server, when I log in via ssh, I experience a consistent delay (about thirty seconds). /var/log/auth.log from that server includes these lines:

pam_systemd(sshd:session): Failed to create session: Connection timed out
nss_ldap: reconnecting to LDAP server...
nss_ldap: reconnected to LDAP server ldaps://[IP address] after 1 attempt
systemd-logind: nss_ldap: could not connect to any LDAP server as [...] - Can't contact LDAP server
systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://[IP address]: Can't contact LDAP server

As far as I know, all relevant pieces of the configuration for the two client servers are the same as each other's.

I have tried:

sudo systemctl restart systemd-logind
sudo systemctl restart polkit

sudo journalctl -u systemd-logind shows:

nss_ldap: could not connect to any LDAP server as [...] - Can't contact 
nss_ldap: failed to bind to LDAP server ldaps://[IP address]: Can't contact LDAP server
nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...

On the client side of SSH, I see what's outlined here: ssh connection takes forever to initiate, stuck at "pledge: network"

Jenny D
Jerry
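Added example (not part of the original question or answers): a POSIX shell script that reads the client-side settings that decide how NSS reaches the directory. With libnss-ldap the nss_ldap module runs inside every process that resolves a user, so sshd, systemd-logind and the rest each have to open their own ldaps:// connection; with libnss-ldapd only the nslcd daemon talks to the directory and the NSS module talks to a local socket, so a process that is not allowed to reach the network itself (a service sandboxed with an IPAddressDeny= directive, for example) still gets answers. The sample nsswitch.conf, ldap.conf and package lists below are constructed to mirror the question's setup; the paths and package names are assumptions about an Ubuntu 18.04 client.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Inspects the client-side pieces that decide how NSS reaches LDAP:
# with libnss-ldap every process opens its own directory connection,
# with libnss-ldapd only the nslcd daemon does.

# Print the sources configured for the passwd database in an nsswitch.conf
nss_passwd_sources() {
    awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print the URI scheme (ldap, ldaps or ldapi) from a ldap.conf-style file
ldap_uri_scheme() {
    awk 'tolower($1) == "uri" { split($2, a, ":"); print tolower(a[1]); exit }' "$1"
}

# Print TLS_REQCERT from a ldap.conf; the OpenLDAP client default is "demand" when unset
tls_reqcert() {
    v=$(awk 'toupper($1) == "TLS_REQCERT" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-demand}"
}

# Given a package list (one name per line, as from dpkg-query -W -f '${Package}\n'),
# report which NSS/LDAP backend is installed
nss_backend() {
    if grep -qx 'libnss-ldapd' "$1"; then echo nslcd
    elif grep -qx 'libnss-ldap' "$1"; then echo nss_ldap
    else echo none
    fi
}

# Combine the checks into a verdict for the given nsswitch.conf, ldap.conf and package list
assess() {
    nsswitch=$1; ldapconf=$2; pkgs=$3
    sources=$(nss_passwd_sources "$nsswitch")
    scheme=$(ldap_uri_scheme "$ldapconf")
    reqcert=$(tls_reqcert "$ldapconf")
    backend=$(nss_backend "$pkgs")
    case " $sources " in
        *" ldap "*) uses_ldap=yes ;;
        *) uses_ldap=no ;;
    esac
    if [ "$uses_ldap" = yes ] && [ "$backend" = nss_ldap ]; then
        echo "RISK: passwd is served by libnss-ldap; every process, systemd-logind included, must reach ${scheme}:// itself, and one that cannot will hang until the LDAP timeout"
    elif [ "$uses_ldap" = yes ] && [ "$backend" = nslcd ]; then
        echo "OK: passwd is served by nslcd; only the nslcd daemon talks to ${scheme}://"
    else
        echo "INFO: passwd sources '$sources' with backend '$backend'"
    fi
    if [ "$reqcert" = allow ] || [ "$reqcert" = never ]; then
        echo "NOTE: TLS_REQCERT is '$reqcert', so the server certificate is not verified on ${scheme}://"
    fi
}

# Constructed sample input mirroring the question's setup (not real system files)
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
EOF
cat > "$SAMPLE_DIR/ldap.conf" <<'EOF'
BASE    dc=example,dc=com
URI     ldaps://ldap.example.com
TLS_REQCERT allow
EOF
printf 'libnss-ldap\nlibpam-ldap\nopenssh-server\n' > "$SAMPLE_DIR/before.pkgs"
printf 'libnss-ldapd\nnslcd\nnscd\nopenssh-server\n' > "$SAMPLE_DIR/after.pkgs"

echo "--- before: libnss-ldap installed ---"
assess "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/ldap.conf" "$SAMPLE_DIR/before.pkgs"
echo "--- after: libnss-ldapd installed ---"
assess "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/ldap.conf" "$SAMPLE_DIR/after.pkgs"

# On a live Ubuntu 18.04 client the same checks run against the real files:
#   dpkg-query -W -f '${Package}\n' > /tmp/pkgs
#   assess /etc/nsswitch.conf /etc/ldap/ldap.conf /tmp/pkgs
```

The first run reports RISK because passwd is resolved through libnss-ldap, which is the situation where a network-restricted process stalls even though ldapsearch and getent from an ordinary shell succeed; the second run, with libnss-ldapd in the package list, reports OK. Both runs also flag TLS_REQCERT allow, which means the self-signed server certificate is accepted without verification.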

3 Answers


It turns out that "apt install libnss-ldapd" seems to fix the problem, which removes libnss-ldap and installs nscd and nslcd.

Jerry

I'm unsure what worked for me:

apt install libnss-ldapd
service nscd stop

or changing from ldapi:// to ldap://

My RHEL7 server (running openldap) is configured for ldapi:// and it has RHEL7 clients connecting through ldapi://

I couldn't get the Debian 11 instance to use ldapi:// though.

EDIT: Using ldap:// instead of ldapi:// worked for me.

  • Ran another VM to test. Did not install libnss-ldapd but DID use ldap:// instead of ldapi://. It worked without any issues. – Nathan Wilson Nov 28 '21 at 06:32
apt install libnss-ldapd
systemctl restart systemd-logind

fixed it for me