2

What configuration errors would lead to the situation where ldapsearch works and getent works, but authentication seems to fail sometimes during SSH login?

I have two servers that query a third server for LDAP authentication. All servers are running Ubuntu 18.04.

The LDAP server (running OpenLDAP / slapd) uses a self-signed certificate and both client servers have "TLS_REQCERT allow" in /etc/ldap/ldap.conf . Both client servers can also successfully use ldapsearch over ldaps to query for users. On both client servers, I can run getent passwd and get the expected results.

However, on one server, when I log in via ssh, I experience a consistent delay (about thirty seconds). /var/log/auth.log from that server includes these lines:

pam_systemd(sshd:session): Failed to create session: Connection timed out  
nss_ldap: reconnecting to LDAP server...
nss_ldap: reconnected to LDAP server ldaps://[IP address] after 1 attempt
systemd-logind: nss_ldap: could not connect to any LDAP server as [...] - Can't contact LDAP server
systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://[IP address]: Can't contact LDAP server

As far as I know, all relevant pieces of the configuration for the two client servers are the same as each other's.

I have tried:

sudo systemctl restart systemd-logind
sudo systemctl restart polkit

sudo journalctl -u systemd-logind shows:

nss_ldap: could not connect to any LDAP server as [...] - Can't contact 
nss_ldap: failed to bind to LDAP server ldaps://[IP address]: Can't contact LDAP server
nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...

On the client side of SSH, I see what's outlined here: ssh connection takes forever to initiate, stuck at "pledge: network"

Jenny D
  • 28,148
Jerry
  • 21

3 Answers

3

It turns out that "apt install libnss-ldapd" seems to fix the problem, which removes libnss-ldap and installs nscd and nslcd.

Jerry
  • 31
0

I'm unsure what worked for me:

apt install libnss-ldapd
service nscd stop

or changing from ldapi:// to ldap://

My RHEL7 server (running openldap) is configured for ldapi:// and it has RHEL7 clients connecting through ldapi://

I couldn't get the Debian 11 instance to use ldapi:// though.

EDIT: Using ldap:// instead of ldapi:// worked for me.

  • Ran another VM to test. Did not install libnss-ldapd but DID use ldap:// instead of ldapi://. It worked without any issues. – Nathan Wilson Nov 28 '21 at 06:32
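Two settings in this thread deserve a closer look than the answers give them: the question's `TLS_REQCERT allow` in /etc/ldap/ldap.conf, which makes the client accept any certificate (so the bind DN and password can be captured by anyone who can sit on the path to the LDAP server), and the ldapi:// URI in the answer above, which is OpenLDAP's Unix-domain-socket transport and only exists on the machine running slapd. The script below is an added example, not code from the question or any answer: it reads an ldap.conf- or nslcd.conf-style file from stdin and flags those two problems plus a few related ones (plaintext ldap:// without StartTLS, and an IP-address URI that cannot pass hostname verification unless the certificate carries an IP subjectAltName). The sample configs, the host name ldap.example.com, the address 192.0.2.10 and the path /etc/ssl/certs/ldap-server.crt are constructed for the example.

```shell
#!/bin/sh
# audit_ldap_client_conf: flag weak settings in an OpenLDAP client configuration.
# Reads /etc/ldap/ldap.conf (libnss-ldap, ldapsearch) or /etc/nslcd.conf
# (libnss-ldapd) syntax on stdin. Keys are matched case-insensitively, so both
# "TLS_REQCERT allow" and "tls_reqcert allow" are recognised.
# Prints one finding per line; returns 1 if anything was flagged, 0 if clean.
audit_ldap_client_conf() (
    set -f                        # no globbing while we word-split config lines
    reqcert=demand                # OpenLDAP's default when TLS_REQCERT is absent
    cacert="" uris="" ssl_mode=off
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        set -- $line              # $1 = keyword, remaining words = arguments
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        case $key in
            tls_reqcert)                             reqcert=$(printf '%s' "$1" | tr 'A-Z' 'a-z') ;;
            tls_cacert|tls_cacertfile|tls_cacertdir) cacert=$1 ;;
            ssl)                                     ssl_mode=$1 ;;   # nslcd.conf: on | off | start_tls
            uri)                                     uris="$uris $*" ;;
        esac
    done
    n=0
    case $reqcert in
        never|allow)
            echo "TLS_REQCERT $reqcert: the server certificate is never verified, so any host on the network path can impersonate the LDAP server and capture the bind DN and password; use demand"
            n=$((n + 1)) ;;
        try)
            echo "TLS_REQCERT try: a server that presents no certificate at all is accepted; use demand"
            n=$((n + 1)) ;;
        demand|hard)
            if [ -z "$cacert" ]; then
                echo "TLS_REQCERT $reqcert without TLS_CACERT: a self-signed server certificate will fail verification; point TLS_CACERT (ldap.conf) or tls_cacertfile (nslcd.conf) at the server's certificate"
                n=$((n + 1))
            fi ;;
    esac
    for u in $uris; do
        scheme=${u%%://*}
        host=${u#*://}; host=${host%%/*}; host=${host%%:*}
        case $scheme in
            ldapi)
                echo "$u: ldapi:// is a Unix-domain socket on the LDAP server itself and cannot be reached from another host; use ldaps:// (or ldap:// with StartTLS)"
                n=$((n + 1)); continue ;;
            ldap)
                if [ "$ssl_mode" != start_tls ]; then
                    echo "$u: plaintext LDAP without StartTLS; binds and lookups cross the network unencrypted"
                    n=$((n + 1)); continue
                fi ;;
        esac
        # TLS is in use here (ldaps, or ldap + StartTLS): with demand/hard the
        # name in the URI must match the certificate, and a bare IPv4 literal
        # only matches if the certificate carries it as an IP subjectAltName.
        case $host in
            *[!0-9.]*|"") ;;
            *)  if [ "$reqcert" = demand ] || [ "$reqcert" = hard ]; then
                    echo "$u: URI names an IP address; the certificate must carry it as an IP subjectAltName, otherwise use the DNS name the certificate was issued for"
                    n=$((n + 1))
                fi ;;
        esac
    done
    [ "$n" -eq 0 ]
)

# Constructed sample: the client configuration described in the question.
QUESTION_CONF='BASE   dc=example,dc=com
URI    ldaps://192.0.2.10
TLS_REQCERT allow'

# Constructed sample: the same client, corrected. The self-signed certificate is
# pinned via TLS_CACERT and the URI uses the name the certificate was issued for.
FIXED_CONF='BASE   dc=example,dc=com
URI    ldaps://ldap.example.com
TLS_REQCERT demand
TLS_CACERT  /etc/ssl/certs/ldap-server.crt'

# Constructed sample: nslcd.conf pointing a remote client at the server's ldapi socket.
LDAPI_CONF='uri ldapi:///
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ldap-server.crt'

echo "== question config =="; printf '%s\n' "$QUESTION_CONF" | audit_ldap_client_conf || true
echo "== ldapi config ==";    printf '%s\n' "$LDAPI_CONF"    | audit_ldap_client_conf || true
echo "== fixed config ==";    printf '%s\n' "$FIXED_CONF"    | audit_ldap_client_conf && echo "no findings"
```

Run it as `audit_ldap_client_conf < /etc/ldap/ldap.conf` and again against /etc/nslcd.conf once libnss-ldapd is installed; the two files are separate and fixing one does not fix the other. Pinning the self-signed certificate with TLS_CACERT keeps the convenience of not running a CA while still letting the client reject an impostor, which `TLS_REQCERT allow` never can.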
-1
apt install libnss-ldapd
systemctl restart systemd-logind

fixed it for me