RSS feed

Re: nslcd with sshd question

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: nslcd with sshd question

On Mon, Jan 3, 2022 at 2:10 AM Andrea Sighinolfi <andrea.sighinolfi [at]> wrote:

Now, my goal is to use sshd server to authenticate with the ldap user. From an external PC, when I run:

ssh ldapUser@[device_ip_address],

the password check always fails. The syslog give the following error:

nslcd[139]: [e8944a] <passwd="ldapUser"> (re)loading /etc/nsswitch.conf
00:04:40 sshd[150]: Failed password for ldapUser from port 37128 ssh2

From this log, I suppose nslcd is searching for the user in passwd users, but the ldap user will never been found there because passwd contains only local users, not remote ldap users. I suppose this is the reason why the ssh authentication fails. Why nslcd is not looking in ldap when trying to authenticate with ssh?

On some systems I manage nsswitch.conf with chef and on others I do it manually.  My most common error on the manual systems is to forget to update nssswitch.conf to include LDAP lookups.  I would expect you to have entries in nsswitch.conf like:

  passwd:         ldap files systemd
  group:          ldap files systemd
That specifies an ldap search will be performed first, then files, and then systemd.  To make sure I have basic functionality I test with getent. For example, "getent passwd someuid" for an LDAP user should return the user's posixAccount attributes.

Once getent returns what you expect and if you are still having problems make sure that the password actually works using either ldapsearch or ldapwhoami.  For example, "ldapwhoami -h ldaphost -D uid=userid,dc=domain,dc=toplevel -W".

Of course, when working through problems like this it is helpful to look at the LDAP server log.

Hope that helps,