Re: nslcd with sshd question

On Mon, Jan 3, 2022 at 2:10 AM Andrea Sighinolfi <andrea.sighinolfi [at] sitti.it> wrote:

> Now, my goal is to use sshd server to authenticate with the ldap user. From an external PC, when I run:
>
> ssh ldapUser@[device_ip_address],
>
> the password check always fails. The syslog gives the following error:
>
> nslcd[139]: [e8944a] <passwd="ldapUser"> (re)loading /etc/nsswitch.conf
> 00:04:40 sshd[150]: Failed password for ldapUser from 192.168.8.240 port 37128 ssh2
>
> From this log, I suppose nslcd is searching for the user in passwd users, but the ldap user will never be found there because passwd contains only local users, not remote ldap users. I suppose this is the reason why the ssh authentication fails. Why is nslcd not looking in ldap when trying to authenticate with ssh?

On some systems I manage nsswitch.conf with chef and on others I do it manually.  My most common error on the manual systems is to forget to update nsswitch.conf to include LDAP lookups.  I would expect you to have entries in nsswitch.conf like:

  passwd:         ldap files systemd
  group:          ldap files systemd
 
That specifies an ldap search will be performed first, then files, and then systemd.  To make sure I have basic functionality I test with getent. For example, "getent passwd someuid" for an LDAP user should return the user's posixAccount attributes.

Once getent returns what you expect and if you are still having problems make sure that the password actually works using either ldapsearch or ldapwhoami.  For example, "ldapwhoami -h ldaphost -D uid=userid,dc=domain,dc=toplevel -W".

Of course, when working through problems like this it is helpful to look at the LDAP server log.

Hope that helps,

Bill
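As an added illustration of the nsswitch.conf check Bill describes (this is example code written for this page, not anything from the list thread or from nslcd itself), the script below classifies the passwd and group lines of an nsswitch.conf by whether they consult ldap at all and whether ldap comes first. The embedded sample configuration is constructed, with the passwd line deliberately missing ldap; the script name nsscheck.sh in the comment is an assumed name.

```shell
#!/bin/sh
# Added example (not code from the list post): sanity-check the passwd and
# group databases in an nsswitch.conf for LDAP lookups before moving on to
# the getent and ldapwhoami tests suggested in the reply.

# Constructed sample contents; the passwd line is missing ldap on purpose.
SAMPLE_NSSWITCH='# /etc/nsswitch.conf (constructed sample)
passwd:         files systemd
group:          ldap files systemd
shadow:         files
hosts:          files dns'

# nss_sources DB CONF: print the source list for database DB from CONF text.
# Prints nothing if there is no line for DB.
nss_sources() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# nss_ldap_status DB CONF: classify the DB line as
#   "first"   - ldap is consulted before any other source
#   "present" - ldap is listed, but after another source (e.g. files)
#   "missing" - the line exists but never consults ldap
#   "absent"  - no line for DB at all
nss_ldap_status() {
    sources=$(nss_sources "$1" "$2")
    [ -n "$sources" ] || { echo "absent"; return; }
    pos=0
    for src in $sources; do
        # "[NOTFOUND=return]"-style actions sit between sources but are not
        # sources themselves, so they do not count toward the position.
        case $src in \[*\]) continue ;; esac
        pos=$((pos + 1))
        if [ "$src" = "ldap" ]; then
            [ "$pos" -eq 1 ] && echo "first" || echo "present"
            return
        fi
    done
    echo "missing"
}

# nss_report CONF: one status line per database that sshd/PAM resolve users
# through; returns 1 if any of them would never reach LDAP.
nss_report() {
    rc=0
    for db in passwd group; do
        status=$(nss_ldap_status "$db" "$1")
        echo "$db: $status"
        case $status in missing|absent) rc=1 ;; esac
    done
    return $rc
}

# Run on the constructed sample by default; pass a path to check a real file
# instead, e.g. ./nsscheck.sh /etc/nsswitch.conf (assumed script name).
if [ -n "$1" ] && [ -r "$1" ]; then
    CONF=$(cat "$1")
else
    CONF=$SAMPLE_NSSWITCH
fi
if nss_report "$CONF"; then
    echo "nsswitch.conf consults LDAP; next step: getent passwd <ldapuser>"
else
    echo "add ldap to the databases marked missing/absent, e.g.: passwd: ldap files systemd"
fi
```

On the constructed sample the report prints "passwd: missing" and "group: first", which is exactly the situation in the original question: group lookups reach LDAP but user lookups stop at the local files, so getent and sshd never see the LDAP account. A "present" result (ldap listed after files) still works for authentication; it only means a local account of the same name would shadow the LDAP one.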