
Re: nslcd with sshd question





Hi,
Thank you for your response. Yes, nsswitch.conf actually includes the "ldap" entry, it looks like this:

passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns ldap
networks:       files ldap
protocols:      files ldap
services:       files ldap
ethers:         files ldap
rpc:            files ldap
netmask:        files ldap
netgroup:       files ldap
bootparams:     files ldap
automount:      files ldap
aliases:        files ldap

The LDAP server is reachable, and the password works, because I am able to test the LDAP user with ldapsearch successfully.

At this point, there should be something wrong with ssh specifically I suppose.
Note that I am trying to authenticate without PAM, because I thought nslcd would be able to look up local users as well as remote LDAP users, or am I wrong? Perhaps the pam_ldap module is mandatory in this case?

Thanks,
Andrea

On 04/01/2022 08:51, William MacAllister wrote:
On Mon, Jan 3, 2022 at 2:10 AM Andrea Sighinolfi <andrea.sighinolfi [at] sitti.it> wrote:

Now, my goal is to use sshd server to authenticate with the ldap user. From an external PC, when I run:

ssh ldapUser@[device_ip_address],

the password check always fails. The syslog gives the following error:

nslcd[139]: [e8944a] <passwd="ldapUser"> (re)loading /etc/nsswitch.conf
00:04:40 sshd[150]: Failed password for ldapUser from 192.168.8.240 port 37128 ssh2

From this log, I suppose nslcd is searching for the user in passwd users, but the ldap user will never be found there because passwd contains only local users, not remote ldap users. I suppose this is the reason why the ssh authentication fails. Why is nslcd not looking in ldap when trying to authenticate with ssh?

On some systems I manage nsswitch.conf with chef and on others I do it manually. My most common error on the manual systems is to forget to update nsswitch.conf to include LDAP lookups. I would expect you to have entries in nsswitch.conf like:

  passwd:         ldap files systemd
  group:          ldap files systemd
That specifies an ldap search will be performed first, then files, and then systemd.  To make sure I have basic functionality I test with getent. For example, "getent passwd someuid" for an LDAP user should return the user's posixAccount attributes.

Once getent returns what you expect and if you are still having problems make sure that the password actually works using either ldapsearch or ldapwhoami.  For example, "ldapwhoami -h ldaphost -D uid=userid,dc=domain,dc=toplevel -W".

Of course, when working through problems like this it is helpful to look at the LDAP server log.

Hope that helps,

Bill

--

Ing. Andrea Sighinolfi

R&D


SITTI S.p.A.
Via Cadorna, 73
20055 Vimodrone (MI) - ITALY

Phone +39.02.2507121
Mobile +39.xxxxxxxxx

Email:  andrea.sighinolfi [at] sitti.it
Website: www.sitti.it
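Added example, not part of the thread or of nslcd: a small POSIX shell helper that scripts the checks Bill describes, verifying that passwd, group and shadow in nsswitch.conf list ldap, and reporting which NSS source actually answers getent for a given user. It assumes a glibc system (getent -s) and that the nsswitch.conf path and user name are passed in by the caller.

```shell
#!/bin/sh
# nss_sources FILE DB: print the source list configured for database DB
# (e.g. "files ldap" for "passwd: files ldap"), with comments stripped.
nss_sources() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                       # drop trailing comments
        $1 == db { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# nss_check FILE: verify that passwd, group and shadow each list ldap.
# Prints one line per database; returns 1 if any of them lacks ldap.
nss_check() {
    rc=0
    for db in passwd group shadow; do
        srcs=$(nss_sources "$1" "$db")
        case " $srcs " in
            *" ldap "*) echo "$db: ok ($srcs)" ;;
            *)          echo "$db: MISSING ldap ($srcs)"; rc=1 ;;
        esac
    done
    return $rc
}

# nss_whence USER: say which NSS source answers "getent passwd USER".
# Queries one source at a time with glibc's getent -s; the source list
# is a constant here, adjust it to match the passwd line in nsswitch.conf.
nss_whence() {
    for svc in files ldap; do
        if getent -s "$svc" passwd "$1" >/dev/null 2>&1; then
            echo "$svc"
            return 0
        fi
    done
    echo none
    return 1
}

# Usage: sh nsscheck.sh /etc/nsswitch.conf ldapUser
if [ $# -eq 2 ]; then
    nss_check "$1"
    echo "getent passwd $2 answered by: $(nss_whence "$2")"
fi
```

A user that nss_whence reports as "none" while ldapsearch finds it points at the NSS side (nslcd not running, or the ldap module missing from the line) rather than at sshd. With UsePAM no, sshd checks the password itself through the shadow map, so the shadow line matters as much as the passwd line here.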
