lists.arthurdejong.org
Issues w/ LDAP & PAM on Ubuntu 22.04

Hi,

I tried to Google this error message but all of the results are 10+ years old.

I'm using LDAP (slapd) on a remote Ubuntu server, and my client is configured 
to use nss_ldap and nslcd.

My config looks like:

#
# generated file - DO NOT EDIT!
#

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# LDAP servers
uri ldap://h2.netgate.com/

# The distinguished name of the search base
base dc=netgate,dc=com

# The LDAP version to use.
ldap_version 3

# The search scope.
scope sub

# Group to enforce membership of
pam_authz_search (&(objectClass=posixAccount)(memberOf=cn=PAM,ou=Groups,dc=netgate,dc=com))

ssl start_tls

tls_reqcert hard
tls_cacertfile /etc/ssl/certs/letsencrypt_ca.pem

# Attributes returned by the server we're overriding
map passwd loginShell "/usr/bin/clixon_cli"
map passwd homeDirectory "/home/guest"


for /etc/nslcd.conf, I've enabled LDAP for PAM via "pam-auth-update --enable 
ldap", and my /etc/nsswitch.conf has:

...
passwd:         files ldap systemd
group:          files ldap systemd
shadow:         files ldap
...

So everything looks in order.  I can log in, but I get:

...
Dec 11 10:45:02 tnsr1 ldapsearch: DIGEST-MD5 common mech free
Dec 11 10:45:03 tnsr1 ldapsearch: DIGEST-MD5 common mech free
Dec 11 10:45:05 tnsr1 sshd[95656]: Accepted publickey for pprindeville2 from 172.21.12.3 port 42294 ssh2: ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
Dec 11 10:45:05 tnsr1 sshd[95656]: pam_unix(sshd:session): session opened for user pprindeville2(uid=10003) by (uid=0)
Dec 11 10:45:06 tnsr1 systemd-logind: nss_ldap: reconnecting to LDAP server...
Dec 11 10:45:06 tnsr1 systemd-logind: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Dec 11 10:45:07 tnsr1 systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable
Dec 11 10:45:07 tnsr1 sshd[95656]: pam_systemd(sshd:session): Failed to create session: No such process
...

I don't get the last 5 lines of messages.

Yes, I'm using a custom sshd AuthorizedKeysCommand command that uses 
ldapsearch.  And /etc/ldap/ldap.conf has been provisioned:

#
# generated file - DO NOT EDIT!
#

# LDAP servers
URI ldap://h2.netgate.com/

# The distinguished name of the search base
BASE dc=netgate,dc=com

# The LDAP version to use.
VERSION 3

TLS_PROTOCOL_MIN 3.3

TLS_REQCERT hard
TLS_CACERT /etc/ssl/certs/letsencrypt_ca.pem

But I don't think ldapsearch would spew to /var/log/auth.log and the prefixes 
(tags) don't seem to indicate that.

Am I running into this?

nss-pam-ldapd (0.9.0-1) experimental; urgency=low

    The 0.9 release changes the communication protocol used between the NSS
    and PAM modules on one end and the nslcd process on the other end.

    This means that after the upgrade, if the new nslcd is running, processes
    that have the old NSS or PAM module already loaded will be unable to
    perform queries.

    For example, if a screensaver that was running before the upgrade has
    locked the screen during the upgrade, the user will no longer be able to
    unlock the screen.

 -- Arthur de Jong <adejong@debian.org>  Sat, 06 Apr 2013 15:00:00 +0200

And if so, what can I restart to get them to sync up (without rebooting)?

Thanks,

-Philip
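As an added example, not part of Philip's post or of nss-pam-ldapd, this Python triage script groups log lines shaped like the excerpt above by process and by the module tag that emitted them, and flags processes that log under the nss_ldap: tag (the nss-pam-ldapd NSS module never connects to LDAP itself; nslcd does, so such a process has a different NSS module loaded). The log lines are constructed samples modelled on the post.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the auth.log excerpt in the post; not the real log.
SAMPLE_LOG = """\
Dec 11 10:45:02 tnsr1 ldapsearch: DIGEST-MD5 common mech free
Dec 11 10:45:05 tnsr1 sshd[95656]: pam_unix(sshd:session): session opened for user pprindeville2(uid=10003) by (uid=0)
Dec 11 10:45:06 tnsr1 systemd-logind: nss_ldap: reconnecting to LDAP server...
Dec 11 10:45:07 tnsr1 systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable
Dec 11 10:45:07 tnsr1 sshd[95656]: pam_systemd(sshd:session): Failed to create session: No such process
Dec 11 10:45:09 tnsr1 nslcd[812]: [8b4567] <passwd="guest"> connected to LDAP server ldap://h2.netgate.com/
"""

# Classic syslog layout: "Mon DD HH:MM:SS host process[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def parse_syslog(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Name the component that emitted the message, from the tag it prefixes."""
    msg = entry["msg"]
    if msg.startswith("nss_ldap:"):
        # nss-pam-ldapd's NSS module never talks to LDAP itself (nslcd does), so a
        # module reporting its own LDAP reconnects is a different NSS module.
        return "nss_ldap"
    pam = re.match(r"(pam_\w+)\(", msg)
    if pam:
        return pam.group(1)
    return "nslcd" if entry["proc"] == "nslcd" else "other"

def triage(lines):
    """Group components per process and flag processes whose NSS lookups bypass nslcd."""
    components = defaultdict(set)
    for line in lines:
        entry = parse_syslog(line)
        if entry:
            components[entry["proc"]].add(classify(entry))
    return {
        "components": {p: sorted(c) for p, c in components.items()},
        "direct_ldap_procs": sorted(p for p, c in components.items() if "nss_ldap" in c),
    }
```

Running `triage(SAMPLE_LOG.splitlines())` lists systemd-logind as the process doing its own LDAP connections, which is the process to inspect (and restart) once the right NSS module is in place.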