LDAP connection seems to keep failing

openldap

What configuration errors would lead to the situation where ldapsearch works and getent works, but authentication seems to fail sometimes during SSH login?

I have two servers that query a third server for LDAP authentication. All servers are running Ubuntu 18.04.

The LDAP server (running OpenLDAP / slapd) uses a self-signed certificate and both client servers have "TLS_REQCERT allow" in /etc/ldap/ldap.conf .
Both client servers can also successfully use ldapsearch over ldaps to query for users. On both client servers, I can run getent passwd and get the expected results.

However, on one server, when I log in via ssh, I experience a consistent delay (about thirty seconds). /var/log/auth.log from that server includes these lines:

pam_systemd(sshd:session): Failed to create session: Connection timed out  
nss_ldap: reconnecting to LDAP server...
nss_ldap: reconnected to LDAP server ldaps://[IP address] after 1 attempt
systemd-logind: nss_ldap: could not connect to any LDAP server as [...] - Can't contact LDAP server
systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://[IP address]: Can't contact LDAP server

As far as I know, all relevant pieces of the configuration for the two client servers are the same as each other's.

I have tried:

sudo systemctl restart systemd-logind
sudo systemctl restart polkit

sudo journalctl -u systemd-logind shows:

nss_ldap: could not connect to any LDAP server as [...] - Can't contact 
nss_ldap: failed to bind to LDAP server ldaps://[IP address]: Can't contact LDAP server
nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...

On the client side of SSH, I see what's outlined here: ssh connection takes forever to initiate, stuck at "pledge: network"

Best Answer

It turns out that "apt install libnss-ldapd" seems to fix the problem, which removes libnss-ldap and installs nscd and nslcd.
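The difference between the two packages is where the LDAP connection is made. With libnss-ldap, every process that does a name-service lookup (systemd-logind included) opens its own TLS connection to the directory; with libnss-ldapd the lookup goes over a local socket to nslcd, which is the only process that talks to the server. On Ubuntu 18.04 the systemd-logind unit is sandboxed, and the pattern in the logs (pam_systemd timing out while getent from a shell works) matches logind being unable to reach the server from inside that sandbox. The helper below is an added example, not code from the question, the answer or the OpenLDAP project. It assumes the Ubuntu 18.04 paths from the thread (/etc/nsswitch.conf, /etc/ldap/ldap.conf, /var/run/nslcd/socket) and dpkg; the log lines and config snippets in the comments are constructed to mirror the ones posted above. It also flags the "TLS_REQCERT allow" setting mentioned in the question, since that value makes the client accept any server certificate, which is a separate weakness from the timeout.

```shell
#!/bin/sh
# Diagnostic helper for the symptom in this thread: getent and ldapsearch work,
# but systemd-logind's in-process nss_ldap lookup hangs during SSH login.
# Added example; assumes Ubuntu 18.04 file locations and dpkg.

# diagnose_log: read auth.log / journal lines on stdin and print
#   logind-nss-timeout  pam_systemd timed out AND systemd-logind's nss_ldap
#                       could not reach the server (the pattern in the question)
#   ok                  pattern not present
diagnose_log() {
    log=$(cat)   # capture stdin once so it can be searched twice
    if printf '%s\n' "$log" | grep -q 'pam_systemd(sshd:session): Failed to create session' &&
       printf '%s\n' "$log" | grep -q "systemd-logind: nss_ldap: .*Can't contact LDAP server"; then
        echo logind-nss-timeout
    else
        echo ok
    fi
}

# nss_ldap_backend [NSSWITCH_FILE]: report which NSS LDAP implementation is live.
#   none      nsswitch.conf does not route passwd/group/shadow through "ldap"
#   nslcd     libnss-ldapd: lookups go to the local nslcd socket, so the calling
#             process (e.g. systemd-logind) never opens a network connection itself
#   nss_ldap  libnss-ldap: every calling process connects to the directory directly
nss_ldap_backend() {
    nsswitch=${1:-/etc/nsswitch.conf}
    grep -Eq '^(passwd|group|shadow):.*[[:space:]]ldap([[:space:]]|$)' "$nsswitch" \
        || { echo none; return 0; }
    if [ -S /var/run/nslcd/socket ] ||
       dpkg-query -W -f='${Status}' libnss-ldapd 2>/dev/null | grep -q 'install ok installed'; then
        echo nslcd
    else
        echo nss_ldap
    fi
}

# tls_reqcert_level [LDAP_CONF]: print the effective TLS_REQCERT value.
# ldap.conf(5) documents "demand" as the default when the key is absent.
tls_reqcert_level() {
    conf=${1:-/etc/ldap/ldap.conf}
    v=$(awk 'toupper($1)=="TLS_REQCERT" {print tolower($2)}' "$conf" | tail -n 1)
    echo "${v:-demand}"
}

# tls_reqcert_is_weak [LDAP_CONF]: succeed (exit 0) when the setting lets the
# client accept an unverified server certificate ("allow" or "never").
# "TLS_REQCERT allow", as used in the question, falls in this category.
tls_reqcert_is_weak() {
    case "$(tls_reqcert_level "$1")" in
        allow|never) return 0 ;;
        *)           return 1 ;;
    esac
}

# ldaps_probe URI BASE_DN [SECONDS]: bounded live check using ldapsearch, so the
# probe itself cannot hang for thirty seconds the way the login did.
# Example: ldaps_probe ldaps://ldap.example.invalid dc=example,dc=invalid 5
ldaps_probe() {
    timeout "${3:-5}" ldapsearch -x -LLL -H "$1" -b "$2" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

# Typical invocation on the affected client (no-op when sourced by the test):
if [ "${1:-}" = "--run" ]; then
    echo "NSS LDAP backend: $(nss_ldap_backend)"
    echo "TLS_REQCERT:      $(tls_reqcert_level)"
    tls_reqcert_is_weak && echo "warning: client does not verify the server certificate"
    echo "auth.log verdict: $(tail -n 200 /var/log/auth.log 2>/dev/null | diagnose_log)"
fi
```

Run it as `sh ldap-login-check.sh --run` on the slow client: a verdict of "logind-nss-timeout" together with backend "nss_ldap" is the combination the accepted answer fixes by switching to libnss-ldapd. Whichever backend is in use, moving TLS_REQCERT from "allow" to "demand" with the server's CA certificate configured via TLS_CACERT restores certificate verification for both nslcd and ldapsearch.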
