Ssh – LDAP users can’t ssh – Valuable Tech Notes

When I ssh to my CentOS 6 server with root account, everything is working fine. But when I try with an LDAP user, I get permission denied.

I tried logging in with root, and then su to a LDAP user, to see if the user even exists and it does. The su seems working fine and I end up in the LDAP users home dir, so the home dir id there too. I figured it must be something to do with ssh, so i looked in /var/log/secure:

Feb 11 10:49:46 centosy sshd[1157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal  user=tomas
Feb 11 10:49:46 centosy sshd[1157]: pam_ldap: ldap_search_s No such object
Feb 11 10:49:47 centosy sshd[1157]: Failed password for tomas from 172.16.0.179 port 47961 ssh2
Feb 11 10:50:16 centosy sshd[1158]: Connection closed by 172.16.0.179
Feb 11 10:50:31 centosy sshd[1159]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harbinger.mosek.zentyal  user=tomas
Feb 11 10:50:31 centosy sshd[1159]: pam_ldap: ldap_search_s No such object

From what I can see, it says that the user doesn't exist in the LDAP tree, which is not true at all. When I getent passwd with root, I can see LDAP user tomas with no problem, and I can su to the user just fine. What is the real problem?

To show that the centos client has no problem finding the user in the LDAP tree:

# ldapsearch -D "uid=tomas,ou=Users,dc=mosek,dc=zentyal" -Z -LLL  -W  uid=tomas
ldap_start_tls: Protocol error (2)
    additional info: unsupported extended operation
Enter LDAP Password: 
dn: uid=tomas,ou=Users,dc=mosek,dc=zentyal
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: passwordHolder
objectClass: systemQuotas
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: shadowAccount
objectClass: zentyalSambaLink
uid: tomas
loginShell: /bin/bash
gidNumber: 1901
homeDirectory: /home/tomas
krb5PrincipalName: tomas@MOSEK.ZENTYAL
krb5MaxLife: 86400
krb5MaxRenew: 604800
krb5KDCFlags: 126
uidNumber: 3000044
msdsObjectGUID: 649ff009-ad48-41d5-abf8-2dafcd91024c
krb5KeyVersionNumber: 1
quota: 0
mail:
cn: Tomas Nielsen
givenName: Tomas
....

And here is my nslcd.conf:

 uri ldap://172.16.0.5:390/

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name of the search base.
base dc=mosek,dc=zentyal

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=zentyalro,dc=mosek,dc=zentyal

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
bindpw secretPassword

# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.
scope sub
#scope one
#scope base

# Customize certain database lookups.
base   group  ou=Groups,dc=mosek,dc=zentyal
base   passwd ou=Users,dc=mosek,dc=zentyal
base   shadow ou=Users,dc=mosek,dc=zentyal

uid nslcd
gid ldap

ssl no
tls_cacertdir /etc/openldap/cacerts

so I tried running nslcd in debug mode and got this:

# nslcd -d
nslcd: DEBUG: add_uri(ldap://172.16.0.5:390)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
nslcd: version 0.7.5 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(tomas)
nslcd: [8b4567] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_group_bymember(tomas)
nslcd: [7b23c6] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [7b23c6] DEBUG: myldap_search(base="ou=Groups,dc=mosek,dc=zentyal", filter="(&(objectClass=posixGroup)(|(memberUid=tomas)(uniqueMember=uid=tomas,ou=Users,dc=mosek,dc=zentyal)))")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [3c9869] DEBUG: nslcd_passwd_byname(tomas)
nslcd: [3c9869] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [3c9869] DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [3c9869] DEBUG: ldap_result(): end of results
nslcd: [334873] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [334873] DEBUG: nslcd_passwd_byname(tomas)
nslcd: [334873] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [334873] DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [334873] DEBUG: ldap_result(): end of results
nslcd: [b0dc51] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [b0dc51] DEBUG: nslcd_shadow_byname(tomas)
nslcd: [b0dc51] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=shadowAccount)(uid=tomas))")
nslcd: [b0dc51] DEBUG: ldap_initialize(ldap://172.16.0.5:390)
nslcd: [b0dc51] DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] DEBUG: ldap_simple_bind_s("cn=zentyalro,dc=mosek,dc=zentyal","***") (uri="ldap://172.16.0.5:390")
nslcd: [b0dc51] DEBUG: ldap_result(): end of results
nslcd: [495cff] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [495cff] DEBUG: nslcd_passwd_byname(tomas)
nslcd: [495cff] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [495cff] DEBUG: ldap_result(): end of results
nslcd: [e8944a] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [e8944a] DEBUG: nslcd_passwd_byname(tomas)
nslcd: [e8944a] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [e8944a] DEBUG: ldap_result(): end of results
nslcd: [5558ec] DEBUG: connection from pid=1152 uid=0 gid=0
nslcd: [5558ec] DEBUG: nslcd_passwd_byname(tomas)
nslcd: [5558ec] DEBUG: myldap_search(base="ou=Users,dc=mosek,dc=zentyal", filter="(&(objectClass=posixAccount)(uid=tomas))")
nslcd: [5558ec] DEBUG: ldap_result(): end of results

I just can't understand what it says

Path	Permission
.ssh directory (code)	0700 (drwx------)
private keys (ex: `id_rsa`) (code)	0600 (-rw-------)
`config`	0600 (-rw-------)
public keys (*.pub ex: `id_rsa.pub`)	0644 (-rw-r--r--)
`authorized_keys` (code)	0644 (-rw-r--r--)
`known_hosts`	0644 (-rw-r--r--)

Ssh – LDAP users can’t ssh

Best Answer

Related Topic

Best Answer

Related Solutions

Ssh – How to automate SSH login with password

SSH – Bad Owner or Permissions on ~/.ssh/config

Related Topic