Sshd pam_ldap: ldap_simple_bind Can’t contact LDAP server


Seen lots of similar posts regarding my issue, but none so far have really contributed to resolving the matter.

I have a bunch of old RHEL 5.5 servers which I need to authenticate against an LDAP instance (OpenDJ).

I can perform a manual ldapsearch which works fine:

# /usr/bin/ldapsearch -D cn=#####,ou=users,dc=######,dc=com -w ###### -LLLx -H ldaps://lhcsrvprddir02.#######.com:1636 -b dc=#######,dc=com cn=####
dn: cn=####,ou=users,dc=##########,dc=com
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: posixAccount
uid: *****
employeeType: *****
uidNumber: *****
gecos: ********
mail: ******.com
homeDirectory: *******
gidNumber: ******
cn: *****
sn: *****
loginShell: /bin/lbash
userPassword:***************

My LDAP server confirms a successful connection/bind and doesn't seem to complain about certificate-based issues etc.

[26/Jul/2017:10:06:29 +0100] CONNECT conn=2140 from=10.20.82.8:60136 to=10.20.231.4:1636 protocol=LDAPS
[26/Jul/2017:10:06:29 +0100] BIND REQ conn=2140 op=0 msgID=1 version=3 type=SIMPLE dn="cn=###,ou=users,dc=#######,dc=com"
[26/Jul/2017:10:06:29 +0100] BIND RES conn=2140 op=0 msgID=1 result=0 authDN="cn=####,ou=users,dc=#######,dc=com" etime=0
[26/Jul/2017:10:06:29 +0100] SEARCH REQ conn=2140 op=1 msgID=2 base="dc=######,dc=com" scope=sub filter="(cn=####)" attrs="ALL"
[26/Jul/2017:10:06:29 +0100] SEARCH RES conn=2140 op=1 msgID=2 result=0 nentries=1 etime=0
[26/Jul/2017:10:06:29 +0100] UNBIND REQ conn=2140 op=2 msgID=3
[26/Jul/2017:10:06:29 +0100] DISCONNECT conn=2140 reason="Client Unbind"

However, when I connect via SSH, I see the following in the /var/log/secure file:

sshd[8275]: pam_ldap: ldap_simple_bind Can't contact LDAP server

Here is what I currently have in /etc/ldap.conf:

uri ldaps://lhcsrvprddir02.######.com
port 1636
base dc=######,dc=com
ldap_version 3
binddn cn=######,ou=service,ou=users,dc=######,dc=com
bindpw ###############
scope sub
timelimit 120
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_lookup_policy yes
pam_password md5
nss_base_passwd ou=users,dc=######,dc=com?sub
nss_base_shadow ou=users,dc=######,dc=com?sub
nss_base_group ou=groups,dc=######,dc=com?sub
nss_base_netgroup ou=netgroup,dc=######,dc=com?sub
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl no
tls_cacertdir /etc/openldap/certs
tls_reqcert never
sudoers_base ou=sudoers,dc=#######,dc=com

And my /etc/openldap/ldap.conf file:

URI ldaps://lhcsrvprddir02.######.com
BASE dc=######,dc=com
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT NEVER

I tried several combinations with /etc/pam.d/system-auth-ac to no avail. Here's what I currently have:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 difok=1 minlen=11
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Prior to all this, I ran:

# authconfig --enableldap --enableldapauth --enableldaptls --disablenis --enablemkhomedir --updateall
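As an added example (not code from the question or from pam_ldap itself), a small Python linter for the pam_ldap/nss_ldap-style /etc/ldap.conf shown above: it parses the key/value format and flags the settings a reviewer would question, namely an ldaps:// URI combined with ssl no, a port kept outside the URI (libldap falls back to 636 when an ldaps:// URI carries none), and tls_reqcert never, which turns off server certificate checking. Hostnames and values in both sample configs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the question's /etc/ldap.conf (placeholder host).
WEAK_CONF = """\
uri ldaps://ldap.example.com
port 1636
ssl no
tls_cacertdir /etc/openldap/certs
tls_reqcert never
"""

# Constructed hardened counterpart: port inside the URI, TLS on, server cert verified.
HARDENED_CONF = """\
uri ldaps://ldap.example.com:1636
ssl on
tls_cacertdir /etc/openldap/certs
tls_reqcert demand
"""

def parse_ldap_conf(text):
    """Return {key: value}; keys case-insensitive, comments/blank lines skipped, first key wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), value.strip())
    return conf

def lint_ldap_conf(text):
    """Return a list of (code, message) findings; an empty list means nothing flagged."""
    conf, findings = parse_ldap_conf(text), []
    uri = urlsplit(conf.get("uri", ""))
    if uri.scheme == "ldaps":
        if conf.get("ssl", "").lower() in ("no", "off"):
            findings.append(("SSL_MISMATCH", "uri is ldaps:// but 'ssl no' is set; use 'ssl on'"))
        port = conf.get("port", "")
        if uri.port is None and port and port != "636":  # 636 is libldap's ldaps default
            findings.append(("PORT_NOT_IN_URI", "uri carries no port, so libldap would use 636; "
                             "write it as %s:%s" % (conf["uri"], port)))
    if conf.get("tls_reqcert", "").lower() == "never":
        findings.append(("CERT_CHECK_OFF", "tls_reqcert never skips server certificate "
                         "verification; use 'tls_reqcert demand' with a trusted tls_cacertdir"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", lint_ldap_conf(text) or "no findings")
```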

Best Answer

Spent a full day trying to figure out pretty much the same thing on Ubuntu.

  1. "libnss-ldap" and "libpam-ldap" don't seem to work well with TLS. I bumped into this in some forum (can't link right now, but it has also been seen on SO). Use "libnss-ldapd" and "libpam-ldapd".

  2. You have to have both -d versions. I installed libnss-ldapd, but with libpam-ldap (without "-d"). Configuration is in /etc/nslcd.conf, mostly a dupe of /etc/ldap.conf. Without the correct libpam-ldapd I would populate passwd successfully using "getent passwd", but ssh login with an LDAP user would throw:

    Jan 06 23:51:17 server sshd[11375]: pam_ldap: ldap_simple_bind Can't contact LDAP server
    Jan 06 23:51:17 server sshd[11375]: pam_ldap: reconnecting to LDAP server...
    Jan 06 23:51:17 server sshd[11375]: pam_ldap: ldap_simple_bind Can't contact LDAP server

  3. Installing libpam-ldapd fixed this; then it was just appropriating /etc/nslcd.conf to my needs (search queries, certs, etc.).