# [Solved] LDAP Users cannot log in via SSH

## Vogi

Hello,

It's the first time I have set up a server and I am quite happy with Gentoo.

But now I have been trying for days to make my LDAP system work as I want:

I have added some users to the LDAP directory and they can all log in locally.

The user root is still in the files and not in the LDAP.

Now I tried to log in from my Windows PC via PuTTY. It works fine with root but not with the LDAP users.

When I do an ldapsearch or getent passwd I can see my LDAP users. They can log on directly on the server, and when I am connected as root via SSH I can su to the LDAP users.

In the messages file I get the following entries when trying to connect via SSH:

```
Sep 26 22:07:14 server02 slapd[5953]: conn=42 fd=19 ACCEPT from IP=127.0.0.1:53632 (IP=0.0.0.0:389)
Sep 26 22:07:14 server02 slapd[5954]: conn=42 op=0 BIND dn="cn=Manager,dc=knoeferl,dc=ed" method=128
Sep 26 22:07:14 server02 slapd[5954]: conn=42 op=0 BIND dn="cn=Manager,dc=knoeferl,dc=ed" mech=SIMPLE ssf=0
Sep 26 22:07:14 server02 slapd[5954]: conn=42 op=0 RESULT tag=97 err=0 text=
Sep 26 22:07:14 server02 slapd[6204]: conn=42 op=1 SRCH base="ou=People,dc=knoeferl,dc=ed" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=hans))"
Sep 26 22:07:14 server02 slapd[6204]: conn=42 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Sep 26 22:07:14 server02 slapd[6204]: conn=42 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 26 22:07:16 server02 slapd[5953]: conn=43 fd=20 ACCEPT from IP=127.0.0.1:53633 (IP=0.0.0.0:389)
Sep 26 22:07:16 server02 slapd[5953]: conn=42 fd=19 closed
Sep 26 22:07:16 server02 slapd[5955]: conn=43 op=0 BIND dn="cn=Manager,dc=knoeferl,dc=ed" method=128
Sep 26 22:07:16 server02 slapd[5955]: conn=43 op=0 BIND dn="cn=Manager,dc=knoeferl,dc=ed" mech=SIMPLE ssf=0
Sep 26 22:07:16 server02 slapd[5955]: conn=43 op=0 RESULT tag=97 err=0 text=
Sep 26 22:07:16 server02 slapd[6205]: conn=43 op=1 SRCH base="ou=People,dc=knoeferl,dc=ed" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=hans))"
Sep 26 22:07:16 server02 slapd[6205]: conn=43 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Sep 26 22:07:16 server02 slapd[6205]: conn=43 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 26 22:07:16 server02 slapd[5954]: conn=43 op=2 SRCH base="ou=People,dc=knoeferl,dc=ed" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=hans))"
Sep 26 22:07:16 server02 slapd[5954]: conn=43 op=2 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Sep 26 22:07:16 server02 slapd[5954]: conn=43 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 26 22:07:16 server02 slapd[6204]: conn=43 op=3 SRCH base="ou=People,dc=knoeferl,dc=ed" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=hans))"
Sep 26 22:07:16 server02 slapd[6204]: conn=43 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Sep 26 22:07:16 server02 slapd[6204]: conn=43 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 26 22:07:16 server02 slapd[5955]: conn=43 op=4 SRCH base="ou=People,dc=knoeferl,dc=ed" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=hans))"
Sep 26 22:07:16 server02 slapd[5955]: conn=43 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Sep 26 22:07:16 server02 slapd[5955]: conn=43 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 26 22:07:16 server02 slapd[6205]: conn=43 op=5 SRCH base="ou=People,dc=knoeferl,dc=ed" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=hans))"
Sep 26 22:07:16 server02 slapd[6205]: conn=43 op=5 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Sep 26 22:07:16 server02 slapd[6205]: conn=43 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 26 22:07:16 server02 slapd[5953]: conn=44 fd=19 ACCEPT from IP=127.0.0.1:53634 (IP=0.0.0.0:389)
Sep 26 22:07:16 server02 slapd[5954]: conn=44 op=0 BIND dn="cn=Manager,dc=knoeferl,dc=ed" method=128
Sep 26 22:07:16 server02 slapd[5954]: conn=44 op=0 BIND dn="cn=Manager,dc=knoeferl,dc=ed" mech=SIMPLE ssf=0
Sep 26 22:07:16 server02 slapd[5954]: conn=44 op=0 RESULT tag=97 err=0 text=
Sep 26 22:07:16 server02 slapd[6204]: conn=44 op=1 SRCH base="ou=People,dc=knoeferl,dc=ed" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=hans))"
Sep 26 22:07:16 server02 slapd[6204]: conn=44 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 26 22:07:16 server02 slapd[5953]: conn=44 fd=19 closed
Sep 26 22:07:16 server02 slapd[5953]: conn=43 fd=20 closed
Sep 26 22:07:16 server02 sshd[6239]: Accepted keyboard-interactive/pam for hans from 192.168.6.11 port 1972 ssh2
Sep 26 22:07:16 server02 slapd[5953]: conn=45 fd=19 ACCEPT from IP=127.0.0.1:53635 (IP=0.0.0.0:389)
Sep 26 22:07:16 server02 slapd[5955]: conn=45 op=0 BIND dn="cn=Manager,dc=knoeferl,dc=ed" method=128
Sep 26 22:07:16 server02 slapd[5955]: conn=45 op=0 BIND dn="cn=Manager,dc=knoeferl,dc=ed" mech=SIMPLE ssf=0
Sep 26 22:07:16 server02 slapd[5955]: conn=45 op=0 RESULT tag=97 err=0 text=
Sep 26 22:07:16 server02 slapd[6205]: conn=45 op=1 SRCH base="ou=People,dc=knoeferl,dc=ed" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=hans))"
Sep 26 22:07:16 server02 slapd[6205]: conn=45 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 26 22:07:16 server02 slapd[5954]: conn=45 op=2 SRCH base="ou=Group,dc=knoeferl,dc=ed" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=hans)(uniqueMember=uid=hans,ou=people,dc=knoeferl,dc=ed)))"
Sep 26 22:07:16 server02 slapd[5954]: conn=45 op=2 SRCH attr=gidNumber
Sep 26 22:07:16 server02 slapd[6204]: conn=45 op=3 SRCH base="ou=Group,dc=knoeferl,dc=ed" scope=2 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=domain admins,ou=group,dc=knoeferl,dc=ed))"
Sep 26 22:07:16 server02 slapd[6204]: conn=45 op=3 SRCH attr=gidNumber
Sep 26 22:07:16 server02 slapd[5954]: conn=45 op=2 SEARCH RESULT tag=101 err=0 nentries=2 text=
Sep 26 22:07:16 server02 slapd[6204]: conn=45 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 26 22:07:16 server02 slapd[5955]: conn=45 op=4 SRCH base="ou=Group,dc=knoeferl,dc=ed" scope=2 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=domain users,ou=group,dc=knoeferl,dc=ed))"
Sep 26 22:07:16 server02 slapd[5955]: conn=45 op=4 SRCH attr=gidNumber
Sep 26 22:07:16 server02 slapd[5955]: conn=45 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 26 22:07:16 server02 slapd[6205]: conn=45 op=5 SRCH base="ou=People,dc=knoeferl,dc=ed" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=hans))"
Sep 26 22:07:16 server02 slapd[6205]: conn=45 op=5 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Sep 26 22:07:16 server02 slapd[6205]: conn=45 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 26 22:07:16 server02 sshd(pam_unix)[6245]: session opened for user hans by (uid=0)
Sep 26 22:07:16 server02 sshd[6239]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 26 22:07:16 server02 sshd[6239]: fatal: login_get_lastlog: Cannot find account for uid 1001
Sep 26 22:07:16 server02 sshd[6239]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 26 22:07:16 server02 sshd[6239]: fatal: login_init_entry: Cannot find user "hans"
Sep 26 22:07:16 server02 sshd(pam_unix)[6245]: session closed for user hans
Sep 26 22:07:16 server02 slapd[5953]: conn=45 fd=19 closed
```

What is the problem? The LDAP gets queried first and then it can't be contacted?

Here are my config-files:

ldap.conf:

```
base dc=knoeferl,dc=ed
uri ldap://127.0.0.1/
ldap_version 3
rootbinddn cn=Manager,dc=knoeferl,dc=ed
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_password exop
nss_base_passwd ou=People,dc=knoeferl,dc=ed
nss_base_passwd ou=Hosts,dc=knoeferl,dc=ed
nss_base_shadow ou=People,dc=knoeferl,dc=ed
nss_base_group  ou=Group,dc=knoeferl,dc=ed
nss_base_hosts  ou=Hosts,dc=knoeferl,dc=ed
```

secret.conf has just the password in it.

nsswitch.conf:

```
passwd:      compat ldap
shadow:      compat ldap
...
```

system-auth:

```
#%PAM-1.0
auth       required	pam_env.so
...
```

Can anyone help me?

Thanks in advance,

Vogi.

Last edited by Vogi on Wed Sep 28, 2005 7:04 pm; edited 1 time in total
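The log above shows the order of events that matters for triage: sshd reports "Accepted keyboard-interactive/pam", pam_unix opens the session, and only then the privileged sshd process fails its own NSS lookups and aborts with `login_get_lastlog` / `login_init_entry`. That sequence separates an NSS/nss_ldap breakage from a credential failure, so it is worth detecting explicitly. The following is an added example, not code from the thread: it parses classic syslog lines ("Mon DD HH:MM:SS host prog[pid]: message"), groups sshd messages by PID and reports every PID where an accepted login was followed by an nss_ldap failure and a fatal login_* abort. The sample lines are constructed after the post's log (same shape, with an extra normal root login that must not be flagged).

```python
"""Flag SSH logins that passed PAM but died in sshd's post-auth NSS lookup.

Added example for the thread above, not its code. Assumes classic syslog
format; the sample lines are constructed after the post's log."""
import re
from collections import defaultdict

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w()._-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
NSS_FAIL_RE = re.compile(r"^nss_ldap: could not search LDAP server")
FATAL_RE = re.compile(r"^fatal: (?P<func>login_\w+):")

# Constructed sample: the failing "hans" login from the post, plus a
# healthy root login that the detector must leave alone.
SAMPLE_LOG = """\
Sep 26 22:07:16 server02 sshd[6239]: Accepted keyboard-interactive/pam for hans from 192.168.6.11 port 1972 ssh2
Sep 26 22:07:16 server02 sshd(pam_unix)[6245]: session opened for user hans by (uid=0)
Sep 26 22:07:16 server02 sshd[6239]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 26 22:07:16 server02 sshd[6239]: fatal: login_get_lastlog: Cannot find account for uid 1001
Sep 26 22:07:16 server02 sshd[6239]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 26 22:07:16 server02 sshd[6239]: fatal: login_init_entry: Cannot find user "hans"
Sep 26 22:07:16 server02 sshd(pam_unix)[6245]: session closed for user hans
Sep 26 22:09:01 server02 sshd[6301]: Accepted publickey for root from 192.168.6.11 port 1980 ssh2
Sep 26 22:09:01 server02 sshd(pam_unix)[6305]: session opened for user root by (uid=0)
"""


def parse(line):
    """Split one syslog line into its fields, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def find_post_auth_lookup_failures(text):
    """Return one dict per sshd PID whose 'Accepted' line was followed by an
    nss_ldap lookup failure and a fatal login_* abort. A healthy login has
    the Accepted line but neither of the other two, so it is not reported."""
    by_pid = defaultdict(lambda: {"user": None, "src": None,
                                  "nss_failures": 0, "fatals": []})
    for line in text.splitlines():
        rec = parse(line)
        # Only the main sshd process (not the sshd(pam_unix) session
        # messages) emits the Accepted / nss_ldap / fatal lines.
        if not rec or rec["prog"] != "sshd":
            continue
        ev = by_pid[rec["pid"]]
        msg = rec["msg"]
        if (m := ACCEPTED_RE.match(msg)):
            ev["user"], ev["src"] = m["user"], m["src"]
        elif NSS_FAIL_RE.match(msg):
            ev["nss_failures"] += 1
        elif (m := FATAL_RE.match(msg)):
            ev["fatals"].append(m["func"])
    return [
        {"pid": pid, **ev}
        for pid, ev in by_pid.items()
        if ev["user"] and ev["nss_failures"] and ev["fatals"]
    ]


if __name__ == "__main__":
    for hit in find_post_auth_lookup_failures(SAMPLE_LOG):
        print(f"sshd[{hit['pid']}]: user {hit['user']} from {hit['src']} "
              f"accepted by PAM, then {hit['nss_failures']} nss_ldap "
              f"failure(s) and abort in {', '.join(hit['fatals'])}")
```

Keying on the sshd PID is what keeps the two concurrent logins apart; feeding the detector the real /var/log/messages (or a journal export in the same format) gives an alert that points at the NSS layer rather than at the user's password.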

----------

## Redeeman

This is my system-auth PAM file:

```
#%PAM-1.0
auth            required        pam_env.so
auth            sufficient      pam_unix.so likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
auth            required        pam_deny.so
account         required        pam_unix.so
account         sufficient      pam_ldap.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so nullok md5 shadow use_authtok
password        sufficient      pam_ldap.so use_authtok
password        required        pam_deny.so
session         required        pam_limits.so
session         required        pam_unix.so
session         optional        pam_ldap.so
```

I have one kind of large difference too, the fact that I use anonymous binding in /etc/ldap.conf:

```
ssl start_tls
ssl on
suffix          "dc=KasperSandberg"
uri ldaps://localhost:636
pam_password md5
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
#Real users
nss_base_passwd ou=Real,ou=Users,ou=UsersGroups,o=MainServer,dc=KasperSandberg
nss_base_shadow ou=Real,ou=Users,ou=UsersGroups,o=MainServer,dc=KasperSandberg
nss_base_group  ou=Real,ou=Groups,ou=UsersGroups,o=MainServer,dc=KasperSandberg
scope one
```

However, when doing this you need a somewhat open slapd (the ACL). This is mine:

```
access to *
        by users read
        by anonymous read
access to attrs=userPassword,gecos,description,loginShell
        by self write
```

I have written a howto for setting up OpenLDAP on Gentoo: http://wiki.kaspersandberg.com/doku.php?id=howtos:openldap

I hope it helps.
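The control flags in the system-auth stack above decide how the local (pam_unix) and LDAP (pam_ldap) backends combine, and getting one of them wrong silently locks out one class of users. To make the ordering visible, here is an added example (not Redeeman's code and not libpam itself) that models Linux-PAM's required/requisite/sufficient/optional dispatch over the auth and account lines quoted above. Module outcomes are supplied as hypothetical values, so the effect of each flag can be traced without real modules: an LDAP-only user fails pam_unix but passes pam_ldap; a user with a wrong password fails both and falls through to pam_deny; and turning the pam_unix auth line into `required` shows why that variant rejects LDAP-only users even though pam_ldap succeeds.

```python
"""Model of how Linux-PAM combines the modules of one stack.

Added example, not the thread's code and not libpam: module outcomes are
hypothetical values passed in by the caller."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Auth and account lines from the system-auth file quoted above.
SYSTEM_AUTH = """\
auth     required   pam_env.so
auth     sufficient pam_unix.so likeauth nullok
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
account  sufficient pam_ldap.so
"""

# pam_deny.so always fails; any other module succeeds unless the scenario
# supplies a different outcome for it.
ALWAYS = {"pam_deny.so": PAM_PERM_DENIED}


def parse_stack(text):
    """'<type> <control> <module> [args...]' lines -> list of tuples."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ptype, control, module, *args = line.split()
            stack.append((ptype, control, module, args))
    return stack


def swap_control(text, phase, module, new_control):
    """Return the stack text with one line's control flag changed."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == phase and parts[2] == module:
            parts[1] = new_control
            line = " ".join(parts)
        out.append(line)
    return "\n".join(out)


def run_phase(stack, phase, outcomes):
    """Dispatch one phase (auth, account, ...) the way libpam does.
    `outcomes` maps (phase, module) -> result for the user being modelled."""
    impression = None          # None = undecided, True = positive, False = negative
    status = PAM_SUCCESS
    optional_status = None     # only decides if nothing else ran
    for ptype, control, module, _args in stack:
        if ptype != phase:
            continue
        rc = outcomes.get((phase, module), ALWAYS.get(module, PAM_SUCCESS))
        ok = rc == PAM_SUCCESS
        if control == "required":
            if ok:
                if impression is None:
                    impression = True
            elif impression in (None, True):
                impression, status = False, rc      # first failure sticks, stack continues
        elif control == "requisite":
            if not ok:
                return rc                           # abort the stack at once
            if impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression in (None, True):
                return PAM_SUCCESS                  # short-circuit: later lines never run
        elif control == "optional":
            optional_status = rc
    if impression is None:
        return optional_status if optional_status is not None else PAM_PERM_DENIED
    return PAM_SUCCESS if impression else status


if __name__ == "__main__":
    stack = parse_stack(SYSTEM_AUTH)
    ldap_only = {("auth", "pam_unix.so"): PAM_AUTH_ERR}   # no /etc/shadow entry
    print("LDAP-only user, auth   :", run_phase(stack, "auth", ldap_only))
    print("LDAP-only user, account:", run_phase(stack, "account", ldap_only))
    strict = parse_stack(swap_control(SYSTEM_AUTH, "auth", "pam_unix.so", "required"))
    print("same user, pam_unix required:", run_phase(strict, "auth", ldap_only))
```

The account phase succeeds for the LDAP-only user in this model because pam_unix's account check resolves the user through NSS, which is exactly the path that nss_ldap provides; the model therefore leaves `("account", "pam_unix.so")` at its default of success.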

----------

## Vogi

Thanks for your answer.

I tried your configuration files, but the error still occurs:

```
Sep 27 20:34:28 server02 sshd(pam_unix)[6299]: check pass; user unknown
Sep 27 20:34:28 server02 sshd(pam_unix)[6299]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc01.knoeferl.ed 
Sep 27 20:34:28 server02 sshd[6294]: Accepted keyboard-interactive/pam for hans2 from 192.168.6.11 port 4856 ssh2
Sep 27 20:34:28 server02 sshd(pam_unix)[6300]: session opened for user hans2 by (uid=0)
Sep 27 20:34:28 server02 sshd[6294]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 27 20:34:28 server02 sshd[6294]: fatal: login_get_lastlog: Cannot find account for uid 1003
Sep 27 20:34:28 server02 sshd[6294]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 27 20:34:28 server02 sshd[6294]: fatal: login_init_entry: Cannot find user "hans2"
Sep 27 20:34:28 server02 sshd(pam_unix)[6300]: session closed for user hans2
```

But the strange thing is that the LDAP users can log in at the machine.

Also vsftpd, Samba and mail (cyrus-sasl) work fine.

What is not working:

Login for the LDAP users via SSH (Windows with PuTTY); local users (root) work fine.

Locally logged-in LDAP users can't use "su" to any other user:

```
Sep 27 20:40:21 server02 su[6316]: pam_authenticate: Permission denied
```

Which config files could be wrong? Is there an LDAP entry which is not correct?

Example user:

```
dn: uid=hans2,ou=People, dc=knoeferl,dc=ed
sambaAcctFlags: [U          ]
mail: xxx@xxx.xx
uid: hans2
sambaLMPassword: BD67A2E0D7DD11C7AAD3B635B51404EE
sambaPwdCanChange: 1127659271
sambaKickoffTime: 2147483647
sambaLogoffTime: 2147483647
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: qmailUser
description: System User
sambaProfilePath: \\Server02\profiles\hans2
uidNumber: 1003
sn: XXXXXX
gidNumber: 100
gecos: System User
sambaPwdMustChange: 2147483647
shadowFlag: 0
mailAlternateAddress: XXXXXX
sambaPwdLastSet: 1127659271
shadowMin: 0
userPassword:: e01ENY12cnV4S3lYOXVhMEZPVVdSNXF2QVdRPT0=
sambaLogonScript: logon.bat
sambaLogonTime: 0
shadowWarning: 7
cn: XXXXXX
sambaNTPassword: 5924ABACA7DD9F5968A22g0D18E2B3F0
sambaHomeDrive: H:
homeDirectory: /home/hans2
givenName: XXXXXX
displayName: XXXXXX
shadowInactive: -1
shadowLastChange: 1329
sambaSID: S-1-5-21-3485252595-2662167761-1754894993-3006
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000
 000000000
sambaPrimaryGroupSID: S-1-5-21-5445252575-2562177461-1754894993-513
shadowMax: 999999
shadowExpire: -1
loginShell: /bin/bash
sambaHomePath: \\Server02\hans2
```

Thanks for any help,

Vogi.
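The question "is there an LDAP entry which is not correct?" can be answered mechanically: the slapd log in the first post shows exactly what nss_ldap asks for (filter `(&(objectClass=posixAccount)(uid=...))`, attributes uid, uidNumber, gidNumber, cn, homeDirectory, loginShell), so an entry can be checked against that list before suspecting the client libraries. The following is an added example, not code from the thread: a small LDIF reader that handles folded continuation lines (as in the sambaPasswordHistory value above) and base64 `::` values, plus a validator for the attributes a passwd record needs. The entries below are constructed (placeholder DN, password and hashes), modelled on the posted one.

```python
"""Check an LDIF entry for what nss_ldap needs to build a passwd record.

Added example for the thread above, not its code. The LDIF entries are
constructed; the userPassword value is base64 of the placeholder "{MD5}test"."""
import base64
import re

REQUIRED_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
NUMERIC_ATTRS = ("uidNumber", "gidNumber", "shadowLastChange", "shadowMax",
                 "shadowMin", "shadowWarning", "shadowInactive", "shadowExpire")

SAMPLE_LDIF = """\
dn: uid=hans2,ou=People,dc=example,dc=test
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: hans2
cn: Hans Example
sn: Example
uidNumber: 1003
gidNumber: 100
homeDirectory: /home/hans2
loginShell: /bin/bash
userPassword:: e01ENX10ZXN0
shadowLastChange: 1329
shadowMax: 999999
sambaPasswordHistory: 0000000000000000000000000000000000000000
 000000000000000000000000
"""

# Constructed broken entry: non-numeric uidNumber, no loginShell.
BROKEN_LDIF = """\
dn: uid=broken,ou=People,dc=example,dc=test
objectClass: posixAccount
uid: broken
uidNumber: abc
gidNumber: 100
homeDirectory: home/broken
"""

ATTR_RE = re.compile(r"^(?P<attr>[A-Za-z][\w;.-]*)(?P<b64>:)?: ?(?P<val>.*)$")


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto their logical line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts, decoding '::' base64 values."""
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if line == "":                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"unparseable LDIF line: {line!r}")
        val = m["val"]
        if m["b64"]:
            val = base64.b64decode(val).decode("utf-8", errors="replace")
        current.setdefault(m["attr"], []).append(val)
    return entries


def validate_posix_entry(entry):
    """Return the problems that would stop an nss_ldap passwd lookup on this
    entry (empty list = the entry has everything the log's query asks for)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "posixaccount" not in classes:
        problems.append("missing objectClass posixAccount (the passwd filter will not match)")
    for attr in REQUIRED_ATTRS:
        if attr not in entry:
            problems.append(f"missing required attribute {attr}")
    for attr in NUMERIC_ATTRS:
        for v in entry.get(attr, []):
            if not re.fullmatch(r"-?\d+", v):
                problems.append(f"{attr} is not an integer: {v!r}")
    home = entry.get("homeDirectory", [""])[0]
    if home and not home.startswith("/"):
        problems.append(f"homeDirectory is not absolute: {home!r}")
    for pw in entry.get("userPassword", []):
        if not pw.startswith("{"):
            problems.append("userPassword has no {scheme} prefix (stored in cleartext)")
    return problems


def password_scheme(entry):
    """Return the {scheme} prefix of userPassword, or None if absent."""
    pw = entry.get("userPassword", [None])[0]
    if pw and pw.startswith("{") and "}" in pw:
        return pw[1:pw.index("}")]
    return None


if __name__ == "__main__":
    for ldif in (SAMPLE_LDIF, BROKEN_LDIF):
        entry = parse_ldif(ldif)[0]
        print(entry["dn"][0], "->", validate_posix_entry(entry) or "ok",
              "| password scheme:", password_scheme(entry))
```

Running it over `ldapsearch -LLL` output of the real People subtree gives a per-entry list; an entry that passes but still cannot log in points away from the directory and towards the client side (nss_ldap, PAM, sshd), which is where this thread ended up.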

----------

## Redeeman

Well, the reason people can't su is because they are not members of the wheel group. The rest I do not know about.

----------

## Vogi

OK, thanks.

Then my "only" problem is the SSH access.

Maybe I will find a solution...

Vogi.

----------

## wellwhoopdedooo

I had this problem after an OpenLDAP update. The solution was to just re-emerge nss_ldap.

*edit*

Or maybe it was pam_ldap.

----------

## Vogi

Wow!

Thanks a lot.

An easy "emerge nss_ldap" fixed it.

Don't know what happened, but now everything is running fine...

Greets,

Vogi

----------

## ellingsw

I just thought I would post here to let others know what works to fix the SSH issue.

I use LDAP authentication as well. I was getting the following error message on one of my machines when anyone listed in LDAP tried to log in:

```
Oct 12 23:08:24 HOSTNAME sshd[21168]: fatal: login_init_entry: Cannot find user "USERNAME"
```

"emerge nss_ldap" fixed my issue as well.

----------

## twam

Had the same problem after an update of openssh from 3.9 to 4.2.

Re-emerging nss_ldap helped me as well!

----------

## tecknojunky

Wow! I had the same problem, and for once, the first post I hit has the exact solution I needed. Yay!

----------

## smerf

Using (insecure, I know, just an act of desperation) UsePrivilegeSeparation no also helped, no idea why... anyone?

----------

