Re: ssh with ldap authentication

[Howard Chu <hyc@symas.com>]

Rodney Simioni wrote:
> Itâs not fixed, itâs a mystery. I just created new accounts this morning and I
> tried to login and it was unsuccessful, but these accounts may work later today.
>
> Itâs just taking a very long time for the accounts to be enabled through ssh
> login with ldap authentication.

There's nothing in OpenLDAP that would do this. Sounds like your pam or nss 
config is flaky, but unless you're using OpenLDAP's nssov, then this has 
nothing to do with OpenLDAP. Most likely you're using nscd.

> *From:*openldap-technical-bounces@OpenLDAP.org
> [mailto:openldap-technical-bounces@OpenLDAP.org] *On Behalf Of *Rodney Simioni
> *Sent:* Wednesday, March 06, 2013 10:47 AM
> *To:* openldap-technical@openldap.org
> *Subject:* RE: ssh with ldap authentication
>
> Something new has just transpired. Before leaving work last night, I created
> 10 accounts and then tried to ssh in. All the logins failed prompting for the
> password.
>
> I came to work this morning, and now all the accounts are able to login
> successfully.
>
> Why is it taking so long for the accounts to work?
>
> *From:*Rodney Simioni
> *Sent:* Tuesday, March 05, 2013 2:17 PM
> *To:* 'openldap-technical@openldap.org'
> *Subject:* ssh with ldap authentication
>
> Hi,
>
> Iâm new to LDAP.  I just created a new user in LDAP and it cannot login
> through ssh. It keeps prompting for the password. Any help will be greatly
> appreciated.
>
> # dude12, people, wh.local
>
> dn: uid=dude12,ou=people,dc=wh,dc=local
>
> uid: dude12
>
> cn: Johnny Appleseed
>
> objectClass: account
>
> objectClass: posixAccount
>
> objectClass: top
>
> objectClass: shadowAccount
>
> userPassword:: e1NTSEF9K2E0YXVTWlYwckMwRUhsVWlNVzBrS2U3MzA1a1JrOVI=
>
> shadowLastChange: 15140
>
> shadowMax: 99999
>
> shadowWarning: 7
>
> uidNumber: 1212
>
> gidNumber: 1212
>
> homeDirectory: /home/dude12
>
> loginShell: /bin/bash
>
> # dude12, group, wh.local
>
> dn: cn=dude12,ou=group,dc=wh,dc=local
>
> objectClass: posixGroup
>
> objectClass: top
>
> cn: dude12
>
> gidNumber: 1212
>
> userPassword:: e0NSWVBUfXg=
>
> # search result
>
> search: 2
>
> result: 0 Success
>
> # numResponses: 220
>
> # numEntries: 219
>
> ###############################
>
> When I created the user, the logs indicated.
>
> ###############################
>
> Mar  5 13:53:18 rodster slapd[2678]: =>
> bdb_dn2id("uid=dude12,ou=people,dc=wh,dc=local")
>
> Mar  5 13:53:18 rodster slapd[2678]: <= bdb_dn2id: get failed: DB_NOTFOUND: No
> matching key/data pair found (-30988)
>
> Mar  5 13:53:18 rodster slapd[2678]: => bdb_dn2id_add 0x628:
> "uid=dude12,ou=people,dc=wh,dc=local"
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628
> %ou=people,dc=wh,dc=local
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628
> @ou=people,dc=wh,dc=local
>
> Mar  5 13:53:18 rodster slapd[2678]: <= bdb_dn2id_add 0x628: 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => index_entry_add( 1576,
> "uid=dude12,ou=people,dc=wh,dc=local" )
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628 [7c477315]
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628 [1fd53424]
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628 [02537054]
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628 [53430dd1]
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628 [5aef1f7f]
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628 [acefc46f]
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628 [caca4579]
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628 [c37ad51a]
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628 [9b3bdeb2]
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628 [39ebd2f9]
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:53:18 rodster slapd[2678]: bdb_idl_insert_key: 628 [d7851707]
>
> Mar  5 13:53:18 rodster slapd[2678]: <= key_change 0
>
> Mar  5 13:53:18 rodster slapd[2678]: => key_change(ADD,628)
>
> Mar  5 13:54:51 rodster slapd[2678]: connection_get(24)
>
> Mar  5 13:54:51 rodster slapd[2678]: connection_get(24): got connid=1903
>
> Mar  5 13:54:51 rodster slapd[2678]: connection_read(24): checking for input
> on id=1903
>
> Mar  5 13:54:51 rodster slapd[2678]: ber_get_next on fd 24 failed errno=0
> (Success)
>
> Mar  5 13:54:51 rodster slapd[2678]: connection_close: conn=1903 sd=24
>
> #######################################
>
> When I try to ssh as the user the logs indicates.
>
> #######################################
>
> Mar  5 14:14:30 rodster slapd[2678]: slap_listener_activate(7):
>
> Mar  5 14:14:30 rodster slapd[2678]: >>> slap_listener(ldap:///)
>
> Mar  5 14:14:30 rodster slapd[2678]: connection_get(17)
>
> Mar  5 14:14:30 rodster slapd[2678]: connection_get(17): got connid=1910
>
> Mar  5 14:14:30 rodster slapd[2678]: connection_read(17): checking for input
> on id=1910
>
> Mar  5 14:14:30 rodster slapd[2678]: op tag 0x60, time 1362510870
>
> Mar  5 14:14:30 rodster slapd[2678]: conn=1910 op=0 do_bind
>
> Mar  5 14:14:30 rodster slapd[2678]: >>> dnPrettyNormal: <>
>
> Mar  5 14:14:30 rodster slapd[2678]: <<< dnPrettyNormal: <>, <>
>
> Mar  5 14:14:30 rodster slapd[2678]: do_bind: version=3 dn="" method=128
>
> Mar  5 14:14:30 rodster slapd[2678]: send_ldap_result: conn=1910 op=0 p=3
>
> Mar  5 14:14:30 rodster slapd[2678]: send_ldap_result: err=0 matched="" text=""
>
> Mar  5 14:14:30 rodster slapd[2678]: send_ldap_response: msgid=1 tag=97 err=0
>
> Mar  5 14:14:30 rodster slapd[2678]: do_bind: v3 anonymous bind
>
> Mar  5 14:14:30 rodster slapd[2678]: connection_get(17)
>
> Mar  5 14:14:30 rodster slapd[2678]: connection_get(17): got connid=1910
>
> Mar  5 14:14:30 rodster slapd[2678]: connection_read(17): checking for input
> on id=1910
>
> Mar  5 14:14:30 rodster slapd[2678]: op tag 0x63, time 1362510870
>
> Mar  5 14:14:30 rodster slapd[2678]: conn=1910 op=1 do_search
>
> Mar  5 14:14:30 rodster slapd[2678]: >>> dnPrettyNormal: <dc=wh,dc=local>
>
> Mar  5 14:14:30 rodster slapd[2678]: <<< dnPrettyNormal: <dc=wh,dc=local>,
> <dc=wh,dc=local>
>
> Mar  5 14:14:30 rodster slapd[2678]: SRCH "dc=wh,dc=local" 2 0
>
> Mar  5 14:14:30 rodster slapd[2678]:     1 0 0
>
> Mar  5 14:14:30 rodster slapd[2678]:     filter: (uid=dude12)
>
> Mar  5 14:14:30 rodster slapd[2678]:     attrs:
>
> Mar  5 14:14:30 rodster slapd[2678]:  host
>
> Mar  5 14:14:30 rodster slapd[2678]:  authorizedService
>
> Mar  5 14:14:30 rodster slapd[2678]:  shadowExpire
>
> Mar  5 14:14:30 rodster slapd[2678]:  shadowFlag
>
> Mar  5 14:14:30 rodster slapd[2678]:  shadowInactive
>
> Mar  5 14:14:30 rodster slapd[2678]:  shadowLastChange
>
> Mar  5 14:14:30 rodster slapd[2678]:  shadowMax
>
> Mar  5 14:14:30 rodster slapd[2678]:  shadowMin
>
> Mar  5 14:14:30 rodster slapd[2678]:  shadowWarning
>
> Mar  5 14:14:30 rodster slapd[2678]:  uidNumber
>
> Mar  5 14:14:30 rodster slapd[2678]:
>
> Mar  5 14:14:30 rodster slapd[2678]: ==> limits_get: conn=1910 op=1
> self="[anonymous]" this="dc=wh,dc=local"
>
> Mar  5 14:14:30 rodster slapd[2678]: => bdb_search
>
> Mar  5 14:14:30 rodster slapd[2678]: bdb_dn2entry("dc=wh,dc=local")
>
> Mar  5 14:14:30 rodster slapd[2678]: search_candidates: base="dc=wh,dc=local"
> (0x00000001) scope=2
>
> Mar  5 14:14:30 rodster slapd[2678]: => bdb_dn2idl("dc=wh,dc=local")
>
> Mar  5 14:14:30 rodster slapd[2678]: => bdb_equality_candidates (objectClass)
>
> Mar  5 14:14:30 rodster slapd[2678]: => key_read
>
> Mar  5 14:14:30 rodster slapd[2678]: bdb_idl_fetch_key: [b49d1940]
>
> Mar  5 14:14:30 rodster slapd[2678]: <= bdb_index_read: failed (-30988)
>
> Mar  5 14:14:30 rodster slapd[2678]: <= bdb_equality_candidates: id=0,
> first=0, last=0
>
> Mar  5 14:14:30 rodster slapd[2678]: => bdb_equality_candidates (uid)
>
> Mar  5 14:14:30 rodster slapd[2678]: => key_read
>
> Mar  5 14:14:30 rodster slapd[2678]: bdb_idl_fetch_key: [7c477315]
>
> Mar  5 14:14:30 rodster slapd[2678]: <= bdb_index_read 1 candidates
>
> Mar  5 14:14:30 rodster slapd[2678]: <= bdb_equality_candidates: id=1,
> first=1578, last=1578
>
> Mar  5 14:14:30 rodster slapd[2678]: bdb_search_candidates: id=1 first=1578
> last=1578
>
> Mar  5 14:14:30 rodster slapd[2678]: => send_search_entry: conn 1910
> dn="uid=dude12,ou=people,dc=wh,dc=local"
>
> Mar  5 14:14:30 rodster slapd[2678]: <= send_search_entry: conn 1910 exit.
>
> Mar  5 14:14:30 rodster slapd[2678]: send_ldap_result: conn=1910 op=1 p=3
>
> Mar  5 14:14:30 rodster slapd[2678]: send_ldap_result: err=0 matched="" text=""
>
> Mar  5 14:14:30 rodster slapd[2678]: send_ldap_response: msgid=2 tag=101 err=0
>
> Mar  5 14:14:30 rodster slapd[2678]: connection_get(17)
>
> Mar  5 14:14:30 rodster slapd[2678]: connection_get(17): got connid=1910
>
> Mar  5 14:14:30 rodster slapd[2678]: connection_read(17): checking for input
> on id=1910
>
> Mar  5 14:14:30 rodster slapd[2678]: op tag 0x60, time 1362510870
>
> Mar  5 14:14:30 rodster slapd[2678]: conn=1910 op=2 do_bind
>
> Mar  5 14:14:30 rodster slapd[2678]: >>> dnPrettyNormal:
> <uid=dude12,ou=people,dc=wh,dc=local>
>
> Mar  5 14:14:30 rodster slapd[2678]: <<< dnPrettyNormal:
> <uid=dude12,ou=people,dc=wh,dc=local>, <uid=dude12,ou=people,dc=wh,dc=local>
>
> Mar  5 14:14:30 rodster slapd[2678]: do_bind: version=3
> dn="uid=dude12,ou=people,dc=wh,dc=local" method=128
>
> Mar  5 14:14:30 rodster slapd[2678]: ==> bdb_bind: dn:
> uid=dude12,ou=people,dc=wh,dc=local
>
> Mar  5 14:14:30 rodster slapd[2678]:
> bdb_dn2entry("uid=dude12,ou=people,dc=wh,dc=local")
>
> Mar  5 14:14:30 rodster slapd[2678]: send_ldap_result: conn=1910 op=2 p=3
>
> Mar  5 14:14:30 rodster slapd[2678]: send_ldap_result: err=49 matched="" text=""
>
> Mar  5 14:14:30 rodster slapd[2678]: send_ldap_response: msgid=3 tag=97 err=49
>
> Mar  5 14:14:30 rodster slapd[2678]: connection_get(17)
>
> Mar  5 14:14:30 rodster slapd[2678]: connection_get(17): got connid=1910
>
> Mar  5 14:14:30 rodster slapd[2678]: connection_read(17): checking for input
> on id=1910
>
> Mar  5 14:14:30 rodster slapd[2678]: op tag 0x60, time 1362510870
>
> Mar  5 14:14:30 rodster slapd[2678]: conn=1910 op=3 do_bind
>
> Mar  5 14:14:30 rodster slapd[2678]: >>> dnPrettyNormal: <>
>
> Mar  5 14:14:30 rodster slapd[2678]: <<< dnPrettyNormal: <>, <>
>
> Mar  5 14:14:30 rodster slapd[2678]: do_bind: version=3 dn="" method=128
>
> Mar  5 14:14:30 rodster slapd[2678]: send_ldap_result: conn=1910 op=3 p=3
>
> Mar  5 14:14:30 rodster slapd[2678]: send_ldap_result: err=0 matched="" text=""
>
> Mar  5 14:14:30 rodster slapd[2678]: send_ldap_response: msgid=4 tag=97 err=0
>
> Mar  5 14:14:30 rodster slapd[2678]: do_bind: v3 anonymous bind
>
>
> This email message is intended for the use of the person to whom it has been
> sent, and may contain information that is confidential or legally protected.
> If you are not the intended recipient or have received this message in error,
> you are not authorized to copy, distribute, or otherwise use this message or
> its attachments. Please notify the sender immediately by return e-mail and
> permanently delete this message and any attachments. Verio Inc. makes no
> warranty that this email is error or virus free. Thank you.
>
>
> This email message is intended for the use of the person to whom it has been
> sent, and may contain information that is confidential or legally protected.
> If you are not the intended recipient or have received this message in error,
> you are not authorized to copy, distribute, or otherwise use this message or
> its attachments. Please notify the sender immediately by return e-mail and
> permanently delete this message and any attachments. Verio Inc. makes no
> warranty that this email is error or virus free. Thank you.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/