Sorry for the typo. It's not sssd, it is sshd.
I am using the nscd daemon. I tried to debug nss_ldap by setting the log level in /etc/ldap.conf. I observed that the connection to the LDAP server is established and it accepts the request from nss_ldap (which requests the user info by uid). But LDAP responds with neither an error message nor a success message.
[22/May/2013:13:38:13 +0000] conn=44 op=18 SRCH base="ou=people,o=test,o=suffix" scope=2 filter="(&(objectClass=<xyz>)(uid=testuser))" attrs="uid uidNumber gidNumber "
[22/May/2013:13:38:13 +0000] conn=44 op=18 RESULT err=0 tag=101 nentries=0 etime=0
From the above LDAP search operation, nentries is zero. But the user is present in LDAP; this was verified by running the ldapsearch command.
Steps to replicate this behavior:
1. Disable (off) nsslapd-anonymous-access.
2. Modify the ACI (access control information) for the base DN, introducing a DN with a password to bind to LDAP.
3. Provide the modified ACI information in /etc/ldap.conf with the appropriate binddn and bindpw.
4. Create a user in LDAP so that an ssh login communicates with LDAP via PAM.
5. Configure PAM appropriately (/etc/pam.d) to authenticate the users.
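To make the access-log evidence above easier to read, here is an added triage helper (not from the original post) that pairs each SRCH with its RESULT by conn/op, records which DN the connection was bound as, and flags uid lookups that came back with no entry. The two SRCH/RESULT lines are the ones quoted above; the BIND pair and the bind DN cn=nss-reader are constructed for the sample.

```python
import re

# Constructed sample: the two SRCH/RESULT lines quoted in the post, plus a
# constructed BIND pair on the same connection so the bound identity is known.
SAMPLE_LOG = """\
[22/May/2013:13:38:13 +0000] conn=44 op=0 BIND dn="cn=nss-reader,o=test,o=suffix" method=128 version=3
[22/May/2013:13:38:13 +0000] conn=44 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=nss-reader,o=test,o=suffix"
[22/May/2013:13:38:13 +0000] conn=44 op=18 SRCH base="ou=people,o=test,o=suffix" scope=2 filter="(&(objectClass=<xyz>)(uid=testuser))" attrs="uid uidNumber gidNumber "
[22/May/2013:13:38:13 +0000] conn=44 op=18 RESULT err=0 tag=101 nentries=0 etime=0
"""

HEAD_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+) ?(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare

def parse_access_log(text):
    """Pair each BIND/SRCH with its RESULT by (conn, op); returns {(conn, op): op_dict}."""
    ops, bind_dn = {}, {}          # bind_dn: conn -> DN of last successful bind
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        fields = {k: (q or v) for k, q, v in KV_RE.findall(m['rest'])}
        if m['kind'] == 'RESULT':
            op = ops.setdefault(key, {'kind': '?'})
            op['err'] = int(fields.get('err', -1))
            op['nentries'] = int(fields.get('nentries', 0))
            if op['kind'] == 'BIND' and op['err'] == 0:
                bind_dn[key[0]] = op.get('dn', '')
        else:   # BIND, SRCH, ...: remember who the connection is bound as at this point
            ops[key] = {'kind': m['kind'], 'bind_dn': bind_dn.get(key[0], '<anonymous>'), **fields}
    return ops

def triage_uid_lookups(ops):
    """Flag uid lookups that returned no entry and say what the result code implies."""
    findings = []
    for (conn, opnum), op in sorted(ops.items()):
        if op['kind'] != 'SRCH' or '(uid=' not in op.get('filter', '') or op.get('nentries', 0) > 0:
            continue
        err = op.get('err')
        if err is None:
            reason = 'no RESULT line seen for this search'
        elif err == 0:
            reason = 'err=0 with nentries=0: entry is invisible to the bind DN (check the ACI) or the filter (objectClass) does not match'
        elif err == 50:
            reason = 'err=50: insufficient access for the bind DN'
        elif err == 32:
            reason = 'err=32: search base does not exist'
        else:
            reason = f'err={err}: look up the LDAP result code'
        findings.append({'conn': conn, 'op': opnum, 'bind_dn': op['bind_dn'], 'filter': op['filter'], 'reason': reason})
    return findings

if __name__ == '__main__':
    for f in triage_uid_lookups(parse_access_log(SAMPLE_LOG)):
        print(f)
```

For the quoted lines this reports one finding on conn=44 op=18 with err=0 and nentries=0, which points at the ACI for the bind DN or the objectClass in the filter rather than at a connection problem.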
Use NSCD or SSSD, not both. NSCD is a caching daemon and SSSD has its own caching daemon; they will conflict.
On May 22, 2013, at 4:18 AM, Shriram M <firstname.lastname@example.org> wrote:
I am trying LDAP authentication for users logging in to CentOS via PAM. Also, I have disabled (off) the nsslapd-anonymous-access flag to restrict anonymous access, providing the binddn and bindpw instead.
I have changed binddn and bindpw in /etc/ldap.conf so that PAM binds to LDAP to authenticate the user.
i.e. when a user tries to ssh in, PAM reads /etc/ldap.conf and binds to LDAP to authenticate the corresponding user.
User authentication is not working every time, i.e. sometimes the user is authenticated and sometimes the user is not.
I have verified that 389 FDS, nscd and sshd are properly running on CentOS.
I have tried an ldapsearch for the corresponding user. The result shows the user properly.
389 users mailing list