What configuration errors would lead to the situation where ldapsearch works and getent works, but authentication seems to fail sometimes during SSH login?
I have two servers that query a third server for LDAP authentication. All servers are running Ubuntu 18.04.
The LDAP server (running OpenLDAP / slapd) uses a self-signed certificate and both client servers have "TLS_REQCERT allow" in /etc/ldap/ldap.conf. Both client servers can also successfully use ldapsearch over ldaps to query for users. On both client servers, I can run getent passwd and get the expected results.
However, on one server, when I log in via ssh, I experience a consistent delay (about thirty seconds). /var/log/auth.log from that server includes these lines:
    pam_systemd(sshd:session): Failed to create session: Connection timed out
    nss_ldap: reconnecting to LDAP server...
    nss_ldap: reconnected to LDAP server ldaps://[IP address] after 1 attempt
    systemd-logind: nss_ldap: could not connect to any LDAP server as [...] - Can't contact LDAP server
    systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://[IP address]: Can't contact LDAP server

As far as I know, all relevant pieces of the configuration for the two client servers are the same as each other's.
I have tried:
    sudo systemctl restart systemd-logind
    sudo systemctl restart polkit

sudo journalctl -u systemd-logind shows:

    nss_ldap: could not connect to any LDAP server as [...] - Can't contact
    nss_ldap: failed to bind to LDAP server ldaps://[IP address]: Can't contact LDAP server
    nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...

On the client side of SSH, I see what's outlined here: ssh connection takes forever to initiate, stuck at "pledge: network"
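The log lines above are specific: the lookups that fail are the ones performed by nss_ldap inside systemd-logind, not the ones performed by sshd or by a shell running getent. That narrows the search to anything that constrains logind's process differently from the rest of the system. One such constraint to verify on both hosts is the sandboxing of systemd-logind.service itself: the unit shipped with systemd 237 (the version in Ubuntu 18.04) carries IPAddressDeny=any and RestrictAddressFamilies=AF_UNIX AF_NETLINK, which prevent logind from opening a TCP connection to an LDAP server even though every other process can, unless a drop-in override or a local NSS cache (nscd, which glibc consults over a Unix socket) is in the path. The script below is an added example, not part of the question or any answer to it; the unit text and journal lines it parses are constructed samples that mirror the question, and the address 192.0.2.10 is a placeholder for the LDAP server.

```shell
#!/bin/sh
# Added example: classify why systemd-logind cannot reach LDAP while
# ldapsearch and getent run from a shell can. Not from the original question.

# Reads unit keys (for example `systemctl cat systemd-logind` or
# `systemctl show systemd-logind`) on stdin and prints one verdict:
#   blocked             - logind's sandbox cannot open TCP to the LDAP server
#   allowlisted:<list>  - IP filtering is on but an IPAddressAllow= exists;
#                         check that the LDAP server is in <list>
#   open                - no sandbox setting stops the connection
logind_sandbox_verdict() {
    deny=""; allow=""; families="unset"
    while IFS= read -r line; do
        case "$line" in
            IPAddressDeny=*)           deny="${line#IPAddressDeny=}" ;;
            IPAddressAllow=*)          allow="${line#IPAddressAllow=}" ;;
            RestrictAddressFamilies=*) families="${line#RestrictAddressFamilies=}" ;;
        esac
    done
    # An explicit RestrictAddressFamilies= without AF_INET/AF_INET6 means no
    # TCP socket can be created at all, whatever the IP filter says.
    if [ "$families" != "unset" ]; then
        case " $families " in
            *" AF_INET "*|*" AF_INET6 "*) ;;
            *) echo "blocked"; return 0 ;;
        esac
    fi
    # IPAddressDeny=any (rendered as 0.0.0.0/0 ::/0 by `systemctl show`)
    # drops every packet logind sends unless an IPAddressAllow= exempts it.
    case "$deny" in
        *any*|*0.0.0.0/0*)
            if [ -n "$allow" ]; then echo "allowlisted:$allow"; else echo "blocked"; fi
            return 0 ;;
    esac
    echo "open"
}

# Counts journal/auth.log lines on stdin where nss_ldap failed *inside*
# systemd-logind, as opposed to inside sshd or a user session.
logind_ldap_failures() {
    grep -c "systemd-logind.*nss_ldap.*Can't contact LDAP server" || true
}

# Constructed sample of the [Service] keys systemd 237 ships for logind.
SAMPLE_UNIT='[Service]
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX AF_NETLINK
ProtectSystem=strict'

# Constructed journal lines mirroring the ones quoted in the question.
SAMPLE_LOG="sshd[1234]: pam_systemd(sshd:session): Failed to create session: Connection timed out
systemd-logind[567]: nss_ldap: could not connect to any LDAP server as cn=placeholder - Can't contact LDAP server
systemd-logind[567]: nss_ldap: failed to bind to LDAP server ldaps://192.0.2.10: Can't contact LDAP server
sshd[1234]: nss_ldap: reconnected to LDAP server ldaps://192.0.2.10 after 1 attempt"

printf '%s\n' "$SAMPLE_UNIT" | logind_sandbox_verdict   # blocked
printf '%s\n' "$SAMPLE_LOG" | logind_ldap_failures      # 2
```

On a real host, feed the script live data instead of the samples: `systemctl cat systemd-logind | logind_sandbox_verdict` (the output includes any drop-in under /etc/systemd/system/systemd-logind.service.d/, which is where one server may differ from the other) and `journalctl -u systemd-logind | logind_ldap_failures`. Also compare `systemctl is-active nscd` on both hosts, since a running nscd lets logind resolve users through a Unix socket without ever opening the TCP connection the sandbox denies. If the verdict is "blocked", the defensive fix is a narrow drop-in that adds AF_INET/AF_INET6 and an IPAddressAllow= entry for just the LDAP server rather than removing the sandbox, or routing logind's lookups through nscd/sssd so the network-facing code stays out of the privileged daemon.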