i have configured ldap client (ubuntu 20.04) with nss_ldap to connect on ldap server and accept users in a specific group, it seems that everything is working fine, the client can access the ldap server and ldap users can access the client machine. however i am receiving the following error message when the client connects to ldap server:
systemd-logind: nss_ldap: failed to bind to LDAP server ldap://[IP address]: Can't contact LDAP server
systemd-logind: nss_ldap: reconnecting to LDAP server...
systemd-logind: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=com - Can't contact LDAP server
systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable
and here is my configuration files:
/etc/ldap.conf
regarding that parameter (nss_initgroups_ignoreusers) is auto-generated.
# The distinguished name of the search base.
base dc=example,dc=com
# Another way to specify your LDAP server is to provide an
uri ldap://[IP address]
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=example,dc=com
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5
nss_initgroups_ignoreusers _apt,backup,bin,clamav,daemon,fwupd-refresh,games,gnats,irc,landscape,list,lp,lxd,mail,man,messagebus,mysql,news,pollinate,proxy,root,sshd,sync,sys,syslog,systemd-coredump,systemd-network,systemd-resolve,systemd-timesync,tcpdump,tss,uucp,uuidd,www-data
/etc/ldap.secret --> contain the password.
/etc/nsswitch.conf
passwd: files ldap systemd
group: files ldap systemd
shadow: files ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/pam.d/common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
/etc/security/access.conf
added this line [ -:ALL EXCEPT root khloud (ldap-group) (admin) ubuntu:ALL EXCEPT LOCAL ]
/etc/pam.d/sshd --> uncomment the following line:
account required pam_access.so
Note:
i tested the connection also with ldapsearch and it works.
i tried to change in nsswitch.conf file or reinstalling nss_ldap client again but i still receiving the same error while everything is working right.
