I have an Ubuntu server running slapd. I've configured the same box as an ldap client. Logging into Ubuntu via LDAP works great as long as I follow these steps:
- Create a group named 'testgroup1' using ldapaddgroup
- Create a user named 'testuser1' using ldapadduser and add it to testgroup1
- Then I can successfully log in to the server as testuser1 using ssh testuser1@my-server. This works great.
So, here's the problem: there are many existing entries in LDAP. Even though these existing entries are in the exact same ou as the 'testuser1' entry, I can't authenticate using any of the existing entries.
The existing entries only have objectClass=inetOrgPerson. So I added objectClass=posixAccount. But, when I try to ssh using these entries (that weren't created using ldapadduser), I see this in the debug output from nslcd:
nslcd: [3c9869] DEBUG: ldap_simple_bind_s("cn=existinguser,ou=my-ou,dc=example,dc=com","*****") (uri="ldap://<ip address>")
nslcd: [3c9869] failed to bind to LDAP server ldap://<ip address>: Invalid credentials: Success
The only difference I see between an entry created by ldapadduser and the existing entries, is that one has a structural objectClass of "Account" and the other has a structural objectClass of "inetOrgPerson".
So, I was wondering if anyone knows if it's required to use "Account" Structural objectClass in order to login to Ubuntu? Or can anyone think of any other reason nslcd is giving the error message above?
I figured it out: even though I added the objectClass "posixAccount" to the existing LDAP entries, I needed to also add two attributes: loginShell and homeDirectory. Once those were added to an existing entry, I could log in.
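As an added example (not code from the original post), the script below does what the answer describes for an existing inetOrgPerson entry: it checks which POSIX attributes the entry is missing, then builds the ldapmodify LDIF that adds objectClass posixAccount together with uidNumber, gidNumber, homeDirectory and loginShell. The DN, uid/gid numbers, home directory, shell and admin bind DN are assumptions; uid and cn are assumed to already be on the entry, since posixAccount requires them too and ldapmodify rejects adding a value that is already present.

```shell
#!/bin/sh
# Added example, not from the original post: convert an existing inetOrgPerson
# entry into a POSIX login account that nslcd can resolve. All DNs, numbers
# and paths used below are assumptions for illustration.

# Attributes a login entry needs. The posixAccount schema makes cn, uid,
# uidNumber, gidNumber and homeDirectory mandatory; loginShell is optional in
# the schema but the poster found it necessary for login to work.
POSIX_ATTRS="uid uidNumber gidNumber homeDirectory loginShell"

# Read an LDIF dump of one entry (e.g. ldapsearch output) on stdin and print
# the POSIX attributes it lacks, space separated. Attribute names are
# case-insensitive in LDAP, hence grep -i.
missing_posix_attrs() {
  entry=$(cat)
  missing=""
  for attr in $POSIX_ATTRS; do
    if ! printf '%s\n' "$entry" | grep -qi "^${attr}:"; then
      missing="${missing:+$missing }$attr"
    fi
  done
  printf '%s' "$missing"
}

# Emit an LDIF "changetype: modify" for ldapmodify that adds the posixAccount
# objectClass and the given attributes. Pass "" for an attribute the entry
# already has so it is not added twice. uid is not added here: it is assumed
# present (check with missing_posix_attrs first).
posix_ldif() {
  dn=$1 uidnum=$2 gidnum=$3 home=$4 shell=$5
  printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: posixAccount\n' "$dn"
  for pair in "uidNumber=$uidnum" "gidNumber=$gidnum" "homeDirectory=$home" "loginShell=$shell"; do
    name=${pair%%=*}
    value=${pair#*=}
    if [ -n "$value" ]; then
      printf '%s\nadd: %s\n%s: %s\n' - "$name" "$name" "$value"
    fi
  done
}

# Only talk to a real server when asked (APPLY_LDAP=1). The admin bind DN is
# an assumption; adjust to your directory.
if [ "${APPLY_LDAP:-0}" = 1 ]; then
  posix_ldif "cn=existinguser,ou=my-ou,dc=example,dc=com" 10001 10001 /home/existinguser /bin/bash \
    | ldapmodify -x -D "cn=admin,dc=example,dc=com" -W
  # nslcd should now return the account. If this prints nothing, the passwd
  # map is still incomplete and ssh will fail before the password is checked.
  getent passwd existinguser
fi
```

Run it once without APPLY_LDAP to see the LDIF that would be sent, then with APPLY_LDAP=1 against the server. Checking `getent passwd existinguser` after the change is the quickest way to tell a missing POSIX attribute apart from a genuinely wrong password, which is what the "Invalid credentials" message in the question makes it look like.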