
Public key authenticating local user when LDAP server is down

I'm trying to configure my system to allow me to login (ssh) to a local account on a host (Ubuntu 16.04) with public key authentication, even if/when the LDAP server is down.

This is a cloud image, so the user I need locally is ubuntu . This user doesn't have a password (and I don't want to set one for security). Only public key auth should be allowed on this user.

This user has UID 1001 and all my LDAP users have UID numbers >= 2000.

I've been trying stuff all day (such as pam_succeed_if.so and pam_localuser ).

Now getent passwd ubuntu works fine and returns the local passwd line. But ssh refuses like so:

Sep  6 17:27:43 ip-10-99-0-241 sshd[24895]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Sep  6 17:27:43 ip-10-99-0-241 sshd[24895]: nss_ldap: failed to bind to LDAP server ldaps://ldap.domain.tld: Can't contact LDAP server
Sep  6 17:27:43 ip-10-99-0-241 sshd[24895]: nss_ldap: reconnecting to LDAP server...

And then eventually it fails with Authentication failed.

  • /etc/nsswitch.conf

     passwd: compat [success=return] ldap
     group:  compat [success=return] ldap
     shadow: compat [success=return] ldap

  • /etc/pam.d/common-account

     account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
     # NOTE: These two won't work - fatal: Access denied for user <ldap user> by PAM account configuration [preauth]
     #account sufficient pam_localuser.so
     #account sufficient pam_succeed_if.so uid <= 500 quiet
     account [success=1 default=bad success=ok user_unknown=ignore] pam_ldap.so
     account requisite pam_deny.so
     account required pam_permit.so
     account required pam_krb5.so minimum_uid=2000

  • /etc/pam.d/common-auth

     auth [success=3 default=ignore] pam_krb5.so minimum_uid=2000 ignore_root
     auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
     auth [success=1 default=ignore] pam_ldap.so use_first_pass ignore_unknown_user ignore_authinfo_unavail
     # NOTE: Can't login with this (changed the success above)!
     #auth requisite pam_succeed_if.so uid >= 500 quiet
     auth requisite pam_deny.so
     auth required pam_permit.so

  • /etc/ldap.conf

     bind_timelimit 10
     pam_min_uid 2000
     nss_initgroups_ignoreusers ubuntu,local
     nss_reconnect_tries 2
     nss_reconnect_sleeptime 1
     nss_reconnect_maxsleeptime 8
     nss_reconnect_maxconntries 2

(I tried using the pre and code blocks, but SOF refused to let me post them, so sorry if this looks horrible - if anyone with admin rights can go in and fix it, please do.)

Rereading the man page for nsswitch.conf gave me this:

  • return
    • Return a result now. Do not call any further lookup functions. However, for compatibility reasons, if this is the selected action for the group database and the notfound status, and the configuration file does not contain the initgroups line, the next lookup function is always called, without affecting the search result.

The key words here are this part: the configuration file does not contain the initgroups line, the next lookup function is always called.

As in, if I added the line

initgroups:     files

I can now login to the ubuntu user, even when the LDAP server is down!
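An added check, not part of the original post, that models the man-page caveat the answer quotes: it parses an nsswitch.conf and reports whether a local user's initgroups lookup can still fall through to a remote source such as ldap. The two sample configs, the NETWORK_SOURCES set and the simplified fall-through model are constructed assumptions for illustration.

```python
import re

# Constructed sample: the asker's nsswitch.conf before the fix (no initgroups line).
NSSWITCH_BEFORE = """\
passwd: compat [success=return] ldap
group:  compat [success=return] ldap
shadow: compat [success=return] ldap
"""

# Constructed sample: the same file with the initgroups line from the answer added.
NSSWITCH_AFTER = NSSWITCH_BEFORE + "initgroups:     files\n"

# Assumption: these sources need a network service and can block when it is down.
NETWORK_SOURCES = {"ldap", "nis", "nisplus", "sss", "winbind"}


def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]} from nsswitch.conf text."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        db, _, rest = line.partition(":")
        entries = []
        # Tokens are either a source name or a bracketed "[status=action ...]" list,
        # which applies to the source immediately before it.
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if tok.startswith("["):
                actions = dict(a.lower().split("=", 1) for a in tok[1:-1].split())
                if entries:
                    entries[-1][1].update(actions)
            else:
                entries.append((tok.lower(), {}))
        dbs[db.strip().lower()] = entries
    return dbs


def initgroups_hits_remote(text):
    """True when a local user's initgroups call can still reach a remote source.

    Simplified model of the caveat in the answer: without an explicit initgroups
    line, the group database is used and the lookup is not stopped by the
    [success=return] action, so any later remote source (ldap) is still called.
    With an explicit initgroups line, only the sources listed there are used.
    """
    dbs = parse_nsswitch(text)
    sources = dbs.get("initgroups", dbs.get("group", []))
    return any(src in NETWORK_SOURCES for src, _ in sources)
```

Run it against your own /etc/nsswitch.conf (open the file and pass its contents) before taking the LDAP server offline, so the initgroups fall-through shows up in a test rather than in a locked-out session.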
