I have an LDAP server, and I want to be able to log in on my machines using that LDAP server. This basically works, but when the LDAP server is out of reach (e.g. a laptop is used outside the office) then authentication fails.
I tried several approaches to address this issue.
(1) pam_ccreds.so: I followed this document, https://help.ubuntu.com/community/PamCcredsHowto, but ended up with login failing:
> su testuser
Password: <pwd entered>
You have been logged on using cached credentials.
su: Authentication failure
That is, apparently something worked but some other thing later did not. This had happened to someone else, but the alleged solution (allow if the LDAP server is not reachable) does not seem to be a solution at all.
(2) I fiddled around with nslcd. I added some debug outputs and found this:
<passwd=4294967295> DEBUG: myldap_search(base="ou=people,dc=mydomain,dc=mytld", filter="(&(uid=*)(uidNumber=4294967295))")
The UID 4294967295 was suspicious to me (it actually should be 1000002), and yes, there are other reports of that UID (which is -1 in the signed representation of the int), but all these reports and solutions appeared to be connected with samba and/or winbind -- this is not the case in my setup.
So I have already spent a great deal of time, and I am merely trying things because I actually do not understand how the credential caching with nslcd really works. I think I got the grasp of pam_ccreds, but from what I found on the net I got the impression that this thing never really worked with LDAP and/or is not really maintained.
My specific questions are:
- On an Ubuntu (16.04) client system, is there a recommended way to be able to log in with the LDAP user/password when the LDAP server is not reachable?
- When things do not work as expected, which actions can I take to produce reasonable debug output (such as from nslcd)?
- Where can the strange UID come from?
Thanks very much for any effort, pointer or input!