Why LDAP auth doesn't work correctly on Ubuntu 16.04.3 LTS (Xenial Xerus) and 17.04

The goal is to have users in LDAP and $HOME on NFS.

Simple answer: because of systemd and incorrect service dependencies.
Simple solution: disable libnss-ldap and nscd and write your own start script.

This article is a thorough analysis of the Ubuntu LDAP auth problem.

The whole bad day started with a broken boot from the Ubuntu USB flash drive. We booted the Ubuntu live USB stick and installed it onto another 8GB USB flash drive. The goal was not to touch the MS Windows installation inside. Booting and detection of WiFi, NIC and other hardware was excellent. Compare this to Debian 9.0, which lacks the necessary non-free firmware, which is an abnormal pain in the lower side followed by lspci gymnastics and searching for binary firmware.

The first installation fail was the swap. There is no need to install Ubuntu on a PC with 16GB RAM using a swap file or partition, especially on a slow USB flash drive.

Second fail: finally the installation asked for more than 5GB of space, so we had to repartition the flash drive. 6GB looked ok, but the installation failed after one hour with "not enough space". Creating a 7GB partition and doing everything again worked like a charm. We had very good reasons not to use the whole flash drive.

Third fail: grub install failed, installation incomplete. I gave up (I had a lot of programming to do), so I asked my colleague if he could try the installation himself. A different Ubuntu image failed exactly the same way. So we had to create a new 256MB EFI partition, mount it under /boot/efi, and then grub-install worked. Because we had chosen an 8GB install partition, we had to do the whole installation again, since we couldn't create the 256MB EFI partition otherwise.

Now Ubuntu boots and runs correctly. It detects the WiFi NIC and gets an IP. This step is very important, because it was the last working state for another day.

After installing libnss-ldap, libpam-ldap, nscd and nfs-common and configuring them properly, everything worked. But the system didn't boot again.

Quickly, the working config was, in /etc/nsswitch.conf:

   passwd      ldap files
   group       ldap files

and in /etc/ldap.conf (libnss-ldap):

    base dc=prague
    uri ldap://
    ldap_version 3

and finally fstab:

   # Yes, it is really disabled
   #    /home/nfs nfs   rw,noatime,nodiratime,nfsvers=3,_netdev 0       0

Three system services were failing:

  • Network Manager
  • Login
  • Gnome Display Manager

Logs were not useful for identifying any error. Let's skip a few hours; we didn't know it was caused by LDAP.

The system is waiting for LDAP, but LDAP does not work without the network. This workstation was a Lenovo IdeaCentre with WiFi. We use wpa_supplicant with a preconfigured WPA2-PSK passphrase. The network works without the mentioned packages (libnss-ldap, nscd, ...), so the network is not the problem. With wired ethernet it works even with the LDAP configuration. So the solution is to mask/disable the problematic services:

   systemctl mask nscd
   systemctl mask libnss-ldap

And create our own "Starlab.ldap.fix" system service. It simply:

  1. waits for network
  2. starts ldap
  3. starts nscd
  4. mounts nfs

Script /etc/starlab.ldap.fix:

   #!/bin/sh
   # This is the first shot :). It is still missing the proper case start, stop, esac.
   # 1. wait for the network (and the STARLAB server)
   while ! ping -c1 >/dev/null; do
           sleep 5
           echo "Network or STARLAB server unreachable."
   done
   # 4. mount NFS home while /home/nfs is still the empty local directory
   if [ -f /home/nfs/empty ]; then
           mount -t nfs -o nfsvers=3,rw,nosuid,nodev,noatime,nodiratime /home/nfs
   fi
   # 2. and 3. (re)start ldap and nscd
   /etc/init.d/libnss-ldap restart
   /etc/init.d/nscd restart
   # ensure we were always successful
   exit 0

Unit file starlab.service (under /etc/systemd/system):

   [Unit]
   Description=Starlab ldap fix
   After=network.target auditd.service

   [Service]
   Type=oneshot
   ExecStart=/etc/starlab.ldap.fix start

   [Install]
   WantedBy=multi-user.target
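A completed version of the fix script, added here as an example (it is not the wiki's own first shot): the start/stop case is filled in, the wait is bounded so an unreachable server cannot hang the boot forever, and the mount is skipped when it is already there. LDAP_HOST and NFS_EXPORT are assumed placeholders, not the Starlab values, which this page does not give.

```shell
#!/bin/sh
# Added example, not the wiki's first-shot script: /etc/starlab.ldap.fix with the
# start/stop case filled in. LDAP_HOST and NFS_EXPORT are assumed placeholders.
LDAP_HOST="${LDAP_HOST:-ldap.example.invalid}"
NFS_EXPORT="${NFS_EXPORT:-nfs.example.invalid:/export/home}"
NFS_MOUNT=/home/nfs
MAX_TRIES="${MAX_TRIES:-60}"   # 60 x 5 s = 5 min, then give up
# Step 1: wait for the network. Returns 0 once $1 answers a ping, 1 after
# $2 failed attempts, so an unreachable server cannot hang the boot forever.
wait_for_host() {
    host=$1; tries=$2; n=0
    while ! ping -c1 -W2 "$host" >/dev/null 2>&1; do
        n=$((n + 1))
        if [ "$n" -ge "$tries" ]; then return 1; fi
        echo "Network or $host unreachable, retry $n/$tries"
        sleep 5
    done
    return 0
}

# Step 4 from the list above, made idempotent: skip when already mounted.
mount_home() {
    if mountpoint -q "$NFS_MOUNT"; then return 0; fi
    mount -t nfs -o nfsvers=3,rw,nosuid,nodev,noatime,nodiratime "$NFS_EXPORT" "$NFS_MOUNT"
}

do_start() {
    if ! wait_for_host "$LDAP_HOST" "$MAX_TRIES"; then
        echo "LDAP server unreachable, booting with local accounts only" >&2
        return 0   # never fail the unit: local logins must still work
    fi
    mount_home
    /etc/init.d/libnss-ldap restart   # steps 2 and 3, as in the first shot
    /etc/init.d/nscd restart
}

do_stop() {
    /etc/init.d/nscd stop
    umount "$NFS_MOUNT" 2>/dev/null || true
}
# The case the first shot was missing; dispatched only when an argument is given.
if [ $# -gt 0 ]; then
    case "$1" in
        start) do_start ;;
        stop)  do_stop ;;
        *)     echo "Usage: $0 {start|stop}" >&2; exit 1 ;;
    esac
    exit 0
fi
```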

Don't forget to enable the service so it starts automatically at boot time:

    systemctl enable starlab

Baby's bottom

Feel free to contact me at dalibor.straka@starlab.cz with any questions or suggestions

linux/ldap/ubuntu.txt · Last modified: 2017/10/28 20:38 by admin