otm33
October 6, 2025, 10:11pm
22
Can you perform a simple bind: ldapwhoami -x -D "uid=marc,ou=users,dc=yunohost,dc=org" -W -H ldap://localhost?
What is that: (ppolicy=yes)?
nslcd: [8b4567] <authc="marc"> DEBUG: ldap_sasl_bind("uid=marc,ou=users,dc=yunohost,dc=org","***") (uri="ldap://localhost/") (ppolicy=yes)
marc
October 6, 2025, 10:15pm
23
I am asked for the LDAP password.
Should I use a slapd command instead?
ppolicy:
I don’t know
They don’t change anything, they just show if something is wrong
marc
October 6, 2025, 10:17pm
26
Yes (I thought I needed the YUNOHOST password for the LDAP database).
Here is the result:
dn:uid=marc,ou=users,dc=yunohost,dc=org
marc
October 6, 2025, 10:19pm
27
ok.
here is the result
Warning: The configuration file '/etc/postfix/ldap-aliases.cf' has been manually modified and will not be updated
Warning: The configuration file '/etc/postfix/ldap-accounts.cf' has been manually modified and will not be updated
Success! The configuration would have been updated for category 'dnsmasq'
dnsmasq:
applied:
/etc/resolv.dnsmasq.conf:
diff: @@ -1,14 +1,14 @@
+nameserver 2001:1608:10:25::1c04:b12f
+nameserver 2a0c:e300::101
+nameserver 2a00:5881:8100:1000::3
+nameserver 84.200.70.40
+nameserver 2001:678:8::3
+nameserver 2a0c:e300::100
+nameserver 2a0c:e300::1337
+nameserver 194.0.5.3
+nameserver 45.67.81.23
+nameserver 194.150.168.168
+nameserver 185.233.100.101
+nameserver 89.234.141.66
nameserver 2001:1608:10:25::9249:d69b
-nameserver 45.67.81.23
-nameserver 2a0c:e300::101
-nameserver 2a0c:e300::1337
-nameserver 2001:678:8::3
-nameserver 185.233.100.101
-nameserver 194.150.168.168
-nameserver 84.200.70.40
-nameserver 194.0.5.3
-nameserver 89.234.141.66
-nameserver 2a0c:e300::100
-nameserver 2001:1608:10:25::1c04:b12f
-nameserver 2a00:5881:8100:1000::3
nameserver 185.233.100.100
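Review bot: the twelve added and twelve removed nameserver lines in this hunk are the same set of addresses, only reordered, and the two unchanged lines are untouched; the dnsmasq "updated" status is therefore cosmetic and has no bearing on the LDAP bind timeouts discussed here.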
status: updated
pending:
postfix:
applied:
pending:
/etc/postfix/ldap-accounts.cf:
diff: @@ -1,5 +1,5 @@
server_host = localhost
server_port = 389
search_base = dc=yunohost,dc=org
-query_filter = (&(objectClass=mailAccount)(mail=%s))
+query_filter = (&(objectClass=mailAccount)(mail=%s)(permission=cn=mail.main,ou=permission,dc=yunohost,dc=org))
result_attribute = uid
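Review bot: the pending query_filter narrows account resolution to mailAccount entries that also carry permission=cn=mail.main,ou=permission,dc=yunohost,dc=org, so any entry created outside the standard account flow without that permission attribute would stop resolving for incoming mail once this is applied; since the file is reported as manually modified, confirm which entries hold that permission before forcing regeneration.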
status: modified
/etc/postfix/ldap-aliases.cf:
diff: @@ -1,5 +1,5 @@
server_host = localhost
server_port = 389
search_base = dc=yunohost,dc=org
-query_filter = (&(objectClass=mailAccount)(mail=%s))
+query_filter = (&(objectClass=mailAccount)(mail=%s)(permission=cn=mail.main,ou=permission,dc=yunohost,dc=org))
result_attribute = maildrop
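Review bot: this is the same filter change as in ldap-accounts.cf, applied to alias lookups (result_attribute = maildrop); the alias workaround described later in the thread depends on this file keeping the unrestricted filter, so both files should be regenerated with the same decision, otherwise account and alias lookups disagree on which entries qualify.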
status: modified
root@famille-flender:/var/log# service nslcd restart
root@famille-flender:/var/log# service ssh restart
root@famille-flender:/var/log# service slapd restart
root@famille-flender:/var/log# groups m4x
m4x : m4x all_users mail.main ssh.main vaultwarden.main sogo.main
root@famille-flender:/var/log# more /etc/postfix/ldap-aliases.cf
server_host = localhost
server_port = 389
search_base = dc=yunohost,dc=org
query_filter = (&(objectClass=mailAccount)(mail=%s))
result_attribute = maildrop
otm33
October 6, 2025, 10:19pm
28
Well, you should authenticate with the same password as for SSH.
marc
October 6, 2025, 10:20pm
29
Here is the result:
dn:uid=marc,ou=users,dc=yunohost,dc=org
So password works
Oh, so you should run yunohost tools regen-conf --force
marc
October 6, 2025, 10:22pm
31
You mean, to reset ldap-accounts.cf and ldap-aliases.cf?
Well, it is late now; thank you for your help, you are precious to me.
I will continue searching tomorrow.
I have already reset ldap-accounts.cf and ldap-aliases.cf some days ago, but it doesn't change anything.
This is a work-around to create aliases for my family without creating accounts.
These two files should not change LDAP results for SSH; I used this workaround for years.
Everything is described here
Nevertheless, I will make sure tomorrow and reset these files.
Good night
otm33
October 6, 2025, 11:13pm
32
Well…
marc:
nslcd: [8b4567] <authc="marc"> DEBUG: ldap_sasl_bind("uid=marc,ou=users,dc=yunohost,dc=org","***") (uri="ldap://localhost/") (ppolicy=yes)
nslcd: [8b4567] <authc="marc"> ldap_result() timed out
nslcd: [8b4567] <authc="marc"> DEBUG: failed to bind to LDAP server ldap://localhost/: Timed out: Operation now in progress
nslcd: [8b4567] <authc="marc"> DEBUG: ldap_unbind()
marc:
Raspberry Pi 0, 1 or 2
made me think… Couldn't it be related to available resources (RAM, CPU, free space)?
I would try those parameters in /etc/nslcd.conf
bind_timelimit 60 (from 60 to 5)
timelimit 15 (from 15 to 5)
threads 3
You can test by increasing the number of threads, but with a Raspberry Pi 2 …
marc
October 8, 2025, 9:19pm
33
Great! It works. Thanks a lot!
Would it be possible to change the nslcd.conf of YunoHost for future versions? here
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://localhost/
# The search base that will be used for all queries.
base dc=yunohost,dc=org
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
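To make the diagnosis above repeatable, here is an added example (not part of the thread or of YunoHost) that groups nslcd debug lines by request id to flag binds that timed out, and checks an nslcd.conf excerpt against the bind_timelimit/timelimit/threads values otm33 suggested; the log lines and config excerpt are constructed samples modelled on what is quoted in this thread.

```python
import re
# Constructed sample, modelled on the nslcd debug lines quoted in this thread:
# one request that times out on bind, one that binds and unbinds cleanly.
SAMPLE_LOG = """\
nslcd: [8b4567] <authc="marc"> DEBUG: ldap_sasl_bind("uid=marc,ou=users,dc=yunohost,dc=org","***") (uri="ldap://localhost/") (ppolicy=yes)
nslcd: [8b4567] <authc="marc"> ldap_result() timed out
nslcd: [8b4567] <authc="marc"> DEBUG: failed to bind to LDAP server ldap://localhost/: Timed out: Operation now in progress
nslcd: [8b4567] <authc="marc"> DEBUG: ldap_unbind()
nslcd: [1a2b3c] <authc="alice"> DEBUG: ldap_sasl_bind("uid=alice,ou=users,dc=yunohost,dc=org","***") (uri="ldap://localhost/") (ppolicy=yes)
nslcd: [1a2b3c] <authc="alice"> DEBUG: ldap_unbind()
"""
# Constructed /etc/nslcd.conf excerpt with the values the thread says were in
# place (bind_timelimit 60, timelimit 15) before the suggested change.
SAMPLE_CONF = """\
# /etc/nslcd.conf (excerpt)
uri ldap://localhost/
base dc=yunohost,dc=org
bind_timelimit 60
timelimit 15
"""
# Values otm33 suggested for a low-resource host such as a Raspberry Pi 2.
SUGGESTED = {"bind_timelimit": 5, "timelimit": 5, "threads": 3}
LINE_RE = re.compile(r'^nslcd: \[(?P<req>[0-9a-f]+)\] <authc="(?P<user>[^"]+)"> (?P<msg>.*)$')

def bind_outcomes(log_text):
    """Group nslcd lines by request id; classify each bind as 'ok' or 'timeout'."""
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an nslcd authc line; ignore
        req, user, msg = m.group("req", "user", "msg")
        s = state.setdefault(req, {"user": user, "timeout": False})
        if "timed out" in msg.lower():  # ldap_result() and failed-to-bind lines
            s["timeout"] = True
    return {r: (s["user"], "timeout" if s["timeout"] else "ok") for r, s in state.items()}

def parse_nslcd_conf(text):
    """Return effective 'key value' pairs; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def tuning_advice(conf, suggested=SUGGESTED):
    """(key, current or None, suggested) for each key not at the suggested value."""
    return [(k, conf.get(k), v) for k, v in suggested.items()
            if k not in conf or int(conf[k]) != v]
```

A key that is absent from the config is reported with None so that a missing threads line is not mistaken for a tuned one.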
system
Closed
November 7, 2025, 9:32pm
35
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.