Authentication Issues¶
Issues related to LDAP authentication, user login, OpenLDAP service, and TLS certificate errors.
LDAP login fails after user creation¶
Symptom
User login fails after LDAP user creation. Error messages include:
id: 'newuser': no such userPermission denied (publickey,gssapi-keyex,gssapi-with-mic)
Cause
Whitespace in the LDIF file used to create the user.
Resolution
-
Inspect the LDIF file for hidden whitespace or control characters:
Run on: auth servercat -vet <filename> -
Remove any whitespace found, then re-import the corrected LDIF file.
OpenLDAP login fails¶
Symptom
OpenLDAP login fails.
Cause
Stale SSH key.
Resolution
ssh-keygen -R <hostname>
User login fails on cluster nodes¶
Symptom
Users cannot log in to Slurm compute nodes or login nodes via SSH. Login attempts fail with Permission denied, please try again. even though the user exists in LDAP and can authenticate on the auth server directly.
Cause
- The LDAP client (
sssdornslcd) is not running on the target node. - The LDAP client is configured with the wrong server URI or search base.
- NSS (Name Service Switch) is not configured to use LDAP.
- The user's home directory does not exist on the target node.
Resolution
-
Check SSSD status on the target node:
Run on: compute nodesystemctl status sssdIf not running:
Run on: compute nodesystemctl start sssd -
Verify SSSD configuration:
Run on: compute nodecat /etc/sssd/sssd.conf | grep -E 'ldap_uri|ldap_search_base' -
Test user lookup via NSS:
Run on: compute nodegetent passwd <username>If the user does not appear, SSSD or NSS is misconfigured.
-
Check if the home directory exists:
Run on: compute nodels -la /home/<username>If it does not exist, enable automatic home directory creation:
Run on: compute nodeauthconfig --enablemkhomedir --update -
Clear the SSSD cache and restart:
Run on: compute nodesss_cache -E systemctl restart sssd
Certificate errors¶
Symptom
LDAP or other services fail with TLS certificate errors:
TLS: peer cert untrusted or revoked
SSL routines:ssl3_get_server_certificate:certificate verify failed
Cause
- The CA certificate used by step-ca is not installed on the client node.
- The service certificate has expired.
- The certificate's Subject Alternative Name (SAN) does not match the hostname or IP being used to connect.
Resolution
-
Check the certificate expiry:
Run on: auth serveropenssl x509 -in /etc/step/certs/server.crt -noout -dates step certificate inspect /etc/step/certs/server.crt --short -
If expired, renew the certificate:
Run on: auth serverstep ca renew /etc/step/certs/server.crt /etc/step/certs/server.key -
Verify the CA certificate is installed on client nodes:
Run on: compute nodels /etc/pki/ca-trust/source/anchors/If the CA cert is missing, copy it and update the trust store:
Run on: OIM hostscp /etc/step/certs/root_ca.crt <client_node>:/etc/pki/ca-trust/source/anchors/ ssh <client_node> update-ca-trust -
Verify the SAN matches the connection target:
Run on: auth serveropenssl x509 -in /etc/step/certs/server.crt -noout -ext subjectAltNameIf the SAN does not include the correct hostname or IP, reissue the certificate:
Run on: auth serverstep ca certificate <hostname> /etc/step/certs/server.crt \ /etc/step/certs/server.key --san <hostname> --san <ip_address> -
Restart services after updating certificates:
Run on: compute nodesystemctl restart sssd
Info
- Deploy External LDAP -- External LDAP deployment guide.