LFCS Question #128: Real Exam Question with Answer & Explanation

Question

After configuring PAM and NSS to integrate with OpenLDAP, the SSH server refuses to authenticate users who are only in LDAP. What is the first step you should follow to debug this problem?

Options

• ARestart the pamd service.
• BRestart the sshd service.
• CRestart the nssd service.
• DAdd the Use_LDAP = yes parameter to sshd_config.

Explanation

After modifying PAM/NSS for LDAP integration, restarting the sshd service is the first debugging step to ensure it loads the updated authentication configurations.

Common mistakes.

• A. pamd is not a service that can be restarted; PAM (Pluggable Authentication Modules) is a framework that services like sshd utilize, and changes to PAM configuration files are only effective for a service after that specific service is restarted.
• C. nssd is not a standard service related to NSS (Name Service Switch); while nscd (Name Service Cache Daemon) can be restarted, restarting sshd is the more direct and primary action to ensure new NSS configurations are applied to SSH.
• D. The sshd_config file does not have a Use_LDAP = yes parameter for direct LDAP integration; SSH delegates user authentication to PAM, which then handles the integration with LDAP through its modules.

Concept tested. SSH/PAM/NSS/LDAP debugging

Reference. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_authentication_and_authorization/configuring-ldap-authentication_managing-authentication-and-authorization

No community discussion yet for this question.