After configuring LDAP credentials as an authentication method for SSH access to the Gateway via the ssgconfig menu, users are still unable to gain shell access to the Gateway.
The following errors appear in /var/log/secure after the login attempt:
pam_faillock(sshd:auth): User unknown
Failed password for invalid user
The SSG Config Menu assumes that the users used for SSH authentication are located in a container (for example an OU) below the search base, but that does not always have to be the case. In this instance the user objects were located directly in the search base itself, which is a valid LDAP layout but resulted in the failures seen above: nslcd could not resolve the account, so sshd and pam_faillock treated the login as an unknown user.
The following workaround can be implemented to address this situation:
When configuring LDAP credentials using the guided menus as described in Option 4 - Configure Authentication Method, enter a temporary value at the prompt "Which object in the LDAP will be used to find the password for users". Once the menu selections have been completed, edit /etc/nslcd.conf and replace that temporary value with the desired value (e.g., 'ou=users') that identifies the location of the LDAP objects holding the user accounts. This overrides the temporary value entered via the configuration menu. After entering the value, restart the nslcd daemon and confirm the account resolves (for example with getent passwd <user>) before testing SSH again.
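The edit-and-restart step above, as an added shell example that is not part of the KB article or of the Gateway's own tooling. It assumes nslcd.conf carries the user location in the standard nslcd "base passwd <DN>" directive, that the service is named nslcd and managed by systemctl, and it works on a constructed sample config rather than the live /etc/nslcd.conf unless invoked with --apply. The DN you write is the container that actually holds the user objects; in the case described above that is the search base itself, so the placeholder "ou=TEMP" written by the menu is replaced with the base DN.

```shell
#!/bin/sh
# Added example (not from the KB article or the Gateway). Assumptions:
#  - nslcd.conf uses "base passwd <DN>" for the user location
#  - the service is "nslcd" under systemctl
#  - sample paths/DNs below are placeholders for illustration
set -u

# write_sample_conf PATH
# Writes a constructed nslcd.conf resembling what the menu might leave
# behind, with the temporary value still in "base passwd".
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample nslcd.conf (not a real Gateway file)
uid nslcd
gid ldap
uri ldaps://ldap.example.com/
base dc=example,dc=com
binddn cn=svc-ssg,ou=service,dc=example,dc=com
bindpw REDACTED
base passwd ou=TEMP,dc=example,dc=com
ssl on
tls_reqcert demand
EOF
}

# get_passwd_base CONF
# Prints the DN currently configured for the passwd map (empty if none).
get_passwd_base() {
    awk '$1 == "base" && $2 == "passwd" { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# set_passwd_base CONF DN
# Replaces the existing "base passwd ..." line with the given DN, or appends
# one if the file has none. The global "base" line is left untouched.
set_passwd_base() {
    conf=$1
    dn=$2
    tmp="$conf.tmp.$$"
    awk -v dn="$dn" '
        $1 == "base" && $2 == "passwd" { print "base passwd " dn; seen = 1; next }
        { print }
        END { if (!seen) print "base passwd " dn }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# restart_and_check USER
# Restarts nslcd and confirms the SSH user now resolves through NSS.
# Requires root on the Gateway; a non-zero exit means the lookup still fails.
restart_and_check() {
    systemctl restart nslcd || return 1
    getent passwd "$1"
}

# Usage: sh fix_nslcd_base.sh --apply 'dc=example,dc=com' jdoe
# Without --apply nothing on the host is modified.
if [ $# -ge 3 ] && [ "$1" = "--apply" ]; then
    set_passwd_base /etc/nslcd.conf "$2"
    restart_and_check "$3"
fi
```

After the restart, a successful getent passwd lookup for the LDAP user is the check that the NSS side is fixed; if SSH still fails afterwards, /var/log/secure will show whether the problem has moved from "User unknown" to a PAM or password issue.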
This is also outlined in our online documentation, which can be referenced here:
This is a known defect in Gateway version 10 and will be addressed in a future CR.