SSH auth via openLDAP server fails with 'ldap_search_st(): Timed out' error


Krishna Kurkal

Jul 6, 2011, 12:29:54 PM7/6/11
to openssh-lpk

I've been trying to get openssh (with LPK patch) to work with openLDAP
(on Amazon AMI, CentOS 5.4 equivalent I think) to centrally
authenticate instances that I plan to spin up in AWS.

I have got the openLDAP server all set up with a test user created and
the basic configs on the client node in place. And I can get
ldapsearch to work flawlessly from both the server and client nodes.
However, when I try to use putty with a private key (public key is in
LDAP server and the user already created on the LDAP server etc), I
cannot get LDAP to authenticate the user. I see the below
'ldap_search_st(): Timed out' error in the sshd debug output and am
unable to establish the connection:

debug1: userauth-request for user test service ssh-connection method
publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x1bf72c0
debug1: temporarily_use_uid: 10000/10000 (e=0/0)
debug1: [LDAP] trying LDAP first uid=test
ldap_search_st(): Timed out (-5)
[LDAP] no keys found for 'test'!
debug1: trying public key file /home/test/.ssh/authorized_keys
debug1: restore_uid: 0/0
Failed publickey for testfrom 66.69.194.182 port 61244 ssh2
debug3: mm_answer_keyallowed: key 0x1bf72c0 is not allowed
debug3: mm_request_send entering: type 21
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: Wrote 52 bytes for a total of 2601
debug3: mm_request_receive entering
Received disconnect from 66.69.194.182: 14: No supported
authentication methods available
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering

I have made all other changes to nsswitch.conf, /etc/ssh/sshd_config,
/etc/nscld.conf etc and not sure where to go from here. I am able to
connect to the LDAP server as this user using the private key just
fine. So, there is no issue with the keys in .ssh folders etc. It's
when trying to go through LDAP that it's failing.

The setup in LDAP is basically a group called 'operations' and the
'test' user placed in that group. There are no other entries in there.

Any hints on how to troubleshoot further or a fix to this issue will
be greatly appreciated.

Thanks!
Kris
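
An added example for triaging this kind of failure (not code from the openssh-lpk project or from the poster): it reads `sshd -d` output, pulls out the LDAP-related lines and classifies the outcome, so the timeout above (a client-side libldap code, which means the server never answered) can be told apart from a search that succeeded but found no key. The sample log is constructed from the lines quoted in the post; the regexes for the "trying LDAP first" and "no keys found" messages are taken from those lines, and the hint texts are general debugging advice, not project documentation.

```python
"""Classify openssh-lpk LDAP key-lookup failures from sshd debug output."""
import re
from collections import namedtuple

# Constructed sample: the LDAP-related lines from the post's sshd -d output.
SAMPLE_LOG = """\
debug1: userauth-request for user test service ssh-connection method publickey
debug1: temporarily_use_uid: 10000/10000 (e=0/0)
debug1: [LDAP] trying LDAP first uid=test
ldap_search_st(): Timed out (-5)
[LDAP] no keys found for 'test'!
debug1: trying public key file /home/test/.ssh/authorized_keys
debug1: restore_uid: 0/0
Failed publickey for test from 66.69.194.182 port 61244 ssh2
"""

# libldap client-side result codes (OpenLDAP ldap.h); negative codes are
# produced locally and never come back from the server.
LDAP_CLIENT_CODES = {-1: "LDAP_SERVER_DOWN", -5: "LDAP_TIMEOUT", -11: "LDAP_CONNECT_ERROR"}

RE_USERAUTH = re.compile(r"userauth-request for user (\S+) service")
RE_UID = re.compile(r"temporarily_use_uid: (\d+)/(\d+)")
RE_LOOKUP = re.compile(r"\[LDAP\] trying LDAP first uid=(\S+)")
RE_LDAPERR = re.compile(r"^(ldap_\w+)\(\): (.+?) \((-?\d+)\)$")
RE_NOKEYS = re.compile(r"\[LDAP\] no keys found for '([^']+)'")
# \s* lets the parser cope with the run-together "testfrom" seen in pasted logs.
RE_FAILED = re.compile(r"^Failed (\S+) for (?:invalid user )?(\S+)\s*from (\S+) port (\d+)")

Diagnosis = namedtuple("Diagnosis", "verdict user lookup_uid ldap_code source hint")

HINTS = {  # general debugging hints (assumed, not from the openssh-lpk docs)
    "ldap-timeout": ("libldap gave up waiting (LDAP_TIMEOUT is client-side: the server never "
                     "answered). Re-run the search with ldapsearch from this host using the URI, "
                     "base and bind DN that sshd's LDAP client config points at, and confirm the "
                     "LDAP port is reachable from this host; ldapsearch working with another "
                     "config or from another host proves nothing about this client."),
    "ldap-client-error": "libldap failed before the server answered; check URI, TLS and network settings.",
    "ldap-server-error": "the server returned an error; check bind credentials, base DN and server ACLs.",
    "ldap-no-keys": "the search completed but matched no key; check the filter, base DN and the user's entry.",
    "ldap-no-lookup": "sshd never consulted LDAP; the LPK code path is not active for this sshd.",
    "ldap-ok": "the LDAP lookup completed; the failure, if any, is not in the LDAP step.",
}


def parse_sshd_debug(text):
    """Extract the fields relevant to the LDAP key lookup from sshd -d output."""
    ev = {"user": None, "lookup_uid": None, "lookup": False,
          "ldap_errors": [], "no_keys": [], "failed": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_USERAUTH.search(line)
        if m:
            ev["user"] = m.group(1)
            continue
        m = RE_UID.search(line)
        if m:
            ev["lookup_uid"] = int(m.group(1))  # uid sshd runs the lookup under
            continue
        m = RE_LOOKUP.search(line)
        if m:
            ev["lookup"] = True
            ev["user"] = ev["user"] or m.group(1)
            continue
        m = RE_LDAPERR.match(line)
        if m:
            ev["ldap_errors"].append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = RE_NOKEYS.search(line)
        if m:
            ev["no_keys"].append(m.group(1))
            continue
        m = RE_FAILED.match(line)
        if m:
            ev["failed"] = m.groups()  # (method, user, source ip, port)
    return ev


def diagnose(text):
    """Return a Diagnosis naming which step of the LDAP lookup went wrong."""
    ev = parse_sshd_debug(text)
    code = ev["ldap_errors"][0][2] if ev["ldap_errors"] else None
    if code == -5:
        verdict = "ldap-timeout"
    elif code is not None and code < 0:
        verdict = "ldap-client-error"
    elif code is not None:
        verdict = "ldap-server-error"
    elif not ev["lookup"]:
        verdict = "ldap-no-lookup"
    elif ev["no_keys"]:
        verdict = "ldap-no-keys"
    else:
        verdict = "ldap-ok"
    hint = HINTS[verdict]
    if code in LDAP_CLIENT_CODES:
        hint = "%s: %s" % (LDAP_CLIENT_CODES[code], hint)
    if ev["lookup_uid"] not in (None, 0):
        # The debug output shows the lookup running after temporarily_use_uid,
        # so anything the LDAP client opens at that point must be readable by that uid.
        hint += " The lookup ran as uid %d; files the LDAP client opens must be readable by it." % ev["lookup_uid"]
    source = "%s:%s" % (ev["failed"][2], ev["failed"][3]) if ev["failed"] else None
    return Diagnosis(verdict, ev["user"], ev["lookup_uid"], code, source, hint)


if __name__ == "__main__":
    d = diagnose(SAMPLE_LOG)
    print(d.verdict, d.user, d.source)
    print(d.hint)
```

Feed it the full `sshd -d` transcript rather than a trimmed excerpt: the uid line and the `Failed ... from` line carry the context (which uid performed the lookup, which client was rejected) that the LDAP lines alone do not.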

Krishna Kurkal

Jul 6, 2011, 12:49:19 PM7/6/11
to openssh-lpk