When integrating LDAP authentication on Ubuntu systems, a common frustration occurs when getent passwd
fails to display LDAP users despite working LDAP queries. Here's a comprehensive technical breakdown of this issue:
First, verify these critical components in your setup:
# Verify nsswitch configuration
grep -E '^passwd|^group|^shadow' /etc/nsswitch.conf
# Expected output:
passwd: files ldap
group: files ldap
shadow: files ldap
Your /etc/ldap.conf needs these essential parameters properly configured:
# Minimum required configuration
uri ldap://your.ldap.server
base dc=yourdomain,dc=com
ldap_version 3
nss_base_passwd ou=People,dc=yourdomain,dc=com?sub
nss_base_shadow ou=People,dc=yourdomain,dc=com?sub
nss_base_group ou=Groups,dc=yourdomain,dc=com?sub
pam_password md5
When basic checks don't resolve the issue, try these diagnostic commands:
# Test LDAP connectivity
ldapsearch -x -H ldap://your.ldap.server -b "dc=yourdomain,dc=com" -s sub "(objectclass=*)"
# Check name service caching
nscd -g
# Check that the NSS LDAP module and its shared-library dependencies resolve
ldd /lib/x86_64-linux-gnu/libnss_ldap.so.2
- Missing nss_base parameters: without these, the system won't know where to look for user entries in LDAP.
- Incorrect schema mapping: ensure your LDAP directory uses standard attributes (uid, uidNumber, gidNumber, etc.) or properly maps them.
# Example attribute mapping
nss_map_attribute uniqueMember member
nss_map_objectclass posixAccount inetOrgPerson
For large directories, implement these optimizations:
# Reduce timeout values
bind_timelimit 5
timelimit 5
# Invalidate nscd's cached passwd and group tables after changing the configuration
nscd -i passwd
nscd -i group
If getent passwd still doesn't work, try these alternative verification approaches:
# Use ldapwhoami for bind verification
ldapwhoami -x -H ldap://your.ldap.server -D "uid=username,ou=People,dc=domain,dc=com" -W
# Test with libnss-ldap directly
getent passwd ldapusername
- Verify package installation: libnss-ldap libpam-ldap ldap-utils
- Check file permissions: /etc/ldap.conf (600), /etc/ldap.secret (400)
- Validate TLS/SSL configuration if using encrypted connections
- Confirm firewall rules allow LDAP traffic (389/tcp, 636/tcp for SSL)
When running getent passwd on an Ubuntu system configured with LDAP authentication, you only see local users from /etc/passwd but not LDAP users, despite successful ldapsearch queries. Here's how to properly diagnose and fix this.
First, let's verify three essential configuration files:
/etc/nsswitch.conf (sample working version):
passwd: files ldap
group: files ldap
shadow: files ldap
The /etc/ldap.conf requires these crucial parameters:
uri ldap://your.ldap.server:389
base dc=yourdomain,dc=com
ldap_version 3
nss_base_passwd ou=People,dc=yourdomain,dc=com?one
nss_base_shadow ou=People,dc=yourdomain,dc=com?one
nss_base_group ou=Groups,dc=yourdomain,dc=com?one
pam_password md5
Before troubleshooting NSS, verify basic LDAP connectivity:
ldapsearch -x -H ldap://192.168.95.133 -b "dc=souad,dc=com" "(objectclass=posixAccount)" uid
1. Missing nss_base parameters: without nss_base_* directives, the LDAP client doesn't know where to search for user/group information.
2. Incorrect TLS configuration
If using LDAPS:
ssl on
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
3. Permission issues: ensure /etc/ldap.conf has correct permissions:
chmod 644 /etc/ldap.conf
chown root:root /etc/ldap.conf
Use these commands to diagnose:
# Check NSS LDAP module loading
ldd /lib/x86_64-linux-gnu/libnss_ldap.so.2
# Verbose debugging
export NSS_DEBUG=1
getent passwd
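As an added diagnostic helper (not from the original article), the following POSIX shell script checks the configuration points discussed above: that passwd, group and shadow in nsswitch.conf name the ldap source, that ldap.conf is readable and carries uri, base and the nss_base_* directives, and which entries in a saved getent passwd output do not come from /etc/passwd. The file paths are parameters and the sample inputs at the bottom are constructed for the demo.

```shell
# Added diagnostic helper, not part of the original article. It checks, on
# copies or on the live files, the settings the article names as the usual
# causes of "getent passwd" listing only local users. All paths are
# parameters; the sample files at the bottom are constructed for the demo.

# check_nsswitch FILE -> 0 if passwd, group and shadow all list "ldap"
check_nsswitch() {
    f="${1:-/etc/nsswitch.conf}"; missing=""
    for db in passwd group shadow; do
        # matches "passwd: files ldap"; commented-out lines do not count
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]ldap"'([[:space:]]|$)' "$f" \
            || missing="$missing $db"
    done
    [ -z "$missing" ] && return 0
    echo "nsswitch.conf: no ldap source for:$missing" >&2; return 1
}

# check_ldap_conf FILE -> 0 if the file is readable (NSS lookups run inside
# unprivileged processes, hence the article's 644) and uri, base and every
# nss_base_* directive are present with a value
check_ldap_conf() {
    f="${1:-/etc/ldap.conf}"; missing=""
    [ -r "$f" ] || { echo "$f: not readable by $(id -un)" >&2; return 1; }
    for key in uri base nss_base_passwd nss_base_shadow nss_base_group; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]+[^[:space:]]" "$f" \
            || missing="$missing $key"
    done
    [ -z "$missing" ] && return 0
    echo "ldap.conf: missing directive(s):$missing" >&2; return 1
}

# ldap_only_users GETENT_OUTPUT LOCAL_PASSWD -> login names in the saved
# "getent passwd" output that are absent from the local passwd file, i.e.
# the entries that came from LDAP; no output means NSS returned none
ldap_only_users() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             !($1 in seen) { print $1 }' "${2:-/etc/passwd}" "$1"
}

# --- constructed demo input (not from a real system) ---
d=$(mktemp -d)
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files\n' > "$d/nsswitch.conf"
printf 'uri ldap://ldap.example.test\nbase dc=example,dc=test\n' > "$d/ldap.conf"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd"
printf 'root:x:0:0:root:/root:/bin/bash\nalice:*:10001:10001::/home/alice:/bin/bash\n' > "$d/getent.out"
check_nsswitch "$d/nsswitch.conf" && echo "nsswitch.conf: OK"   # reports shadow
check_ldap_conf "$d/ldap.conf" && echo "ldap.conf: OK"          # reports nss_base_*
ldap_only_users "$d/getent.out" "$d/passwd"                       # prints alice
rm -r "$d"
```

Run it as the unprivileged user whose getent lookups fail, since the readability check is only meaningful from that account.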
For complex environments with multiple OUs:
nss_base_passwd ou=Users,ou=Department1,dc=souad,dc=com?sub?(&(objectClass=posixAccount)(loginShell=/bin/bash))
nss_base_group ou=Groups,ou=Department1,dc=souad,dc=com?sub
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gidNumber primaryGID