16.04 fails ldap authentication


I am having some trouble to get ldap authentication to work in Ubuntu 16.04

I can get it to work in 14.04 ok but so far it fails in 16.04

What I did in 14.04 is

apt-get install ldap-utils libpam-ldap libnss-ldap nslcd

filled in the various details LDAP Server etc

apt-get install sssd libpam-sss libnss-sss

ensured /etc/sssd/sssd.conf , /etc/certs/cacert.pem,
/etc/nsswitch.conf correct

ensure package auth-client-config is installed

/etc/init.d/nscd restart

update-rc.d nslcd enable

This worked every time for 14.04 but it fails in 16.04

On the 16.04 machine a telnet (to my ldap server) 636

Trying 138.251....1...

Connected to

Escape character is '^]'.

Which suggests the 16.04 machine sees the ldap server

Any help to resolve this would be sincerely appreciated

a getent returns only the contains of /etc/passwd on the local machine


Re: 16.04 fails ldap authentication

By Xen at 06/16/2017 - 08:21

Ian Taylor schreef op 16-06-2017 12:58:

I have had (and still have) a system 16.04 that can derive group and/or
user from an LDAP on the local network.

I have not used nsss.

The URI ldap:// did not work for me.

I used HOST and then an IP address, I believe.

I believe I employed unscd as a caching daemon because it functioned
better for a certain cause. My use case was for negative results
(nonexistent groups) to have a very long timeout (cache duration)
because otherwise they would hang the lookups and cause delays in mainly
log-in attemps and so on. I also set the timelimits and timeouts of
ldap.conf to very low values (seconds).

The libnss-ldap package is broken for a very long time already and they
won't fix it.

You have to run /usr/sbin/nssldap-update-ignoreusers manually as root to
ensure lookups are not performed through LDAP for system users and

But you didn't get that far yet.

I can't say anything else, I did nothing special. Although in the LDAP
database I have set "loginShell" to false because I didn't want these
users to be used for local login ;-).

When initially "getent" wouldn't work, it was because the URI thing
didn't work for me.