ldap still requires local user to work
I set up OpenLDAP on a machine using various walk-through guides on the web. There is one question I cannot seem to pin down.
I create an LDAP directory with 1 database to manage the users. There is an administrator group for those who can alter LDAP, and a regular users group for those.
Local root is not automatically LDAP admin.
Now here is my question: I can authenticate against the LDAP directory just fine. So I want to get rid of local users in /etc/passwd. Here is what I did:
- I deleted the local user's password using "passwd -d"
-> ok, user can still log on
- I deleted the user using userdel
-> user cannot log on anymore?
- I recreated the user locally using useradd
-> user can log on
- I created a new user in the LDAP directory using ldapadd
-> user cannot log in
- I added the user locally without setting a password using useradd
-> new user can log on using the LDAP password
So it seems the user needs to exist locally in /etc/passwd to be able to log on. Is this expected behaviour? At the moment the tests are done on one machine, so LDAP is running on the same machine where I am trying to log on. Maybe I've missed something.
slapd Version: 2.2.26-5ubuntu2.2
libnss Version: 238-1.1ubuntu1
libpam Version: 180-1ubuntu0.6.06
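The symptom described in the post (LDAP passwords are accepted, but only for accounts that also have a line in /etc/passwd) is the usual split between PAM, which checks the password, and NSS, which decides whether the account exists at all. The script below is an added example, not code from the poster or from the OpenLDAP project: it checks whether an nsswitch.conf-style configuration lists ldap as a source for the passwd, shadow and group databases, and offers a live check that asks NSS (via getent) whether an account is visible without a local /etc/passwd entry. The two configuration samples are constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Constructed nsswitch.conf samples (not taken from the poster's machine).
# The first consults only local files; the second also consults nss_ldap.
NSS_LOCAL_ONLY='passwd: compat
group: compat
shadow: compat
hosts: files dns'

NSS_WITH_LDAP='passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns'

# nss_sources CONTENT DB -> prints the source list configured for DB
# (e.g. "compat ldap"), or nothing if DB is not listed.
nss_sources() {
    printf '%s\n' "$1" | awk -v db="$2" '
        $1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# nss_has_ldap CONTENT DB -> exit 0 if "ldap" is among DB's sources
nss_has_ldap() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = "ldap" ] && return 0
    done
    return 1
}

# check_nss CONTENT -> reports which of passwd/shadow/group do not consult
# LDAP; exit 1 if any is missing. An account defined only in the directory
# is invisible to login, getent, ls -l etc. unless passwd (and normally
# group and shadow) list ldap here.
check_nss() {
    missing=""
    for db in passwd shadow group; do
        nss_has_ldap "$1" "$db" || missing="$missing $db"
    done
    if [ -n "$missing" ]; then
        echo "nsswitch.conf does not consult LDAP for:$missing"
        return 1
    fi
    echo "nsswitch.conf consults LDAP for passwd, shadow and group"
    return 0
}

# user_visible_via_nss USER -> live check on the real host:
#   0  account resolves through NSS and has no line in /etc/passwd
#   2  account resolves, but only because it is in /etc/passwd
#   1  account does not resolve at all (or getent is unavailable)
user_visible_via_nss() {
    getent passwd "$1" >/dev/null 2>&1 || return 1
    grep -q "^$1:" /etc/passwd 2>/dev/null && return 2
    return 0
}

# Demo on the constructed samples (non-zero status ignored so the script
# runs to the end; a real check would act on it).
check_nss "$NSS_LOCAL_ONLY" || :
check_nss "$NSS_WITH_LDAP"
```

On the machine from the post, run check_nss against the real /etc/nsswitch.conf (for example with `check_nss "$(cat /etc/nsswitch.conf)"`) and then `user_visible_via_nss someldapuser`; a result of 2 reproduces exactly the situation in the post, where the directory supplies the password but the local file still supplies the account.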