Usually when you deploy ldap you also want to make sure when you do getent passwd it will not only show local users but also the ldap users. This is usually done in nslcd.conf if you are using nss-pam-lapd and might look like something like this (shortened a bit for the sake of brevity):
# /etc/nslcd.conf # nslcd configuration file. See nslcd.conf(5) # for details. # The user and group nslcd should run as. uid nslcd gid nslcd uri ldap://ldap-thingie.domain.com base dc=domain,dc=com # [...] # Customize certain database lookups base passwd ou=people,dc=domain,dc=com base group ou=groups,dc=domain,dc=com # [...] scope passwd one scope group one scope netgroup one scope networks one
Now, let's say for whatever reason you want to create another group, say, vegetables, whose members are not people (we will discuss the metaphysical implications of that some other time):
dn: cn=vegetables,ou=groups,dc=domain,dc=com objectClass: posixGroup cn: vegetables gidNumber: 2424
Since vegetables belong to ou=groups, you will see it if otu do, say, getent group vegetables. So, let's add a member to that group, say swampthing:
dn: uid=swampthing,ou=vegetables,dc=domain,dc=com uid: swampthing cn: Swamp Thing givenName: Swamp sn: Thing objectClass: inetOrgPerson objectClass: posixAccount loginShell: /usr/bin/treebark uidNumber: 1995 gidNumber: 2424 homeDirectory: /home/swamp gecos: Swamp Thing mail: firstname.lastname@example.org
when you try to look for it using getent passwd swampthing, it will not show up. But, doing a quick ldapsearch -x "(objectClass=posixAccount)" will find our green fellow. What is going on here? Well, look back at our nslcd.conf on the top of this article. base passwd ou=people,dc=domain,dc=com really translates to "hey man! If you are looking for a user (someone under passwd) in ldap, check ou=people,dc=domain,dc=com!" Problem is Mr. Thing is not on ou=people! Then, we should tell nslcd that looking for a user in ou=vegetables is ok too:
base passwd ou=people,dc=domain,dc=com base passwd ou=vegetables,dc=domain,dc=com base group ou=groups,dc=domain,dc=com
And now, when we try getent passwd swampthing again or even id swampthing, we will get info on Mr. Swamp.
Of course, I picked a rather silly name and group for this example, but there is nothing stopping the group to be, say, ou=services and the user mysql-backup. Does that give you evil ideas?.