I'm trying to implement an LDAP authentication system passing through an LDAP proxy. I use PAM and libnss for the authentication mechanism. All groups and users are defined in the LDAP database. In the proxy I just have the LDAP backend back_ldap enabled. When I try to log a user in on a machine with my configuration, it works when the user exists on the local machine or was added with the command adduser. All users are declared in the LDAP database as posix account and inetOrgPerson.

When I use the command getent passwd to list user accounts, I just see the local users and none of the LDAP users.

I would like to know whether the accounts must be declared locally if we want to authenticate against an LDAP server passing through an LDAP proxy.

Here is my nsswitch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files nisplus
aliases: files nisplus

Here is my ldap.conf:

host localhost
base ou=users,dc=my-domain,dc=com
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
pam_member_attribute memberUid
nss_base_passwd ou=users,dc=my-domain,dc=com?one
nss_base_shadow ou=users,dc=my-domain,dc=com?one
nss_base_group ou=groups,dc=my-domain,dc=com?one
pam_login_attribute uid
ssl no
tls_cacertdir /etc/openldap/cacerts