Unable to make ldap authentication work on Ubuntu 18.04 LTS

Question

I'm trying to enable LDAP authentication on Ubuntu using the guides below: https://computingforgeeks.com/how-to-configure-ubuntu-18-04-ubuntu-16-04-lts-as-ldap-client/

https://help.ubuntu.com/community/LDAPClientAuthentication

https://www.youtube.com/watch?v=l0e8rG0mku8

Nothing seems to work so far. ldapsearch works, but I can't login or test with "id" and "getent" commands. The only difference from the manuals is that I don't have ldap admin account and do not specify it, but I don't think this should break the rest. Appreciate any suggestions on how to troubleshoot PAM and ldap client

cat /etc/nsswitch.conf 
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow:        files
. . .

cat /etc/pam.d/common-session
session [default=1]         pam_permit.so
session requisite           pam_deny.so
session required                        pam_mkhomedir.so umask=0022 skel=/etc/skel/
session required            pam_permit.so
session optional            pam_umask.so
session required    pam_unix.so 
session optional            pam_ldap.so 
session optional    pam_systemd.so 

sudo nano /etc/pam.d/common-auth
auth    required   pam_group.so use_first_pass
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

sudo nano /etc/pam.d/common-password
password        requisite                       pam_pwquality.so retry=3
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha$
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_$
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password        optional        pam_gnome_keyring.so

$ ldapsearch -x -H ldap://ldap.server.com -b ou=employee,o=test,c=an -LLL "(alias=test_username)" cn
dn: cn=Test User  5142,ou=employee,o=slb,c=an
cn: Test User
cn: Test User  5142

$su - test_username
No passwd entry for user 'test_username'

$ getent passwd test_username
$

Answer 1

From the provided information, it is seen that your LDAP server works properly, but it is not the case for the NSS module, which is your LDAP client. You should check that /etc/ldap.conf contains the correct search base and LDAP server URI. Alternatively, you can run sudo dpkg-reconfigure ldap-auth-config for interactive editing.

PAM seems to be configured correctly. If not, it always can be fixed by interactive utility pam-auth-update.

Additionally, all the guides that you follow suggest you to install libnss-ldap implementation. If you are going to use the desktop version of Ubuntu, be aware that there are known issues between systemd-logind and libnss-ldap. The solution is to use the newer package libnss-ldapd. See this answer for details.