RE: Why does nslcd require LDAP user entry objectClass=posixAccount?


Unfortunately, it's not an option for us to change the LDAP user schema. We have to support/use an external LDAP database where we cannot extend their schema to add objectClass=posixAccount to their existing user entries. Can we use

map passwd uidNumber employeenumber

in nslcd.conf to get around this problem? Or is there an objectclass mapping that we can set up to map objectclass=posixAccount to objectclass=inetOrgPerson?

inetOrgPerson is one of the objectClasses that they use for the user entries, and employeenumber comes from inetOrgPerson.

It makes no sense to require all LDAP user entries to use objectClass=posixAccount when the users are not unix-based and posixAccount attributes like loginShell do not make sense.

What do you think? Would the attribute map above work? Thanks!!

Date: Wed, 8 Apr 2015 20:24:45 -0600
Subject: Re: Why does nslcd require LDAP user entry objectClass=posixAccount?

What LDAP server are you using... pretty much all of them support extending the schema for PosixAccount, ShadowAccount and PosixGroup objectClasses.

If AD is the LDAP provider then you would look at: 

If OpenLDAP it should already be available within the schema:

On Wed, Apr 8, 2015 at 8:06 PM, Shimin <smqian [at]> wrote:

I am working on a project to support LDAP user authentication. I encounter this problem when configuring the pam_ldap module to authenticate LDAP users, where nslcd appears to require posixAccount attributes for LDAP users. Otherwise, I get errors such as: “passwd entry <xxxx> does not contain uidNumber value”.


None of my LDAP user entries has “objectClass=posixAccount”; therefore, they do not have the uidNumber attribute, nor gidNumber, loginShell, etc. I imagine there has to be a config setting where I can get around this… I already have


filter passwd (objectClass=person)


in nslcd.conf.  What else do I have to change so that nslcd won’t require posixAccount attributes like uidNumber?


I have been struggling with this for two days and I am really pulling my hair out trying to get this to work without having to add posixAccount to my user entries.  Please help!!  


Todd Grayson
Customer Operations Engineering
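
An added example, not part of the thread or of nss-pam-ldapd: a dry run of the `map passwd` idea discussed above against constructed inetOrgPerson entries, reporting which entries would still lack a usable passwd record. The required-field list, the `gidNumber` and `homeDirectory` expressions, the UID floor, the sample entries and the simplified `$attr` expansion are all assumptions.

```python
import re

# Constructed nslcd.conf fragment: the thread's map plus quoted expressions.
NSLCD_CONF = '''
filter passwd (objectClass=inetOrgPerson)
map passwd uidNumber employeeNumber
map passwd gidNumber "10000"
map passwd homeDirectory "/home/$uid"
'''
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")  # assumed mandatory
MIN_UID = 1000  # assumed floor, the same idea as nslcd's nss_min_uid option
ENTRIES = {  # constructed inetOrgPerson entries
    "alice": {"uid": "alice", "employeeNumber": "40312"},
    "bob": {"uid": "bob", "employeeNumber": "E-7781"},
    "carol": {"uid": "carol"},
    "dave": {"uid": "dave", "employeeNumber": "0"},
}

def parse_maps(conf):
    """Return {passwd field: (source, is_expression)} from 'map passwd' lines."""
    maps = {}
    for words in (line.split(None, 3) for line in conf.splitlines()):
        if len(words) == 4 and words[:2] == ["map", "passwd"]:
            maps[words[2]] = (words[3].strip().strip('"'), words[3].startswith('"'))
    return maps

def resolve(entry, maps):
    """Build the passwd view of one entry; attribute names are case-insensitive."""
    attrs = {k.lower(): v for k, v in entry.items()}
    def value(field):
        source, is_expr = maps.get(field, (field, False))
        if is_expr:  # simplified: only plain $attr references are expanded
            return re.sub(r"\$(\w+)", lambda m: attrs.get(m[1].lower(), ""), source)
        return attrs.get(source.lower())
    return {field: value(field) for field in REQUIRED}

def problems(entry, maps):
    """List the reasons an entry would not yield a usable passwd record."""
    view = resolve(entry, maps)
    found = [f"does not contain {f} value" for f in REQUIRED if not view[f]]
    for f in ("uidNumber", "gidNumber"):
        if view[f] and not view[f].isdecimal():
            found.append(f"{f} {view[f]!r} is not numeric")
    if (view["uidNumber"] or "").isdecimal() and int(view["uidNumber"]) < MIN_UID:
        found.append(f"uidNumber {view['uidNumber']} is below {MIN_UID}")
    return found

for name, entry in ENTRIES.items():
    print(name, problems(entry, parse_maps(NSLCD_CONF)) or "ok")
```

Running the same check with no `map` lines at all shows why remapping `uidNumber` alone is not enough: `gidNumber` and `homeDirectory` are also absent from these entries.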
