Ldap, sss and usermod

I hope this is not a FAQ; I have searched extensively but could not find the answer. When using sssd in connection with LDAP, my setup works only 50%, or so. I can create users/groups, change passwords, log in, and enumerate users (getent passwd). Strangely, enumerating groups (getent group) does not list groups stored in the LDAP server. But the real issue is,

usermod -s ldap -D cn=xxx -g 100 testuser


usermod: Account `testuser’ does not exist.

There is no indication that usermod made any attempt to talk to sssd (running with debug 9) or LDAP (via wireshark).

Any suggestions what can go wrong here?

(I am happy to add config files, but I am pretty sure this is a rather generic issue, as half of the tools have no problem finding the user).



useradd --service ldap -D cn=XXX testuer

According to the man page, "-s" is the short form of "--shell", not "--service".

Oops, I was a little quick in writing my last post. Actually, the command line I use is

usermod -D cn=XXX --service ldap -g 100 testuser

While the command rejects incorrect services (such as --service nonsense), it appears that the --service ldap (which is accepted) does not have much of an effect. Neither SSSD nor the remote LDAP server report any activity.


service ‘ldap’ requires libnss_ldap.so, which is provided by nss_ldap.

Unfortunately, service ‘sss’ is not supported by pwdutils, opened bugreport: Access Denied