getent problems


Post by doitt » 2019/12/17 15:07:33

I just set up my first CentOS 7 server. I’m using PAM and netgroups to allow only a certain number of people to log into the server.
My problem is with getent. When I issue getent passwd, I am getting a list of EVERYONE listed in the BASE (from the openldap/ldap.conf file).
I thought that getent would only return the people listed in the netgroup. I do NOT want everyone in this list to be able to log in to my server.

What’s even stranger: If I remove the netgroup from /etc/passwd and do a getent passwd, I still get the same list of people.

I have nslcd, pam ldap and openldap installed. I’m using nsswitch.conf as follows:

passwd: files ldap
group: files ldap
ethers: files
netmasks: files
networks: files dns
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: files
passwd_compat: ldap

I added my netgroup to /etc/passwd: +@zvmaio::::::

When I enter “getent netgroup zvmaio” it responds with the netgroup name, but none of the entries in the netgroup.
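
An added example, not part of the original post: a small Python check of the configuration described above. It relies on the nsswitch.conf(5) behaviour that `+@netgroup` lines in /etc/passwd and the `passwd_compat` line are only interpreted when the `passwd` database uses the `compat` source. The sample inputs are constructed from the post, and the function names are hypothetical.

```python
import re

# Constructed sample inputs mirroring the post (not read from a real host).
SAMPLE_NSSWITCH = "passwd: files ldap\nnetgroup: files ldap\npasswd_compat: ldap\n"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n+@zvmaio::::::\n"


def parse_nsswitch(text):
    """Return {database: [sources]}, dropping comments and [action] items."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # e.g. [NOTFOUND=return]
        dbs[db.strip()] = rest.split()
    return dbs


def compat_entries(passwd_text):
    """Return the name field of every '+'/'-' compat-style line in passwd."""
    return [line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line.startswith(("+", "-"))]


def audit(nsswitch_text, passwd_text):
    """Return findings about netgroup filtering of the passwd database."""
    dbs = parse_nsswitch(nsswitch_text)
    sources = dbs.get("passwd", [])
    entries = compat_entries(passwd_text)
    findings = []
    if entries and "compat" not in sources:
        findings.append("passwd has no 'compat' source, so these lines are "
                        "not expanded: " + ", ".join(entries))
    if "passwd_compat" in dbs and "compat" not in sources:
        findings.append("passwd_compat is set but unused without 'passwd: compat'")
    # Sources named directly on the passwd line are not netgroup-filtered.
    direct = [s for s in sources if s not in ("files", "compat")]
    if direct:
        findings.append("passwd queries these sources unfiltered: " + ", ".join(direct))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NSSWITCH, SAMPLE_PASSWD):
        print("FINDING:", finding)
```
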
