16.04 server: enabling LDAP authentication causes systemd-logind to fail

Had the same problem with my 16.04 desktop clients.

Finally resolved it by replacing the libnss-ldap package with libnss-ldapd.

Seems to be the same issue as in this bug report: https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/1024475

EDIT: more info about these packages from the Debian wiki:

There are currently two packages available to configure NSS lookups through LDAP: the libnss-ldap package and the libnss-ldapd package. Which one to choose depends on the needs. In general libnss-ldapd is simpler but newer and libnss-ldap is more mature but more complex. Also libnss-ldap has some known issues with serving host information and lookups during boot which should be addressed in libnss-ldapd. In addition, libnss-ldap breaks setuid programs (su, sudo) when using LDAP+SSL.


A way to prevent this problem is to make sure the nss_initgroups_ignoreusers parameter - in /etc/ldap.conf (or /etc/libnss-ldap.conf, depending on your system) - is populated with all the (local) users in /etc/passwd:

NSS_IGNOREUSERS="$(cut -d: -f1 /etc/passwd | sort | tr '\n' ',' | sed 's|,$||')"
sed -i "s|^nss_initgroups_ignoreusers.*|nss_initgroups_ignoreusers ${NSS_IGNOREUSERS}|" /etc/ldap.conf

This way, when the system boots and the user/group name services are queried to start the local services, no more 'nss_ldap: Can't contact LDAP server' messages will be issued (since the corresponding local users/groups are ignored by NSS LDAP).

(This issue has been around for years, independently of systemd.)
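
A more defensive form of the nss_initgroups_ignoreusers update described in the answer above, as an added example that is not part of the original post: the one-line sed changes nothing when the directive is missing or commented out, so this version appends it in that case and stays idempotent on repeated runs. The function names are illustrative; pass /etc/libnss-ldap.conf as the second argument if that is the file your system uses.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.

# build_ignore_list PASSWD_FILE
# Prints the account names of PASSWD_FILE as one sorted, de-duplicated,
# comma-separated line.
build_ignore_list() {
    # Drop blank lines, comments and NIS compat entries ("+..." / "-..."),
    # none of which are local account names.
    cut -d: -f1 "$1" | grep -v -e '^$' -e '^[#+-]' | sort -u | paste -sd, -
}

# set_ignoreusers PASSWD_FILE CONF_FILE
# Replaces the active nss_initgroups_ignoreusers line in CONF_FILE, or appends
# one when no active line exists. Commented-out lines are left untouched.
set_ignoreusers() {
    passwd_file=$1
    conf_file=$2
    users=$(build_ignore_list "$passwd_file") || return 1
    if [ -z "$users" ]; then
        echo "no local users found in $passwd_file" >&2
        return 1
    fi
    tmp=$(mktemp "${conf_file}.XXXXXX") || return 1
    awk -v line="nss_initgroups_ignoreusers $users" '
        # An active directive: emit the new value once, drop any duplicates.
        /^[ \t]*nss_initgroups_ignoreusers([ \t]|$)/ {
            if (!done) print line
            done = 1
            next
        }
        { print }
        # No active directive was seen: append it.
        END { if (!done) print line }
    ' "$conf_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back into the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf_file" && rm -f "$tmp"
}

# Typical call, as root:
#   set_ignoreusers /etc/passwd /etc/ldap.conf
```

Re-run it whenever a package adds a new system account, since an account missing from the list is again looked up through LDAP at boot.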