How to identify if currently logged in user is an LDAP user in Solaris

I want to know how to identify if the currently logged in user in Solaris is an LDAP user or a local user.
Any command?
Or any C runtime functions like getspnam, getpwnam which return an attribute saying it is an LDAP user or local user after the user has logged in?

Answers

Ldaplist will tell you if the user has an entry in the LDAP database. It doesn't sort out the case where the user also has an entry in the /etc/passwd file, though.

ldaplist passwd username

I am assuming that UIDs that are "local" are in a separate range from "LDAP". I'm also assuming that nsswitch is configured to use files and ldap for passwd, shadow, and/or group. The command getent should be present on GNU libc systems. I'm going to assume that the local files databases are smaller than the ldap source and so we will want to test the smaller and/or faster of the two sources.

If you wanted to determine if a given UID was present in one of the databases, you could run something similar to

$ getent --service=files passwd | grep 655

This could match the default GID in the file, so a more creative grep may be in order.

$ getent --service=files passwd | grep -e '^[^:]*:[^:]*:655:'

If you are looking to turn this into a script-able item, then you will want to tack wc on the end to do integer testing.

$ getent --service=files passwd | grep -e '^[^:]*:[^:]*:655:' | wc -l

This should return 0 if not found, or 1 (or more) if found. We would only test one source because we are assuming that we are testing a valid UID and that it will be in the other source if it's not in here.

Lastly, as long as you are using nsswitch you should be able to use any of the C libraries that support this to check if they are valid. I don't have any first-hand experience with them, but I would assume that you can pass an option like we did here to only use a specific source. Alternately you can use the same logic as above and just cat /etc/passwd. Assuming again that if they aren't in here they are in LDAP.

It is not going to be easy. You can open the password file and look for them. If they aren't there, conclude LDAP. Unless, of course, it's NIS. Or Kerberos. If your version of Solaris has PAM you could read up on that to see if it has any relief to offer.

If you are using sss as part of the ipaclient package,

getent --service=sss passwd $USER | wc -l

will tell you if the user exists in the LDAP Database of the FreeIPA server.

I have no idea how to tell what credentials they used to actually authenticate, but it should be easier to just look them up in the LDAP database and see if they are there. I use the ldap_client utility to look people up all the time. You need to know the name of the ldap server, and a few other details. Check the man page for it. For example, if the user has a local account, and they are in LDAP, the passwords that get checked at login will depend on the system configuration.
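
The files-versus-name-service check described in the answers above, as an added shell example that is not part of any original answer. The function names and the NSS_LOOKUP variable are assumptions made for this example; a user that resolves only through the name service may come from LDAP, NIS or another configured source.

```shell
#!/bin/sh
# Added example: decide whether an account comes from the local passwd file
# or only from the name service (LDAP, NIS, sss, ...).
# NSS_LOOKUP and all function names are illustrative, not from the page.

# Command that resolves a login name through the full nsswitch chain.
NSS_LOOKUP=${NSS_LOOKUP:-"getent passwd"}

# names_for_uid UID [FILE]: print login names whose UID field (3rd) is UID.
# Comparing the field itself avoids the substring and GID false matches
# that a plain "grep 655" produces.
names_for_uid() {
    awk -F: -v uid="$1" '$3 == uid { print $1 }' "${2:-/etc/passwd}"
}

# name_in_file NAME [FILE]: succeed if NAME is a login name (1st field).
name_in_file() {
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# account_source NAME [FILE]: print one of
#   files         entry exists in the local file (it may also exist in LDAP)
#   name-service  not in the local file, but the name service resolves it
#   unknown       neither source knows the name
account_source() {
    if name_in_file "$1" "${2:-/etc/passwd}"; then
        echo files
    elif $NSS_LOOKUP "$1" >/dev/null 2>&1; then
        echo name-service
    else
        echo unknown
    fi
}

# Typical call for the current login: account_source "$LOGNAME"
```

A result of "files" does not rule out a second entry in LDAP; ldaplist passwd username answers that part. Where /usr/bin/awk is a legacy awk without -v, substitute nawk.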




