I want to set up an SSH server that can authenticate against an LDAP server. The LDAP server (OpenLDAP) is already running. Now I've installed a fresh SLES12SP1 server and followed some tutorials for setting up the PAM module, but SLES is rarely used.
My installation steps are:
- install "pam_ldap" & "nss_ldap"
- modify file "/etc/ldap.conf", set the LDAP server and search base
host XXX.XX.XX.XX
base dc=XXXX,dc=de
- modify file "/etc/nsswitch.conf"
shadow: files ldap
passwd: files ldap
group: files ldap
- modify "/etc/pam.d/sshd" and add the LDAP entries
#%PAM-1.0
auth required pam_unix2.so
auth sufficient pam_ldap.so debug
account required pam_unix2.so
account sufficient pam_ldap.so debug
password required pam_pwcheck.so
password sufficient pam_ldap.so use_authtok debug
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so
session required pam_limits.so
session required pam_env.so
That's all, now I should be able to get the LDAP users with
getent passwd XXX
But I get no results. ldapsearch works and I get the users, and the LDAP server is reachable. Did I forget something or make a mistake? I've been working on this problem all day and can't find a fix. It doesn't seem so complicated.
Here are the logs, if this helps:
LDAP server, messages:
2016-07-26T15:25:51.248330+02:00 LDAPServ slapd[2913]: conn=1338 op=2 SRCH base="dc=XXX,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ldaptest))"
2016-07-26T15:25:51.249119+02:00 LDAPServ slapd[2913]: conn=1338 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
2016-07-26T15:25:51.249381+02:00 LDAPServ slapd[2913]: <= bdb_equality_candidates: (objectClass) not indexed
2016-07-26T15:25:51.249646+02:00 LDAPServ slapd[2913]: <= bdb_equality_candidates: (objectClass) not indexed
2016-07-26T15:25:51.249905+02:00 LDAPServ slapd[2913]: <= bdb_equality_candidates: (uid) not indexed
2016-07-26T15:25:51.250205+02:00 LDAPServ slapd[2913]: conn=1338 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
SSH server, nscd:
Tue Jul 26 15:25:51 2016 - 2551: handle_request: request received (Version = 2) from PID 2580
Tue Jul 26 15:25:51 2016 - 2551: GETFDPW
Tue Jul 26 15:25:51 2016 - 2551: provide access to FD 8, for passwd
Tue Jul 26 15:25:51 2016 - 2551: handle_request: request received (Version = 2) from PID 2580
Tue Jul 26 15:25:51 2016 - 2551: GETPWBYNAME (ldaptest)
Tue Jul 26 15:25:51 2016 - 2551: Haven't found "ldaptest" in password cache!
Tue Jul 26 15:25:51 2016 - 2551: add new entry "ldaptest" of type GETPWBYNAME for passwd to cache (first)
Tue Jul 26 15:26:11 2016 - 2551: pruning passwd cache; time 1469539571
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYUID entry "0", timeout 1469539696
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYNAME entry "ldaptest", timeout 1469539571
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYUID entry "51", timeout 1469539906
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYNAME entry "nobody", timeout 1469539906
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYNAME entry "root", timeout 1469539696
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYUID entry "65534", timeout 1469539906
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYNAME entry "postfix", timeout 1469539906
Tue Jul 26 15:26:26 2016 - 2551: pruning passwd cache; time 1469539586
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYUID entry "0", timeout 1469539696
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYNAME entry "ldaptest", timeout 1469539571
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYUID entry "51", timeout 1469539906
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYNAME entry "nobody", timeout 1469539906
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYNAME entry "root", timeout 1469539696
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYUID entry "65534", timeout 1469539906
Tue Jul 26 15:26:26 2016 - 2551: considering GETPWBYNAME entry "postfix", timeout 1469539906
Tue Jul 26 15:26:26 2016 - 2551: remove GETPWBYNAME entry "ldaptest"
Tue Jul 26 15:26:26 2016 - 2551: freed 216 bytes in passwd cache
Tue Jul 26 15:26:43 2016 - 2551: handle_request: request received (Version = 2) from PID 2593
Tue Jul 26 15:26:43 2016 - 2551: GETFDPW
Tue Jul 26 15:26:43 2016 - 2551: provide access to FD 8, for passwd
Tue Jul 26 15:26:43 2016 - 2551: handle_request: request received (Version = 2) from PID 2593
Tue Jul 26 15:26:43 2016 - 2551: GETFDGR
Tue Jul 26 15:26:43 2016 - 2551: provide access to FD 10, for group
Tue Jul 26 15:26:43 2016 - 2551: handle_request: request received (Version = 2) from PID 2593
Tue Jul 26 15:26:43 2016 - 2551: GETPWBYUID (4)
Tue Jul 26 15:26:43 2016 - 2551: Haven't found "4" in password cache!
Tue Jul 26 15:26:43 2016 - 2551: add new entry "4" of type GETPWBYUID for passwd to cache (first)
Tue Jul 26 15:26:43 2016 - 2551: add new entry "lp" of type GETPWBYNAME for passwd to cache
Tue Jul 26 15:26:43 2016 - 2551: handle_request: request received (Version = 2) from PID 2593
Tue Jul 26 15:26:43 2016 - 2551: GETGRBYGID (7)
Tue Jul 26 15:26:43 2016 - 2551: Haven't found "7" in group cache!
Tue Jul 26 15:26:43 2016 - 2551: add new entry "7" of type GETGRBYGID for group to cache (first)
Tue Jul 26 15:26:43 2016 - 2551: add new entry "lp" of type GETGRBYNAME for group to cache
Tue Jul 26 15:26:43 2016 - 2551: handle_request: request received (Version = 2) from PID 2593
Tue Jul 26 15:26:43 2016 - 2551: GETPWBYUID (9)
Tue Jul 26 15:26:43 2016 - 2551: Haven't found "9" in password cache!
Tue Jul 26 15:26:43 2016 - 2551: add new entry "9" of type GETPWBYUID for passwd to cache (first)
Tue Jul 26 15:26:43 2016 - 2551: add new entry "news" of type GETPWBYNAME for passwd to cache
Tue Jul 26 15:26:43 2016 - 2551: handle_request: request received (Version = 2) from PID 2593
Tue Jul 26 15:26:43 2016 - 2551: GETGRBYGID (13)
Tue Jul 26 15:26:43 2016 - 2551: Haven't found "13" in group cache!
Tue Jul 26 15:26:43 2016 - 2551: add new entry "13" of type GETGRBYGID for group to cache (first)
Tue Jul 26 15:26:43 2016 - 2551: add new entry "news" of type GETGRBYNAME for group to cache
SSH server, messages:
2016-07-26T15:29:35.444271+02:00 SSHServ sshd[2612]: Invalid user ldaptest from XXX.XXX.XXX.XXX
2016-07-26T15:29:35.448138+02:00 SSHServ sshd[2612]: input_userauth_request: invalid user ldaptest [preauth]
2016-07-26T15:29:35.453752+02:00 SSHServ sshd[2612]: Postponed keyboard-interactive for invalid user ldaptest from XXX.XXX.XXX.XXX port 59483 ssh2 [preauth]
2016-07-26T15:29:37.372348+02:00 SSHServ sshd[2612]: Postponed keyboard-interactive/pam for invalid user ldaptest from XXX.XXX.XXX.XXX port 59483 ssh2 [preauth]
2016-07-26T15:29:40.240791+02:00 SSHServ sshd[2614]: pam_ldap: error trying to bind as user "cn=ldaptest,o=XXXX,dc=XXX,dc=de" (Invalid credentials)
2016-07-26T15:29:40.244404+02:00 SSHServ sshd[2612]: error: PAM: User not known to the underlying authentication module for illegal user ldaptest from XXX.XXX.XXX.XXX
2016-07-26T15:29:40.244980+02:00 SSHServ sshd[2612]: Failed keyboard-interactive/pam for invalid user ldaptest from XXX.XXX.XXX.XXX port 59483 ssh2
2016-07-26T15:29:40.248708+02:00 SSHServ sshd[2612]: Postponed keyboard-interactive for invalid user ldaptest from XXX.XXX.XXX.XXX port 59483 ssh2 [preauth]
2016-07-26T15:29:41.929544+02:00 SSHServ sshd[2612]: error: Received disconnect from XXX.XXX.XXX.XXX: 13: Unable to authenticate [preauth]
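As an added diagnostic example (not code from the original post), the Python script below reads nscd debug-log lines in the format quoted above and works out whether the entry nscd stored for a user was a positive or a negative cache entry: an entry that expires 20 s after insertion carries nscd's negative TTL, meaning every NSS source (files, then ldap) answered "no such user", which is the condition under which getent prints nothing and sshd logs "Invalid user". The log excerpt is constructed in the same shape as the post's nscd log, and the 20 s / 600 s values are assumed to be the stock nscd.conf defaults for the passwd database.

```python
import re
from datetime import datetime

# Constructed excerpt in the format nscd writes at debug level (same shape as the log above).
NSCD_LOG = """\
Tue Jul 26 15:25:51 2016 - 2551: GETPWBYNAME (ldaptest)
Tue Jul 26 15:25:51 2016 - 2551: Haven't found "ldaptest" in password cache!
Tue Jul 26 15:25:51 2016 - 2551: add new entry "ldaptest" of type GETPWBYNAME for passwd to cache (first)
Tue Jul 26 15:26:11 2016 - 2551: pruning passwd cache; time 1469539571
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYNAME entry "ldaptest", timeout 1469539571
Tue Jul 26 15:26:11 2016 - 2551: considering GETPWBYNAME entry "root", timeout 1469539696
Tue Jul 26 15:26:43 2016 - 2551: add new entry "lp" of type GETPWBYNAME for passwd to cache
Tue Jul 26 15:27:11 2016 - 2551: pruning passwd cache; time 1469539631
Tue Jul 26 15:27:11 2016 - 2551: considering GETPWBYNAME entry "lp", timeout 1469540203
"""

NEGATIVE_TTL = 20   # assumed stock nscd.conf negative-time-to-live for passwd; positive default is 600
LINE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) - \d+: (.*)$")
ADD = re.compile(r'add new entry "([^"]+)" of type GETPWBYNAME')
PRUNE = re.compile(r"pruning passwd cache; time (\d+)")
CONSIDER = re.compile(r'considering GETPWBYNAME entry "([^"]+)", timeout (\d+)')
EPOCH = datetime(1970, 1, 1)

def classify_passwd_entries(log):
    """Map each GETPWBYNAME cache entry to {'ttl': seconds or None, 'status': 'negative'|'positive'|'unknown'}."""
    added, timeouts, offset = {}, {}, None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # nscd stamps lines in local time with no zone, so keep naive seconds for now
        naive = (datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y") - EPOCH).total_seconds()
        a, p, c = ADD.search(m.group(2)), PRUNE.search(m.group(2)), CONSIDER.search(m.group(2))
        if a:
            added[a.group(1)] = naive
        elif p:
            # a prune line pairs a wall-clock stamp with its epoch value: that fixes the zone offset
            offset = int(p.group(1)) - naive
        elif c:
            timeouts[c.group(1)] = int(c.group(2))
    result = {}
    for name, timeout in timeouts.items():
        if name not in added or offset is None:
            result[name] = {"ttl": None, "status": "unknown"}  # inserted before the log started
            continue
        ttl = int(timeout - (added[name] + offset))
        # a 20 s expiry is nscd's negative TTL: every NSS source said "no such user"
        result[name] = {"ttl": ttl, "status": "negative" if ttl <= NEGATIVE_TTL else "positive"}
    return result
```

A "negative" result for the LDAP-only user points at the NSS side (nss_ldap and /etc/ldap.conf) rather than at the PAM stack, since sshd never reaches a usable pam_ldap bind for a user it cannot resolve.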