diff --git a/group_vars/all b/group_vars/all
index db52d50..efa8002 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -4,16 +4,16 @@ ldap_ca: /etc/ldap/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
 ldap_host: ldap.binary.kitchen
 ldap_base: dc=binary-kitchen,dc=de
-ldap_binddn: cn=Services,ou=Roles,dc=binary-kitchen,dc=de
+ldap_binddn: cn=Services,ou=roles,dc=binary-kitchen,dc=de
 ldap_bindpw: svcpwd
 mail_domain: binary-kitchen.de
 mail_server: mail.binary-kitchen.de
 mailman_domain: lists.binary-kitchen.de
-nslcd_base_group: ou=Groups,dc=binary-kitchen,dc=de
-nslcd_base_shadow: ou=Users,dc=binary-kitchen,dc=de
-nslcd_base_passwd: ou=Users,dc=binary-kitchen,dc=de
+nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
+nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
+nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
 ntp_servers:
 - 172.23.1.61
diff --git a/roles/ldap-pam/files/nsswitch.conf b/roles/ldap-pam/files/nsswitch.conf
new file mode 100644
index 0000000..8f60129
--- /dev/null
+++ b/roles/ldap-pam/files/nsswitch.conf
@@ -0,0 +1,20 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+gshadow: files
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
diff --git a/roles/ldap-pam/handlers/main.yml b/roles/ldap-pam/handlers/main.yml
index 4a33fdd..0dea959 100644
--- a/roles/ldap-pam/handlers/main.yml
+++ b/roles/ldap-pam/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+- name: Restart nscd
+  service: name=nscd state=restarted
+
 - name: Restart nslcd
   service: name=nslcd state=restarted
diff --git a/roles/ldap-pam/tasks/main.yml b/roles/ldap-pam/tasks/main.yml
index 6f25beb..67d3513 100644
--- a/roles/ldap-pam/tasks/main.yml
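Review bot: `ldap_bindpw: svcpwd` is still committed in clear text in group_vars/all right next to the `ldap_binddn` line this hunk edits, so the credential nslcd uses to bind to the directory lives in repository history; moving it into an ansible-vault-encrypted variable (e.g. `ldap_bindpw: "{{ vault_ldap_bindpw }}"`) would keep it out of the tree without changing any consumer. The `ou=Roles` to `ou=roles` edit only changes case, which the directory will most likely treat as equivalent, whereas the `ou=Users` to `ou=people` changes on the nslcd bases are real relocations; the slapd side of this commit does not show the matching directory restructure, so it is worth confirming those subtrees exist before the hosts pick up the new bases, since nslcd lookups silently fall back to local files otherwise. A one-line comment above the nslcd_base_* keys stating which directory layout they track, `# bases follow the ou=people/ou=groups layout of the directory`, would make future moves less surprising.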
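Review bot: The new nsswitch.conf keeps the distribution's example header but does not say why `shadow: files ldap` is enabled, and that line widens what the nslcd bind account must be allowed to read on the directory; if authentication is done by pam_ldap rather than by pam_unix reading shadow attributes, `shadow: files` is sufficient and narrows the exposure. A short comment at the top, `# passwd/group/shadow fall through to nslcd (ldap) after local files so local accounts always win`, would document the intended precedence. `netgroup: nis` points at a service this role does not appear to deploy (hedged, only this diff is visible); `netgroup: files` avoids a lookup into an absent NSS backend.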
+++ b/roles/ldap-pam/tasks/main.yml
@@ -9,6 +9,11 @@
   notify: Restart nslcd
   tags: ldap
+- name: Configure nsswitch
+  copy: src=nsswitch.conf dest=/etc/nsswitch.conf
+  notify: Restart nscd
+  tags: ldap
+
 - name: Configure PAM mkhomedir
   copy: src=mkhomedir dest=/usr/share/pam-configs/mkhomedir mode=0644
   notify: Update pam-auth
diff --git a/roles/ldap-server/templates/slapd.conf.j2 b/roles/ldap-server/templates/slapd.conf.j2
index f6c1169..9472735 100644
--- a/roles/ldap-server/templates/slapd.conf.j2
+++ b/roles/ldap-server/templates/slapd.conf.j2
@@ -51,6 +51,7 @@ access to attrs=userPassword
         by * none
 access to attrs=loginShell
         by self write
+        by users read
         by * none
 access to *
         by self read
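Review bot: The new "Configure nsswitch" task copies a file into /etc without fixing ownership or mode, unlike the sibling mkhomedir task in the same hunk that sets `mode=0644`; for consistency and so the file is readable by every NSS consumer, use `copy: src=nsswitch.conf dest=/etc/nsswitch.conf owner=root group=root mode=0644`. The task notifies "Restart nscd", but no task in this diff installs nscd, so the handler will fail on hosts where the package is absent unless it is installed earlier in the role (not visible here). The task list continues outside the hunk.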
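Review bot: The added `by users read` on loginShell grants every authenticated bind read access to every account's shell, while the apparent intent is to let the nslcd service account populate the passwd map; since loginShell is exposed through the passwd map anyway the exposure is small, but the clause could be scoped to that account via the existing variable, `by dn.exact="{{ ldap_binddn }}" read`, and the grant deserves a comment such as `# nslcd binds as the service account and needs loginShell for the passwd map`. Note that `by self write` above it still lets a user set an arbitrary shell value that nslcd will hand to the login path unchanged, which is pre-existing but worth a comment. The `access to *` rule at the bottom continues outside the hunk.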