User is looked up using getpwent() call, which usually looks into /etc/passwd file, but depending on NSS configuration it may also look up the user from eg. LDAP database.
Most commonly used as user database. Many systems use shadow passwords nowadays so it doesn't usually work as password database. BSDs are an exception to this, they still set the password field even with shadow passwords.