This works for CentOS 6 and 7. Note that the `systemctl` commands below are CentOS 7 (systemd) syntax; on CentOS 6 use `chkconfig sssd on` and `service sssd start` instead.
# yum install sssd openldap-clients
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
# scp ldap.master.server:/tmp/ca.crt /etc/openldap/cacerts/
# cacertdir_rehash /etc/openldap/cacerts/
# authconfig \ --disablesmartcard \ --disablefingerprint \ --enablesssd \ --enablesssdauth \ --enablelocauthorize \ --disablemd5 \ --passalgo=sha512 \ --enablepamaccess \ --enableldap \ --enableldapauth \ --disableldaptls \ --ldapserver=ldaps://ldap.yourdomain.tld:636 \ --ldapbasedn=dc=domain,dc=tld \ --enablemkhomedir \ --disablecachecreds \ --disablekrb5 \ --disablekrb5kdcdns \ --disablekrb5realmdns \ --krb5kdc=" #" \ --updateall
# vim /etc/sssd/sssd.conf [domain/<domain name like 'default' or 'LDAP'] ... ldap_default_bind_dn = cn=...,ou=... ldap_default_authtok_type = password # obfuscated_password: obfuscating the password provides no real security benefit ldap_default_authtok = <your bind dn password> ...
# systemctl enable sssd # systemctl start sssd Check if symlink has been created in: /etc/openldap/cacerts # ldapwhoami -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W # ldapsearch -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W # getent -s sss passwd <username> # getent -s sss group <groupname> # id -a <username>
sss_cache -E