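#!/usr/bin/env bash
# Runbook: enable LDAP-over-TLS (ldaps) user authentication on a RHEL/CentOS
# host (authconfig / SysV "service" era) using sssd, pam_ldap, nslcd and the
# OpenLDAP client tools.
#
# Run as root and work through the steps in order. The config edits are done
# by hand in vi; every value in <angle brackets> is a site placeholder to fill
# in with your own server FQDN, base DN, user name or group name.
set -euo pipefail

# 1. Packages: PAM LDAP module, nslcd (nss-pam-ldapd), sssd and ldapsearch & co.
yum install pam_ldap nss-pam-ldapd sssd openldap-clients

# 2. CA certificate store for the LDAP client libraries. These are two separate
#    commands: pasted as one line they become a single mkdir that creates
#    directories named "cp" and "caroot.crt" and never copies the certificate.
mkdir -p /etc/openldap/cacerts
cp -- caroot.crt /etc/openldap/cacerts/
#    TLS_CACERTDIR lookups go through subject-hash symlinks, so the directory
#    has to be rehashed after copying (e.g. c_rehash from openssl, or the
#    cacertdir_rehash helper shipped with authconfig); step 8 verifies the
#    symlink is there.

# 3. PAM/NSS stack. In the TUI select:
#      [*] Use LDAP
#      [*] Use Shadow passwords
#      [*] Use LDAP Authentication
#      [*] Local authorization is sufficient
#      [*] Use TLS
#      Server:  ldaps://<your server FQDN>:636
#      Base DN: <your DN>
authconfig-tui

# 4. OpenLDAP client library (ldapsearch and everything linking libldap).
#    Settings to have in place after editing:
#      URI            ldaps://<yourserver FQDN>:636/
#      BASE           <your DN>
#      TLS_CACERTDIR  /etc/openldap/cacerts
#      TLS_REQCERT    demand
#    The original used "TLS_REQCERT allow", which lets the session proceed
#    when the server presents no certificate or a bad one, so the CA installed
#    in step 2 is never enforced. With the CA in place, "demand" (the OpenLDAP
#    default) verifies the server certificate and fails closed.
vi /etc/openldap/ldap.conf

# 5. pam_ldap. Settings to have in place after editing:
#      base            <your DN>
#      uri             ldaps://<yourserver>:636/
#      pam_password    exop
#      ssl             start_tls
#      tls_cacertdir   /etc/openldap/cacerts
#    NOTE(review): "ssl start_tls" is normally paired with a plain ldap:// URI
#    on 389; for an ldaps:// URI on 636 the matching value is "ssl on" —
#    confirm against pam_ldap.conf(5) on this host before changing it.
vi /etc/pam_ldap.conf

# 6. sssd. Configure FQDN server names, exactly as they appear in the server
#    certificate — presumably the reason the original insists on FQDNs, since
#    the TLS client checks the certificate against the host name in the URI.
#      ldap_chpass_uri = ldaps://<your ldap server FQDN>
#      [nss]
#      filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
vi /etc/sssd/sssd.conf

# 7. Apply the sssd configuration.
service sssd restart

# 8. Check that the CA hash symlink exists next to caroot.crt (something like
#    "<hash>.0 -> caroot.crt"); without it TLS_CACERTDIR finds no CA.
ls -l /etc/openldap/cacerts

# 9. Verify: directory reachable with an anonymous simple bind, then NSS
#    resolution of users and groups through sssd.
ldapsearch -x -b "dc=<your DN>"
getent passwd "<username>"
getent group "<groupname>"
id -a "<username>"

# 10. sssd caches passwd/group entries; clear users (-U) and groups (-G)
#     when a directory change does not show up in getent/id.
sss_cache -U -G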