REMOVE SSSD:
If you're on RHEL 6 or CentOS 6, you should first remove sssd.
yum remove sssd
yum remove sssd-client
LINUX SETUP:
authconfig --enableldap --enableldapauth --enablelocauthorize --ldapserver=ldapserver1,ldapserver2,ldapserver3 --ldapbasedn="ou=blah,dc=example,dc=com" --update
OR
authconfig-tui
CONFIRM NSSWITCH.CONF:
/etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
If it reads anything other than "files ldap", you did something wrong.
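The nsswitch.conf check above can be scripted. This is an added example, not part of the original write-up; the function names nss_sources and check_nsswitch and the sample file contents are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that passwd, shadow
# and group in nsswitch.conf each read exactly "files ldap".
# nss_sources and check_nsswitch are illustrative names.

# Print the source list for one database with comments removed and
# whitespace collapsed. Prints nothing if the database has no active line.
nss_sources() {  # usage: nss_sources DB FILE
    awk -v db="$1" '
        { sub(/#.*/, "") }                      # strip comments
        $0 ~ ("^[ \t]*" db "[ \t]*:") {         # e.g. "passwd:"
            sub(/^[^:]*:/, "")                  # keep only the sources
            $1 = $1                             # collapse whitespace
            print
            exit
        }' "$2"
}

# Return 0 only if all three databases are exactly "files ldap";
# otherwise report each mismatch on stderr and return 1.
check_nsswitch() {  # usage: check_nsswitch FILE
    rc=0
    for db in passwd shadow group; do
        got=$(nss_sources "$db" "$1")
        if [ "$got" != "files ldap" ]; then
            echo "$db: expected 'files ldap', found '${got:-<no entry>}'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the group line carries an extra "sss" source.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:     files ldap
shadow:     files   ldap   # extra spaces and comments are tolerated
group:      files sss ldap
hosts:      files dns
EOF
check_nsswitch "$sample" || echo "nsswitch.conf does not match the expected setup"
rm -f "$sample"
```

On a real host, call check_nsswitch /etc/nsswitch.conf after running authconfig.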
FINAL CONFIGURATION:
/etc/pam_ldap.conf or /etc/ldap.conf (depending on version):
host ldapserver1 ldapserver2 ldapserver3
base ou=blah,dc=example,dc=com
# binddn is a non-privileged user, not an admin
binddn username@example.com
bindpw type_username's_password
timelimit 120
bind_timelimit 120
bind_policy soft
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password md5
Comment out the lines below in the file:
uri ldap://ldapserver1/ ldap://ldapserver2/ ldap://ldapserver3/ (not needed)
ssl no (not needed)
tls_cacertdir /etc/openldap/cacerts (not needed)
Final note: others have edited the file /etc/sysconfig/authconfig and modified FORCELEGACY to yes, but I didn't need to.