To install LDAP authentication on CentOS 6 (with SSSD)
yum install sssd
To get the TLS/SSL cert:
cd /etc/sssd
sftp *389 directory server/cert directory*
mget cacert.asc
chown nobody:nobody cacert.asc
Configuring NSS Services to Use SSSD
# authconfig --enablesssd --update
The services map is not enabled by default when SSSD is enabled with authconfig. To include that map, open the nsswitch.conf file and add the sss module to the services map:
# vim /etc/nsswitch.conf
...
services: files sss
To configure the PAM service, use authconfig to enable SSSD for system authentication:
# authconfig --update --enablesssd --enablesssdauth
Configure sssd.conf:
vi /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
reconnection_retries = 3
sbus_timeout = 30
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[domain/LDAP]
cache_credentials = false
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://r65-1.local
ldap_search_base = dc=local
ldap_tls_cacert = /etc/sssd/cacert.asc
debug_level = 9
access_provider = ldap
ldap_access_filter = host=r65-2.local
The last two lines (access_provider and ldap_access_filter) provide host-based access control, the equivalent of pam_check_host_attr in the old pam_ldap configuration; if you are not using this feature, you can omit them.
Restart SSSD, after which the machine can log in using LDAP:
chmod 600 /etc/sssd/sssd.conf
service sssd restart
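As an added illustration of the settings above (example code written for this edit, not part of the original post or of SSSD itself), the script below parses an sssd.conf and an nsswitch.conf and reports the points this configuration depends on: the LDAP URI is ldaps:// (or STARTTLS is enabled), a CA certificate is configured so the server certificate can be validated, ldap_tls_reqcert is not weakened, an access_provider is set, sssd.conf is mode 0600, and the NSS maps list the sss module. The sample configurations are constructed to mirror the page; the defaults assumed when a key is absent (ldap_tls_reqcert = hard, ldap_id_use_start_tls = false, access_provider = permit) are those documented in the sssd-ldap and sssd.conf man pages.

```python
"""Audit an SSSD LDAP client configuration for the settings the how-to relies on.
Added example for this page, not the project's own code; samples are constructed."""
import configparser
import stat

# Constructed sample: the page's sssd.conf reduced to the keys the audit looks at.
GOOD_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
cache_credentials = false
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://r65-1.local
ldap_search_base = dc=local
ldap_tls_cacert = /etc/sssd/cacert.asc
access_provider = ldap
ldap_access_filter = host=r65-2.local
"""

# Constructed sample of the same file with common weakenings: plain ldap:// and no
# STARTTLS, certificate verification disabled, no CA file, no access provider.
WEAK_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://r65-1.local
ldap_search_base = dc=local
ldap_tls_reqcert = never
"""

# Constructed nsswitch.conf where the services map was left without sss.
NSSWITCH_SAMPLE = """\
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files
netgroup:   files sss
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; keys are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_domain(cp, domain):
    """Return a list of findings for one [domain/NAME] section."""
    sec = cp["domain/%s" % domain]
    findings = []
    if sec.get("id_provider") == "ldap" or sec.get("auth_provider") == "ldap":
        uri = sec.get("ldap_uri", "")
        starttls = sec.get("ldap_id_use_start_tls", "false").lower() == "true"
        if not uri.startswith("ldaps://") and not starttls:
            findings.append("ldap_uri is not ldaps:// and ldap_id_use_start_tls is off: "
                            "bind credentials would cross the network unencrypted")
        if not sec.get("ldap_tls_cacert") and not sec.get("ldap_tls_cacertdir"):
            findings.append("no ldap_tls_cacert/ldap_tls_cacertdir: the server "
                            "certificate cannot be validated against a trusted CA")
        reqcert = sec.get("ldap_tls_reqcert", "hard").lower()  # man page default
        if reqcert in ("never", "allow"):
            findings.append("ldap_tls_reqcert = %s disables certificate checking" % reqcert)
    if sec.get("access_provider", "permit") == "permit":  # man page default
        findings.append("access_provider is permit: every LDAP user may log in here")
    return findings


def mode_is_private(st_mode):
    """True when the permission bits are exactly 0600, as sssd.conf requires
    (the file may hold bind credentials; SSSD also expects it to be root-owned)."""
    return stat.S_IMODE(st_mode) == 0o600


def nsswitch_maps_without_sss(text, maps=("passwd", "group", "services")):
    """Return the NSS maps from `maps` whose module list does not include sss."""
    modules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        modules[name.strip()] = rest.split()
    return [m for m in maps if "sss" not in modules.get(m, [])]


if __name__ == "__main__":
    for label, text in (("page config", GOOD_SSSD_CONF), ("weakened config", WEAK_SSSD_CONF)):
        cp = parse_sssd_conf(text)
        for domain in cp["sssd"]["domains"].split(","):
            print(label, domain.strip(), audit_domain(cp, domain.strip()) or ["no findings"])
    print("nsswitch maps missing sss:", nsswitch_maps_without_sss(NSSWITCH_SAMPLE))
    print("0600 ok:", mode_is_private(0o100600), "0644 ok:", mode_is_private(0o100644))
```

Run it against a copy of your real files by reading them into the two parse functions; the page's configuration yields no findings, while the weakened sample reports all four problems and the nsswitch sample flags the services map that the authconfig step leaves out.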
Hello,
We are working on configuring our Linux servers to use LDAP for authentication using PAM_LDAP + SSSD. Our LDAP usernames are based on staff numbers (all numeric, starting at 1). This will cause conflicts with daemon, bin, sys... system accounts. What is the best option for us given our username pattern?
Thanks,
Saqib
You can try adding a prefix to the number. eg M00001 as the username.
Hello,
Have you guys run into any challenges with using LDAP accounts on Linux servers with NFS/GlusterFS mounts? Just curious.
Saqib