I am running Centos 6.5 and installed the latest SSSD from the IPA repo, 1.11.90.

I've got it working to the point where I can run the 'id' command and it will return an LDAP user. When I try to authenticate using SSH, however, I just get "Permission denied". The SSSD log shows the bind is invalid, as if I'm using a bad password or bind DN.

(Tue Mar  4 15:20:29 2014) [sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set

On my LDAP server I see that it is returning err=49.

[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - fd=520 slot=520 LDAPS connection from to
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - SSL 128-bit RC4
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - BIND dn="uid=ACCOUNT,ou=People,dc=here,dc=com" method=128 version=3
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=2 - UNBIND
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=-1 - closing - U1
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - closed.

I've tested over and over and I know I'm using the correct password. I tried multiple accounts, all with their correct passwords, and get the same result.

I'm not using TLS, just LDAPS on port 636. Could it be that SSSD is using RC4 encryption and our LDAP server doesn't support RC4? I'm just not sure where else to go with this.

This is my SSSD config.

auth_provider = ldap
cache_credentials = True
chpass_provider = ldap
entry_cache_timeout = 600
enumerate = false

id_provider = ldap

ldap_id_use_start_tls = False

ldap_schema = rfc2307bis
ldap_search_base = dc=here,dc=com

ldap_user_search_base = ou=people,dc=here,dc=com
ldap_user_object_class = myObjClass
ldap_user_name = uid

ldap_group_search_base = ou=groups,dc=here,dc=com
ldap_group_object_class = groupofuniquenames
ldap_page_size = 100

ldap_uri = ldaps://ldap.here.com:636
debug_level = 9

ldap_default_bind_dn = cn=BINDUSER,ou=applications,dc=here,dc=com
ldap_default_authtok = XXXXXXXX

ldap_network_timeout = 3

ldap_tls_cacertdir = /etc/openclad/cacert
ldap_tls_reqcert = never

ldap_access_filter = (department=My Department)

config_file_version = 2
services = nss, pam
domains = LDAP

filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd
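To narrow down where the err=49 comes from, it helps to correlate every BIND in the directory access log with its RESULT and check whether the SSSD service account (ldap_default_bind_dn) binds fine while only the user binds fail. The script below is an added example, not part of the original post or of SSSD; the log lines it parses are constructed in the same 389-DS access-log format quoted above, with made-up conn numbers and DNs.

```python
import re
from collections import Counter

# Constructed sample in the access-log format quoted in the post: the service
# account bind succeeds (err=0), the two user binds fail with err=49.
SAMPLE_LOG = """\
[04/Mar/2014:15:22:50 -0600] conn=2287150 op=0 msgId=1 - BIND dn="cn=BINDUSER,ou=applications,dc=here,dc=com" method=128 version=3
[04/Mar/2014:15:22:50 -0600] conn=2287150 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=binduser,ou=applications,dc=here,dc=com"
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - BIND dn="uid=ACCOUNT,ou=People,dc=here,dc=com" method=128 version=3
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=2 - UNBIND
[04/Mar/2014:15:23:01 -0600] conn=2287160 op=0 msgId=1 - BIND dn="uid=OTHER,ou=People,dc=here,dc=com" method=128 version=3
[04/Mar/2014:15:23:01 -0600] conn=2287160 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) msgId=\d+ - BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) msgId=\d+ - RESULT err=(\d+)')

def correlate_binds(log_text):
    """Join each BIND with the RESULT sharing its (conn, op); return (dn, err)
    tuples in log order. Lines with op=-1 (connection events) are skipped."""
    pending = {}   # (conn, op) -> bind DN waiting for its RESULT line
    outcomes = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            outcomes.append((pending.pop((m.group(1), m.group(2))), int(m.group(3))))
    return outcomes

def summarize(outcomes, service_dn):
    """Count err=49 per DN and report whether failures are confined to user
    binds while the service account binds successfully (DNs compared case-insensitively)."""
    failures = Counter(dn for dn, err in outcomes if err == 49)
    svc_ok = any(dn.lower() == service_dn.lower() and err == 0 for dn, err in outcomes)
    svc_failed = service_dn.lower() in (dn.lower() for dn in failures)
    return {"invalid_credentials": dict(failures),
            "service_bind_ok": svc_ok,
            "only_user_binds_fail": svc_ok and not svc_failed}

if __name__ == "__main__":
    print(summarize(correlate_binds(SAMPLE_LOG),
                    "cn=BINDUSER,ou=applications,dc=here,dc=com"))
```

If `only_user_binds_fail` is true against the real log, the service account and LDAPS transport are working and the problem lies with the user's simple bind itself (password, password policy or account state on the directory side), not with SSSD's connection settings.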