[SSSD-users] access_provider is completely ignored

I have sssd doing authentication through ldap and I actually have a working configuration that uses access_provider=ldap and ldap_access_filter and does the right thing on CentOS 6.4. On another system (CentOS 6.7) the exact same configuration does not work. Access is granted at all times no matter what. In fact, I can put in access_provider=deny, and access is still granted. Is there some dependency that I got right on the first system that is incorrect on this one? I can post logs if needed. Relevant info for non-working system: OS: CentOS 6.7 x86_64 sssd version: 1.12.4-47 (also tried 1.13.3 built from source) sssd.conf: [domain/ldap] ldap_schema = rfc2307 ldap_search_base = dc=DOMAIN id_provider = ldap auth_provider = ldap chpass_provider = ldap access_provider = deny ldap_uri = ldaps://LDAP_SERVER1,ldaps://LDAP_SERVER2 cache_credentials = True ldap_id_use_start_tls = True ldap_tls_cacertdir = /etc/openldap/cacerts [sssd] config_file_version = 2 services = nss, pam debug_level = 1 domains = ldap [nss] debug_level = 1 [pam] debug_level = 1 /etc/nsswitch.conf (relevant bits): passwd: sss files shadow: sss files group: sss files services: files sss netgroup: files sss ldap /etc/pam.d/system-auth: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_oddjob_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so Thank you for any help, -JE