Here is an SSSD configuration that is working in production against OIT LDAP. You will still need to manage certificates properly to use this in a secure manner. While you are testing, you can add "ldap_tls_reqcert = allow" as a line under the domain definition. This will help you debug by ruling out any certificate issues. DO NOT use that line in production! The only real deviations from a standard config is the addition of "min_id = 1", as OIT has group IDs in the 10s-20s. "enumerate = true" will create a local precache, and allows tools such as finger to operate normally. {{{ [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = oit [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/oit] auth_provider = ldap ldap_id_use_start_tls = True chpass_provider = ldap cache_credentials = True krb5_realm = EXAMPLE.COM ldap_search_base = o=Princeton University,c=US id_provider = ldap ldap_uri = ldap://ldap.princeton.edu/ krb5_kdcip = kerberos.example.com ldap_tls_cacertdir = /etc/pki/tls/certs min_id = 1 enumerate = true }}} Someone else once wrote this, but it no longer seems relevant as it disables sssd: For authentication only (no user database) make sure you have nss-pam-ldapd rpm installed and then run: authconfig --enableldapauth --ldapserver=ldaps://ldap.princeton.edu --ldapbasedn="o=Princeton University,c=US" --ldaploadcacert=file:///etc/pki/tls/certs/ca-bundle.crt --disablesssdauth --disablesssd --updateall --enableforcelegacy