On 05/06/2015 07:24 AM, Ulrich Hiller wrote:
>
> Now I have removed the 'ldap' from the /etc/nsswitch.conf. Now it looks
> like this:

Looks good.

> My /etc/openldap/ldap.conf is this:

OK, but that file isn't used for name service or authentication. Mostly just the openldap tools (ldapsearch, ldapadd, ldapmodify).

> The sssd.conf is this:
...
> [nss]
> filter_groups = root
> filter_users = root

Nitpick: those are the defaults. Probably don't need to set them.

> [domain/default]
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/ssl/certs
> ldap_tls_reqcert = never

Not sure about that setting. "allow" is probably what you want if you're using starttls.

> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
...
> When I stop the sssd daemon, no login at all is possible.

OK. Remember that previously you had both sssd and ldap configured to provide user information.

You'll want to watch the logs for more information. Start by determining whether the problem is in the name service or authentication step. Use "id <user>" or "getent passwd <user>" to determine whether user information is available through sssd. If it is not, then you probably want to start paring out settings that you added (assuming that you started with a file written by authconfig) until that's working.

If user data is available, then start looking at your pam configuration. It looks like you made some changes there, and not all of them make sense. In the auth stack, you're calling pam_unix.so twice. Remove the last one. You've also marked pam_sss.so as required instead of sufficient, which is definitely wrong. On success of a "sufficient" module, processing stops. On success of a "required" module, processing will continue, and will reach pam_deny.so. See the man page for pam.conf for more information.
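
The control-flag behaviour described in the last paragraph, as an added example that is not part of the original message: a simplified Python model of how a PAM auth stack is evaluated, plus a check for the two problems named in the reply. The stacks, their module order and the per-module results for an LDAP-only user are constructed assumptions, not the poster's actual configuration.

```python
# Added illustration: simplified model of the PAM control flags required,
# requisite and sufficient. All stacks and results are constructed samples.
BROKEN = """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required   pam_sss.so use_first_pass
auth sufficient pam_unix.so
auth required   pam_deny.so
"""
FIXED = """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_sss.so use_first_pass
auth required   pam_deny.so
"""
# Assumed outcome for an LDAP-only user with a correct password:
# no local shadow entry (pam_unix fails), sssd accepts the password.
LDAP_USER_OK = {"pam_env.so": True, "pam_unix.so": False,
                "pam_sss.so": True, "pam_deny.so": False}

def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility of a pam.d-style file."""
    fields = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(f[1], f[2]) for f in fields if len(f) >= 3 and f[0] == facility]

def evaluate(stack, results):
    """results maps module name -> True (success) or False (failure)."""
    succeeded = required_failed = False
    for control, module in stack:
        ok = results[module]
        if control == "sufficient" and ok and not required_failed:
            return True                  # success of "sufficient" stops here
        if control == "requisite" and not ok:
            return False                 # failure returns immediately
        if control in ("required", "requisite"):
            succeeded = succeeded or ok
            required_failed = required_failed or not ok  # stack keeps running
    return succeeded and not required_failed

def lint(stack):
    """Report the two problems called out in the reply."""
    modules = [m for _, m in stack]
    findings = []
    if modules.count("pam_unix.so") > 1:
        findings.append("pam_unix.so is called more than once")
    for i, (control, module) in enumerate(stack):
        if (control, module) == ("required", "pam_sss.so") and "pam_deny.so" in modules[i + 1:]:
            findings.append("pam_sss.so is required: success falls through to pam_deny.so")
    return findings
```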