4

We have configured an OpenLDAP server which is working fine. FreeBSD, Debian, and a WordPress plugin authenticate with no problems. We are configuring Fedora 21 with pam_sss, but we get the following error in /var/log/secure:

Mar  1 00:15:00 www sshd[1176]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=199.100.16.39  user={REDACTED}
Mar  1 00:15:00 www sshd[1176]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=199.100.16.39 user={REDACTED}
Mar  1 00:15:00 www sshd[1176]: pam_sss(sshd:auth): received for user {REDACTED}: 6 (Permission denied)

getent passwd {REDACTED} returns

{REDACTED}:*:1000:500:{REDACTED (full user name)}:/home/users/{REDACTED}:

The command I ran to configure the client is

authconfig --enableldap --enableldapauth --ldapserver='ldap://{REDACTED (IP)}:389/' --ldapbasedn='dc={REDACTED},dc={REDACTED},dc=com' --enablemkhomedir --enableshadow  --update

We have searched online for information about this specific error (the combination of authentication failure and 6 (Permission denied)), but have not found any instances where it has been solved.

Joel May
Authconfig tries so hard to obfuscate a lot of disparate configs, and adds its own. Try instead of "--enableldap --enableldapauth" the unintuitive "--disableldap --disableldapauth --enablesssd --enablesssdauth". Can you post your /etc/sssd/sssd.conf? – Andy Mar 01 '15 at 08:51

1 Answer

4

I found the solution to the problem. By running sssd -i -d 4 and trying to log in on a different console, I saw that START TLS was where the login failed. Apparently Red Hat and Fedora by default use TLS. The server does not have TLS (we don't have enough time right now). To disable TLS, edit /etc/sysconfig/authconfig on the client machine and update FORCELEGACY=no to FORCELEGACY=yes.

Credit to http://www.linuxquestions.org/questions/linux-enterprise-47/rhel-6-ldap-now-requires-tls-843917/

(Thank you Andy for trying to help!)

Mab879
Joel May
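
A check an administrator could run on a client configured as in the question and answer above, to see which settings leave LDAP logins without transport protection or dependent on StartTLS. This is an added example, not part of the original posts: the function names, finding codes and sample files (including the address 192.0.2.10) are constructed for illustration, and `ldap_uri` and `ldap_tls_reqcert` are sssd-ldap options that the posts themselves do not mention.

```shell
#!/bin/sh
# Added example: flag LDAP client settings that permit cleartext or
# unverified LDAP authentication. Finding codes are this example's own.

# Print the last value assigned to KEY in FILE ("KEY=value" or "key = value").
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_ldap_client [AUTHCONFIG_FILE] [SSSD_CONF]: prints one finding per line.
audit_ldap_client() {
    ac=${1:-/etc/sysconfig/authconfig}
    sc=${2:-/etc/sssd/sssd.conf}
    uri=$(conf_get "$sc" ldap_uri)
    # The workaround from the answer: legacy modules, no TLS requirement.
    if [ "$(conf_get "$ac" FORCELEGACY)" = "yes" ]; then
        echo "LEGACY_NO_TLS: FORCELEGACY=yes, passwords can cross ldap:// unencrypted"
    fi
    # ldaps:// does not match this pattern; only plain ldap:// URIs do.
    case "$uri" in
        *ldap://*)
            echo "STARTTLS_NEEDED: $uri is plain LDAP, SSSD auth depends on the server offering StartTLS" ;;
    esac
    case "$(conf_get "$sc" ldap_tls_reqcert)" in
        never|allow)
            echo "CERT_NOT_VERIFIED: ldap_tls_reqcert does not enforce server certificate validation" ;;
    esac
    return 0
}

# Constructed sample files mirroring a client after the answer's workaround.
demo() {
    d=$(mktemp -d) || return 1
    printf 'USELDAP=yes\nFORCELEGACY=yes\n' > "$d/authconfig"
    printf '[domain/default]\nid_provider = ldap\nauth_provider = ldap\n' > "$d/sssd.conf"
    printf 'ldap_uri = ldap://192.0.2.10:389/\nldap_tls_reqcert = never\n' >> "$d/sssd.conf"
    audit_ldap_client "$d/authconfig" "$d/sssd.conf"
    rm -rf "$d"
}
demo
```

Called with no arguments, `audit_ldap_client` reads the two files at the paths named in the thread; an empty result means none of the three conditions was found.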