In the past, to authenticate my users against an AD server, I have copied my working ldap.conf to a newly built server, added ldap to the shadow line of my nsswitch.conf file, and then quickly checked "Enable LDAP Authentication" in system-config-authentication to enable ldap authentication for local users with UID >= 500. I just installed F13 on a test server and am surprised to see that system-config-authentication is very different. It appears to require you to enable LDAP user accounting before allowing for LDAP authentication. It also appears to require an ldaps or tls connection to an LDAP authority when attempting LDAP authentication. I have two questions. First, I need a way to get ldap authentication set up quickly, and without tls or ssl. I am sure there is a legacy command I can run to get this enabled (I tried, for example, authconfig --enableldapauth --update). Second, if anyone has a good link to a site that gives a crash course in sssd so that I can become familiar with the "right" way to set up LDAP authentication given the new paradigm, that would also be helpful.
Update: I am playing with using the new system-config-authentication and ldaps://. I then removed sss from the passwd and group lines in nsswitch and just left it for shadow. I am not having a lot of luck with this and /var/log/secure is not helping a lot. It looks like it fails unix_chkpwd, which makes me wonder if it is trying to auth through sss at all.
---------- Post added at 02:35 PM CDT ---------- Previous post was at 08:50 AM CDT ----------
OK, I discovered my problem. For posterity, here is how I got it working:
Configure /etc/ldap.conf with your AD server information
Configure /etc/nsswitch.conf to use "shadow: files ldap"
Run authconfig --enableldapauth --disablesssd --disablesssdauth --update
Double-check the settings in BOTH /etc/pam.d/system-auth and /etc/pam.d/password-auth
I had never seen the password-auth file before and it was messing me up.
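The recipe above as a small audit script, added here as an example rather than something from the original post. It checks the three things the post says have to agree: that the nsswitch shadow line lists ldap, that every PAM service file handed to it (system-auth and password-auth in the post's case) has an auth rule loading pam_ldap.so rather than a leftover pam_sss.so, and how the ldap.conf reaches the server (STARTTLS, ldaps or cleartext). The module names pam_ldap.so and pam_sss.so and the ldap.conf keys uri and ssl are the standard pam_ldap/nss_ldap and sssd names, assumed here and not taken from the post; the sample files are constructed to mirror the situation described, with system-auth converted and password-auth never touched.

```shell
#!/bin/sh
# Added example: audit the files the post says must agree for pam_ldap
# authentication. Sample file contents below are constructed for this
# example; on a real host point the functions at /etc/nsswitch.conf,
# /etc/ldap.conf, /etc/pam.d/system-auth and /etc/pam.d/password-auth.

# Drop comments and blank lines so a module named in a comment is not counted.
strip_comments() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# 0 if the shadow: line of an nsswitch.conf names ldap as a source.
nsswitch_shadow_has_ldap() {
    strip_comments "$1" | grep -E '^[[:space:]]*shadow:' | grep -qw ldap
}

# 0 if an active "auth" rule in a PAM service file loads module $2 (e.g. pam_ldap.so).
pam_auth_uses() {
    strip_comments "$1" | grep -E '^[[:space:]]*auth[[:space:]]' | grep -qF "$2"
}

# Print how a pam_ldap/nss_ldap style ldap.conf reaches the server:
# starttls ("ssl start_tls"), ldaps ("ssl on" or a ldaps:// uri) or cleartext.
ldap_conf_transport() {
    if strip_comments "$1" | grep -qiE '^[[:space:]]*ssl[[:space:]]+start_tls'; then
        echo starttls
    elif strip_comments "$1" | grep -qiE '^[[:space:]]*(ssl[[:space:]]+on|uri[[:space:]]+ldaps://)'; then
        echo ldaps
    else
        echo cleartext
    fi
}

# Audit one layout: audit_ldap_auth nsswitch.conf ldap.conf pam-file [pam-file...]
# Returns the number of problems found; 0 means the files agree with the recipe.
audit_ldap_auth() {
    nss="$1"; conf="$2"; shift 2
    problems=0
    if nsswitch_shadow_has_ldap "$nss"; then
        echo "ok   $nss: shadow line includes ldap"
    else
        echo "FAIL $nss: shadow line does not include ldap"
        problems=$((problems + 1))
    fi
    echo "info $conf: transport is $(ldap_conf_transport "$conf")"
    for pamfile in "$@"; do
        if pam_auth_uses "$pamfile" pam_ldap.so; then
            echo "ok   $pamfile: auth stack loads pam_ldap.so"
        else
            echo "FAIL $pamfile: auth stack does not load pam_ldap.so"
            problems=$((problems + 1))
        fi
        if pam_auth_uses "$pamfile" pam_sss.so; then
            echo "warn $pamfile: auth stack still loads pam_sss.so (sssd not fully disabled)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample tree reproducing the post: system-auth converted to
# pam_ldap, password-auth still carrying the sssd rule. Prints the directory.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'passwd: files\ngroup:  files\nshadow: files ldap\n' > "$d/nsswitch.conf"
    printf 'uri ldap://ad.example.test/\nbase dc=example,dc=test\n' > "$d/ldap.conf"
    printf 'auth required pam_env.so\nauth sufficient pam_unix.so nullok try_first_pass\nauth sufficient pam_ldap.so use_first_pass\nauth required pam_deny.so\n' > "$d/system-auth"
    printf 'auth required pam_env.so\nauth sufficient pam_unix.so nullok try_first_pass\nauth sufficient pam_sss.so use_first_pass\nauth required pam_deny.so\n' > "$d/password-auth"
    echo "$d"
}

# Stand-alone run against the constructed tree.
sample=$(make_sample_tree)
audit_ldap_auth "$sample/nsswitch.conf" "$sample/ldap.conf" \
    "$sample/system-auth" "$sample/password-auth" || echo "$? problem(s) found"
rm -rf "$sample"
```

On the constructed tree the script reports the shadow line and system-auth as fine, flags password-auth twice (no pam_ldap.so, pam_sss.so still present) and notes that the uri is plain ldap://, which is the cleartext setup the first post asked for.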