
Cliente LDAP sobre TLS (sssd)

## sssd is the NSS/PAM LDAP backend; openldap-clients provides ldapwhoami/ldapsearch,
## used below to test the TLS connection independently of sssd
# yum install openldap-clients sssd

Exportar o certificado da CA no servidor LDAP (é com ele que o cliente validará o certificado do servidor):

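## Export the CA certificate (PEM) from the server's NSS database. The certificate is
## public, but the client will trust whatever file it receives, so print its SHA-256
## fingerprint here and compare it on the client after the copy. /tmp is
## world-writable and the path is predictable: remove the file once it has been copied.
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
# openssl x509 -in /tmp/ca.crt -noout -fingerprint -sha256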

No cliente:

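## Trust store holding only the LDAP CA; authconfig points ldap.conf and sssd.conf at it
# mkdir -p /etc/openldap/cacerts
# scp ldap-master-01.exemplo.org:/tmp/ca.crt /etc/openldap/cacerts/
## Verify the copy before any client trusts it: the fingerprint must match the one
## shown on the server (scp only protects the transfer if the server's SSH host key
## had already been verified on this client)
# openssl x509 -in /etc/openldap/cacerts/ca.crt -noout -fingerprint -sha256
# cacertdir_rehash /etc/openldap/cacerts/
## --disableldaptls only turns off STARTTLS on port 389. The ldaps:// URI on 636 is TLS
## from the first byte, and sssd's default ldap_tls_reqcert = hard rejects a server whose
## certificate does not chain to the CA installed above. --disablecachecreds keeps
## password hashes from being cached on the client (no offline logins).
## NOTE(review): --krb5kdc=" #" looks like a workaround to stop authconfig from writing a
## KDC entry into krb5.conf while Kerberos is disabled -- confirm it is still needed.
## authconfig is replaced by authselect on RHEL/CentOS 8 and later.
# authconfig \
> --disablesmartcard \
> --disablefingerprint \
> --enablesssd \
> --enablesssdauth \
> --enablelocauthorize \
> --disablemd5 \
> --passalgo=sha512 \
> --enablepamaccess \
> --enableldap \
> --enableldapauth \
> --disableldaptls \
> --ldapserver=ldaps://ldap-master-01.exemplo.org:636 \
> --ldapbasedn=dc=exemplo,dc=org \
> --enablemkhomedir \
> --disablecachecreds \
> --disablekrb5 \
> --disablekrb5kdcdns \
> --disablekrb5realmdns \
> --krb5kdc=" #" \
> --updateall
# systemctl enable sssd
# systemctl start sssd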
## Test the TLS handshake and a simple bind over ldaps with the OpenLDAP tools. libldap
## takes URI/BASE/TLS_CACERTDIR from /etc/openldap/ldap.conf (written by authconfig), so
## a CA that does not match the server certificate fails right here, before sssd is involved.
## NOTE(review): this binds as the directory rootdn (cn=Manager) from a client, which puts the
## admin password into every client's terminal. Prefer testing with the read-only account
## sssd itself will bind as.
# ldapwhoami -x -W -D "cn=Manager,dc=exemplo,dc=org" -H ldaps://ldap-master-01.exemplo.org
Enter LDAP Password: 
dn:cn=Manager,dc=exemplo,dc=org
# ldapsearch -x -W -D "cn=Manager,dc=exemplo,dc=org" -H ldaps://ldap-master-01.exemplo.org
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=exemplo,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# exemplo.org
dn: dc=exemplo,dc=org
dc: exemplo
objectClass: top
objectClass: domain
 
# Usuarios, exemplo.org
dn: ou=Usuarios,dc=exemplo,dc=org
ou: people
ou: Usuarios
objectClass: top
objectClass: organizationalUnit
 
# Grupos, exemplo.org
dn: ou=Grupos,dc=exemplo,dc=org
ou: groups
ou: Grupos
objectClass: top
objectClass: organizationalUnit
 
# search result
search: 2
result: 0 Success
 
# numResponses: 4
# numEntries: 3

Se o servidor não aceita consultas anônimas, configurar a conta com que o sssd fará o bind (o bloqueio de consultas anônimas é configuração do servidor, não do cliente):

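# vim /etc/sssd/sssd.conf

[domain/<domain name like 'default' or 'LDAP']
...
# Account sssd binds as when the server does not allow anonymous searches. Use a
# dedicated read-only account limited to the user/group attributes sssd needs;
# never the rootdn (cn=Manager).
ldap_default_bind_dn = cn=...,ou=...
# sssd.conf does not support trailing comments: text after "#" on a value line is
# read as part of the value, so "password # ..." is not a valid authtok type.
# Comments must be on their own line.
# obfuscated_password is also accepted, but obfuscating the password provides no
# real security benefit. The password below is stored in cleartext; its protection is
# the file mode -- sssd requires /etc/sssd/sssd.conf to be 0600 and owned by root.
ldap_default_authtok_type = password
ldap_default_authtok = <your bind dn password>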

Verificar a resolução de usuários e grupos pelo sssd:

## -s sss restricts the lookup to the sss NSS source, so a hit proves sssd is answering
## rather than /etc/passwd or /etc/group
# getent -s sss passwd <username>
# getent -s sss group <groupname>
## uid, primary gid and all group memberships (the -a flag is a no-op in GNU id)
# id <username>