LinuxQuestions.org
Forums > Linux Forums > Linux - Server
Problems setting up SSSD

#1  trekgirl (Member, Red Hat)  03-07-2012, 01:07 PM

I have SSSD installed on RHEL 5.7. Everything looks to be configured correctly. When I do an ldapsearch I get a good return. It is the 1.5.1-49.el5.x86_64 version of the package. However, when I do a getent passwd uid I get no return even though the ldapsearch clearly shows the uid is there. Obviously it won't let the user log on either... hopefully somebody has seen this.
When I look at the log files, this is what I am seeing:
sssd_nss.log
[sssd[nss]] [sss_dp_init] (0): Failed to connect to monitor services
[sssd[nss]] [sss_process_init] (0): fatal error setting up backend connector

sssd_pam.log
[sssd[pam]] [sss_dp_init] (0): Failed to connect to monitor services
[sssd[pam]] [sss_process_init] (0): fatal error setting up backend connector

sssd.log
[sssd] [monitor_quit] (0): Monitor received Terminated: terminating children

sssd_LDAP.log
[sssd[be[LDAP]]] [sdap_service_init] (0): Failed to parse ldap URI (ldap://SERVER NAME ldap://IP ADDRESS)!
[sssd[be[LDAP]]] [load_backend_module] (0): Error (22) in module (ldap) initialization (sssm_ldap_id_init)!
[sssd[be[LDAP]]] [be_process_init] (0): fatal error initializing data providers
[sssd[be[LDAP]]] [main] (0): Could not initialize backend (22)

Thanks in advance for any assistance you may be able to provide
 
#2  manyrootsofallevil (Member, Red Hat / Kubuntu)  03-07-2012, 05:14 PM
Quote: Originally Posted by trekgirl (post #1, quoted in full)

Can you post your ldapsearch command?

Can you also post your sssd.conf file?
 
#3  jefro (Moderator)  03-07-2012, 10:14 PM
"SERVER NAME"

Any chance this is a name issue? Are you using ip address to access ldap?
 
#4  trekgirl (Original Poster)  03-08-2012, 10:39 AM
Quote:
Originally Posted by jefro View Post
"SERVER NAME"

Any chance this is a name issue? Are you using ip address to access ldap?
It shouldn't be, I have tried it both ways. With both addresses, with just the IP, and with just the server name. The results are similar. With just the name it tries for a while, but gets nowhere. With the IP, it fails right away. /var/log/secure shows the failed authentication if the IP is in that field but not if it is just the server name. The entry is not only in /etc/hosts but also in the DNS server and everything resolves perfectly.
 
#5  trekgirl (Original Poster)  03-08-2012, 10:43 AM
Quote:
Originally Posted by manyrootsofallevil View Post
Can you post your ldapsearch command?

Can you also post you sssd.conf file?
ldapsearch doesn't use the sssd.conf file, it uses the ldap.conf file. It returns the domain, the one host I have in there now and the one user. So that seems successful, the server does answer queries.
My sssd.conf file is below, though just so you know it has been sanitized to remove sensitive information.

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]

# Example LDAP domain
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
ldap_schema = rfc2307
ldap_uri = ldap://SERVERNAME ldap://IP ADDRESS
ldap_search_base = dc=prod,dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/pki/tls/certs/slapd-cert.pem
ldap_tls_cacertdir = /etc/pki/tls/certs/
ldap_default_bind_dn = cn=admin,dc=prod,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = supersecret

# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
; [domain/AD]
; id_provider = ldap
; auth_provider = krb5
; chpass_provider = krb5
;
; ldap_uri = ldap://your.ad.example.com
; ldap_search_base = dc=example,dc=com
; ldap_schema = rfc2307bis
; ldap_sasl_mech = GSSAPI
; ldap_user_object_class = user
; ldap_group_object_class = group
; ldap_user_home_directory = unixHomeDirectory
; ldap_user_principal = userPrincipalName
; ldap_account_expire_policy = ad
; ldap_force_upper_case_realm = true
;
; krb5_server = your.ad.example.com
; krb5_realm = EXAMPLE.COM
 
#6  sgallagh (LQ Newbie)  03-09-2012, 06:27 AM
Quote:
Originally Posted by trekgirl View Post
ldap_uri = ldap://SERVERNAME ldap://IP ADDRESS
Here's your problem. You need to have these comma-separated, not space-separated. It's trying to contact a server called "SERVERNAME ldap://IP ADDRESS", rather than one called "SERVERNAME" and a second called "IP ADDRESS".
 
#7  trekgirl (Original Poster)  03-12-2012, 01:17 PM
That is what the gentleman from Red Hat told me as well, though when I did that it still wouldn't work. The fix I found was simple...after several days of troubleshooting with Red Hat, googling...you name it, I switched to SSL instead of StartTLS, and it magically started working. I don't know if there are issues between StartTLS and SSSD or if there was a misconfiguration (totally possible) but I am happy to use SSL. I appreciate your input.
Thanks!
 
#8  sgallagh (LQ Newbie)  03-13-2012, 06:24 AM
Quote: Originally Posted by trekgirl (post #7, quoted in full)
I'd like to see the logs you get when using the comma-separated list and TLS. If TLS didn't work, but LDAPS does, it suggests to me that your LDAP server might just not support STARTTLS. But in case it is an SSSD issue, I'd like to track it down.

p.s. I'm the SSSD development lead.
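An added example, not code from this thread or from the SSSD project: a small POSIX shell lint for the [domain/NAME] section of an sssd.conf that checks the points raised in post #6 (several servers in ldap_uri must be comma-separated; a space makes SSSD try to parse "SERVERNAME ldap://IP ADDRESS" as one URI, and the "Error (22)" in sssd_LDAP.log is EINVAL) and post #8 (StartTLS versus ldaps://), plus two settings in the posted config that deserve a second look: ldap_tls_reqcert = never, which means the server certificate is never verified so StartTLS gives no protection against an interposed server, and a bind password kept in a file that other users can read. The host names, the lookup account and the two sample files are constructed for the example; probe_starttls is a live check against a real server and is not run by the demo at the bottom.

```shell
#!/bin/sh
# Added example, not from the thread or SSSD. Offline lint of an sssd.conf
# [domain/NAME] section; the sample configs below are made up.

# conf_get FILE SECTION KEY: print KEY's value from [SECTION], or nothing.
conf_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s); insect = (s == sect); next }
        insect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# check_sssd_conf FILE DOMAIN: print one finding per line (nothing when clean).
check_sssd_conf() {
    f=$1; s="domain/$2"
    uri=$(conf_get "$f" "$s" ldap_uri)
    starttls=$(conf_get "$f" "$s" ldap_id_use_start_tls)
    reqcert=$(conf_get "$f" "$s" ldap_tls_reqcert)
    authtok=$(conf_get "$f" "$s" ldap_default_authtok)

    # 1. Multiple servers are comma-separated. A bare space leaves one unparsable
    #    URI, which is what "Failed to parse ldap URI ... Error (22)" reports.
    case "$(printf '%s' "$uri" | sed 's/,[[:space:]]*/,/g')" in
        *" "*) echo "ldap_uri: space-separated list; separate servers with commas" ;;
    esac
    # 2. ldap:// without StartTLS: the lookup bind (ldap_default_bind_dn) and its
    #    password cross the wire in the clear.
    case "$uri" in
        *ldap://*) [ "$starttls" = true ] ||
            echo "ldap_uri: ldap:// without ldap_id_use_start_tls = true; binds are cleartext" ;;
    esac
    # 3. never/allow skip verification of the server certificate, so the TLS
    #    session can be intercepted; demand (or hard) is the safe value.
    case "$reqcert" in
        never|allow) echo "ldap_tls_reqcert = $reqcert: server certificate not verified; use demand" ;;
    esac
    # 4. A bind password in the file must not be readable by group or others.
    if [ -n "$authtok" ] && [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "ldap_default_authtok is set but $f is readable by group/others; chmod 600"
    fi
}

# probe_starttls HOST: live check (not run by the demo). A server that does not
# list the StartTLS OID 1.3.6.1.4.1.1466.20037 under supportedExtension in its
# rootDSE does not offer StartTLS at all; -ZZ then makes ldapsearch fail hard.
probe_starttls() {
    ldapsearch -x -H "ldap://$1" -b '' -s base '(objectClass=*)' supportedExtension |
        grep -qF 1.3.6.1.4.1.1466.20037 || { echo "$1: StartTLS not advertised"; return 1; }
    ldapsearch -x -ZZ -H "ldap://$1" -b '' -s base '(objectClass=*)' namingContexts >/dev/null
}

# write_samples DIR: constructed configs, weak (as posted) and hardened.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap1.example.com ldap://192.0.2.10
ldap_search_base = dc=prod,dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_default_bind_dn = cn=admin,dc=prod,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = supersecret
EOF
    cat > "$1/hardened.conf" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
# comma-separated list; ldaps:// negotiates TLS before any bind is sent
ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com
ldap_search_base = dc=prod,dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/slapd-cert.pem
# read-only lookup account (assumed) instead of the directory admin
ldap_default_bind_dn = cn=sssd-lookup,ou=services,dc=prod,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = supersecret
EOF
    chmod 644 "$1/weak.conf"; chmod 600 "$1/hardened.conf"
}

d=$(mktemp -d); write_samples "$d"
for c in weak hardened; do
    echo "== $c.conf"; check_sssd_conf "$d/$c.conf" LDAP
done
rm -rf "$d"
```

Run it as-is to see three findings for the weak file and none for the hardened one; point check_sssd_conf at a real /etc/sssd/sssd.conf (as root, since the file should be 0600) to lint your own domain. If probe_starttls reports that StartTLS is not advertised, the server simply does not offer it and ldaps:// on port 636 is the right configuration, which matches the explanation given above for the LDAPS-only success.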
 
#9  trekgirl (Original Poster)  03-14-2012, 10:17 AM
I have the zipped file I had sent to Red Hat, and I would be willing to send that to you. However it may have sensitive information...so I am willing to email it to you, but not post it here. If that is ok with you, let me know which address to send it to.
Thanks!
 
#10  sgallagh (LQ Newbie)  03-15-2012, 09:51 AM
Quote: Originally Posted by trekgirl (post #9, quoted in full)
You can email me at sgallagh (at) redhat (dot) com. Let's see what we can find.
 
#11  trekgirl (Original Poster)  03-15-2012, 03:48 PM
I have sent you the SOS report that had the other config files and the zipped sssd as well that should have the conf file and the log files from the /var/log/sssd. Thanks much and let me know if you find anything...I am not ruling out user error, I haven't been a Linux admin for long.
 
  

