See docs from ITS (written for RHEL/CentOS 6; the steps below use apt-get, i.e. Debian/Ubuntu):
https://wiki.ncsa.illinois.edu/display/ITS/LDAP+Auth+for+RHEL+CentOS+6+Using+SSSD
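# Install SSSD (Debian/Ubuntu).
apt-get update -y
apt-get install sssd

# Create the SSSD configuration with the contents shown below.
vi /etc/sssd/sssd.conf

# sssd refuses to start unless its config is owned by root and not readable by
# anyone else. Use the absolute path so this works from any directory.
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf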
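# /etc/sssd/sssd.conf: SSSD client configuration for LDAP identity and
# authentication against ldap.ncsa.illinois.edu.
# The file must be owned by root with mode 0600.

[sssd]
domains = ldap.ncsa.illinois.edu
services = nss, pam
config_file_version = 2
# Uncomment for verbose troubleshooting output in the SSSD logs.
#debug_level = 9

[nss]
# Exclude root from SSSD lookups so the local root account is always used.
filter_groups = root
filter_users = root
override_homedir = /home/%u
override_shell = /bin/bash
shell_fallback = /bin/bash
reconnection_retries = 3
entry_cache_nowait_percentage = 75

[pam]

[domain/ldap.ncsa.illinois.edu]
# Enumeration downloads every user and group from the directory. That is fine
# for a small directory but costly on a large one.
enumerate = true
id_provider = ldap
auth_provider = ldap
#min_id = 1000
# Keeps a local hash of each user's password so logins work while the LDAP
# server is unreachable. Cached logins are not bounded in time unless
# offline_credentials_expiration is set in [pam].
cache_credentials = true
entry_cache_timeout = 300
ldap_uri = ldaps://ldap.ncsa.illinois.edu
ldap_search_base = dc=ncsa,dc=illinois,dc=edu
# Require a valid server certificate. "allow" would continue even when the
# certificate fails validation, so the client could not tell the real
# directory from an impostor and passwords would be sent to whoever answers.
# If the server's CA is not in the system trust store, set
# ldap_tls_cacert = <path-to-CA-bundle> rather than relaxing this.
ldap_tls_reqcert = demand
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
# Optional overrides, left disabled.
#ldap_group_search_base = ou=groups,dc=ncsa,dc=illinois,dc=edu
#ldap_user_search_base = ou=people,dc=ncsa,dc=illinois,dc=edu
#ldap_user_name = uid
#ldap_user_object_class = inetorgperson
# Login is limited to members of simple_allow_groups. A match in
# simple_deny_groups overrides any allow match.
access_provider = simple
simple_deny_groups = all_disabled_usr
simple_allow_groups = grp_nds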
Add the following line to /etc/pam.d/sshd:
# Create the user's home directory on first login. umask=0022 yields mode 0755
# (readable by other local users); umask=0077 would keep new homes private.
session required pam_mkhomedir.so umask=0022
Enable password authentication in /etc/ssh/sshd_config
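# Allow password-based logins so LDAP users can authenticate through PAM/SSSD.
# Password logins are exposed to online password guessing, so keep the set of
# accounts allowed to log in as small as possible.
# sshd must be restarted or reloaded before these settings take effect.
# Newer OpenSSH releases name the first option KbdInteractiveAuthentication and
# keep ChallengeResponseAuthentication as a deprecated alias.
ChallengeResponseAuthentication yes
PasswordAuthentication yes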
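# Reload and restart SSSD so it picks up the new /etc/sssd/sssd.conf.
service sssd force-reload
service sssd restart

# Confirm the LDAP account resolves through SSSD; replace <you> with your username.
id <you>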
Now, try ssh'ing into the instance.
Optionally, add users to local groups:
https://help.ubuntu.com/community/LDAPClientAuthentication#Assign_local_groups_to_users