Unfortunately, that didn't solve the issue. sssd.conf is now configured with an
authenticated bind, authentication phase still passes for the user, but access phase is
still failing with the same filter error. Using the exact filter shown in the logs works
fine from ldapsearch, however.
$ ldapsearch -x -LLL -b "dc=ipa,dc=domain,dc=com" \
    -H ldap://ussv4p6004.ipa.domain.com \
    "(&(uid=markj)(objectclass=posixAccount)(memberOf=cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com))" \
    -D "uid=admin,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com" -W
Enter LDAP Password:
dn: uid=markj,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
memberOf: cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
memberOf: cn=users,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
<etc>
Back to the drawing board.