Hi all,

I've been struggling to set up a centralized authentication system for quite some time. It is composed of:
 - openldap 2.4.43, with TLS self-signed certs (root chain is ok): ldaps://serv;
 - pam 1.2.1; pambase 20150213;
 - sssd 1.13.1;
 - openssh 7.1.

Currently I'm trying to authenticate a LDAP user in the server that hosts openldap.
ldapsearch -x shows me stuff correctly, with TLS working. If I try to connect through the command line, the logs show sssd getting stuff from openldap with success. But login fails:
<log>
login[xxxx]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user_a
login[xxxx]: FAILED LOGIN (1) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure
</log>

Also, id user_a fails and getent passwd user_a fails. Have no idea what may be wrong (if sssd, ldap DB, whatever).

sssd.conf
[sssd]
config_file_version = 2
services = pam
domains = LDAP
debug_level = 4

[nss]

[pam]
  debug_level = 5

[domain/LDAP]
  debug_level = 4
  id_provider = ldap
  auth_provider = ldap
  access_provider = ldap
  cache_credentials = false

  ldap_uri = ldaps://server
  ldap_schema = rfc2307
  ldap_search_base = dc=casa,dc=lan

  ldap_id_use_start_tls = true
  ldap_tls_cacert = /etc/openldap/ssl/cacert.pem
  ldap_tls_cacertdir = /etc/openldap/ssl
  ldap_tls_reqcert = demand
  tls_reqcert = demand

  ldap_user_search_base = ou=People,dc=casa,dc=lan
  ldap_user_home_directory = homeDirectory
  ldap_user_shell = loginShell
  ldap_group_search_base = ou=Group,dc=casa,dc=lan
  ldap_access_filter = memberOf=ou=People,dc=casa,dc=lan

  # Leave this as password
  ldap_default_authtok_type = password


system-auth
auth            required        pam_env.so
auth            sufficient      pam_unix.so nullok try_first_pass
#auth           requisite       pam_succeed_if.so uid >= 500 quiet
auth            sufficient      pam_sss.so use_first_pass
auth            required        pam_deny.so

account         required        pam_unix.so
account         sufficient      pam_localuser.so
#account                sufficient      pam_succeed_if.so uid < 500 quiet
#account                [default=bad success=ok user_unknown=ignore] pam_sss.so
#account                [default=bad success=ok] pam_sss.so
account         sufficient       pam_sss.so
account         required        pam_permit.so


nsswitch.conf
passwd:      compat sss
shadow:      compat sss
group:       compat sss

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files


Thanks in advance!
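The symptom pattern in this post (pam_sss reports "authentication success" while login fails for 'UNKNOWN', and id/getent find nothing) is what you see when nsswitch.conf hands passwd/shadow/group to the sss source but the [sssd] services line starts only the pam responder, so there is no nss responder for the lookups to reach. The script below is an added example, not the poster's configuration and not part of SSSD: it parses an sssd.conf and an nsswitch.conf and reports every database that is routed to sss without an nss responder being configured. The two config texts are constructed samples modelled on the ones posted above; the function names are the example's own.

```python
import configparser
import re

# Constructed sample sssd.conf, modelled on the post: note "services = pam" only.
SSSD_CONF = """
[sssd]
config_file_version = 2
services = pam
domains = LDAP
debug_level = 4

[nss]

[pam]
debug_level = 5

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server
ldap_search_base = dc=casa,dc=lan
"""

# Constructed sample nsswitch.conf, modelled on the post: user databases use sss.
NSSWITCH_CONF = """
passwd:      compat sss
shadow:      compat sss
group:       compat sss

hosts:       files dns
"""


def parse_sssd_services(text):
    """Return the set of responders listed in [sssd] services (comma or space separated)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    raw = cp.get("sssd", "services", fallback="")
    return {s for s in re.split(r"[,\s]+", raw.strip()) if s}


def parse_nsswitch(text):
    """Map each nsswitch database name to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        dbs[name.strip()] = sources.split()
    return dbs


def find_sss_without_responder(sssd_text, nsswitch_text):
    """Databases that nsswitch routes to sss while sssd starts no nss responder.

    Returns an empty list when the configuration is consistent.
    """
    services = parse_sssd_services(sssd_text)
    if "nss" in services:
        return []
    dbs = parse_nsswitch(nsswitch_text)
    return sorted(db for db, srcs in dbs.items() if "sss" in srcs)


def suggested_services_line(sssd_text):
    """The [sssd] services value with the nss responder added (order is not significant)."""
    services = parse_sssd_services(sssd_text) | {"nss"}
    return "services = " + ", ".join(sorted(services))


if __name__ == "__main__":
    broken = find_sss_without_responder(SSSD_CONF, NSSWITCH_CONF)
    if broken:
        print("nsswitch routes %s to sss, but [sssd] services has no nss responder"
              % ", ".join(broken))
        print("suggested fix in [sssd]: " + suggested_services_line(SSSD_CONF))
    else:
        print("sssd services and nsswitch.conf are consistent")
```

Run against a real host by reading /etc/sssd/sssd.conf and /etc/nsswitch.conf instead of the embedded samples (sssd.conf is root-only, so run it with the appropriate privileges). A reported mismatch explains a successful pam_sss auth followed by an 'UNKNOWN' user: the PAM stack can verify the password over LDAP, but nothing can resolve the account into a passwd entry. The access_provider and TLS settings in the domain section are separate concerns that this check does not cover.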