Just a note: it is now working!! (after several hours of smashing my head against the desk)
In the end I disabled BindDN and Password and set TLSEnable yes and RequireGroup false.
Below is a working config in case it helps anyone else...
Thanks to Rob Crittenden for your help previously.
--------------------------------
<LDAP>
        # LDAP server URL
        URL             ldap://ipa1.morgan.kvm

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        # BindDN        dc=morgan,dc=kvm

        # Bind Password
        # Password      "test_123"

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable       yes

        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes

        # TLS CA Certificate File
        TLSCACertFile   /etc/ipa/ca.crt

        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs

        # Client Certificate and key
        # If TLS client authentication is required
        #TLSCertFile    /usr/local/etc/ssl/client-cert.pem
        #TLSKeyFile     /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite        ALL:!ADH:@STRENGTH
        #TLSCipherSuite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
</LDAP>

<Authorization>
        # Base DN
        #BaseDN         "cn=users,cn=accounts,dc=morgan,dc=kvm"
        BaseDN          "dc=morgan,dc=kvm"

        # User Search Filter
        SearchFilter    "(uid=%u)"

        # Require Group Membership
        RequireGroup    false

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "cn=users,cn=accounts,dc=morgan,dc=kvm"
                SearchFilter    "(cn=ipausers)"
                MemberAttribute uniqueMember

                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>
-----------------------------------
freeipa-users@lists.fedorahosted.org
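An added check, not code from the post above or from the openvpn-auth-ldap plugin whose `<LDAP>`/`<Authorization>`/`<Group>` config layout the post uses: a small Python linter that parses that layout and reports the settings a reviewer would question before trusting the file on a VPN gateway (StartTLS and a trust anchor, anonymous search versus a service bind, RequireGroup, and whether the Group block actually matches how FreeIPA stores groups). The posted config is embedded as sample input with its values unchanged; the hardened variant is an assumption of this example, including its service-account DN `uid=svc-openvpn,...`, placeholder password and `vpn-users` group.

```python
"""Lint an openvpn-auth-ldap style config for security-relevant settings.
Added example; not code from the mailing-list post or from the plugin."""
import re

# Sample input: the posted config, same values, re-indented (constructed here).
POSTED_CONFIG = """
<LDAP>
  URL ldap://ipa1.morgan.kvm
  # BindDN dc=morgan,dc=kvm
  # Password "test_123"
  TLSEnable yes
  TLSCACertFile /etc/ipa/ca.crt
</LDAP>
<Authorization>
  BaseDN "dc=morgan,dc=kvm"
  SearchFilter "(uid=%u)"
  RequireGroup false
  <Group>
    BaseDN "cn=users,cn=accounts,dc=morgan,dc=kvm"
    SearchFilter "(cn=ipausers)"
    MemberAttribute uniqueMember
  </Group>
</Authorization>
"""

# Assumed hardened variant: service-account DN, placeholder password and the
# vpn-users group are this example's choices, not values from the post.
HARDENED_CONFIG = """
<LDAP>
  URL ldap://ipa1.morgan.kvm
  BindDN "uid=svc-openvpn,cn=users,cn=accounts,dc=morgan,dc=kvm"
  Password "changeme"
  TLSEnable yes
  TLSCACertFile /etc/ipa/ca.crt
</LDAP>
<Authorization>
  BaseDN "cn=users,cn=accounts,dc=morgan,dc=kvm"
  SearchFilter "(uid=%u)"
  RequireGroup true
  <Group>
    BaseDN "cn=groups,cn=accounts,dc=morgan,dc=kvm"
    SearchFilter "(cn=vpn-users)"
    MemberAttribute member
  </Group>
</Authorization>
"""


def parse(text):
    """Parse <Section>...</Section> blocks of 'Key value' lines into nested dicts."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank line or comment
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:
            if tag.group(1):                          # closing tag: back to parent
                cur = stack.pop()
            else:                                     # opening tag: descend
                stack.append(cur)
                cur = cur.setdefault(tag.group(2), {})
            continue
        parts = line.split(None, 1)                   # key, then the rest as value
        cur[parts[0]] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return root


def lint(cfg):
    """Return (severity, message) findings; 'warn' means fix before deploying."""
    ldap, auth = cfg.get("LDAP", {}), cfg.get("Authorization", {})
    group, out = auth.get("Group", {}), []
    tls = ldap.get("TLSEnable", "no").lower() == "yes"
    require_group = auth.get("RequireGroup", "false").lower() == "true"
    # The plugin binds as the found user DN with the password OpenVPN received,
    # so ldap:// without StartTLS puts every user's password on the wire.
    if ldap.get("URL", "").startswith("ldap://") and not tls:
        out.append(("warn", "LDAP/URL: ldap:// without 'TLSEnable yes' sends user passwords in the clear"))
    if tls and not (ldap.get("TLSCACertFile") or ldap.get("TLSCACertDir")):
        out.append(("warn", "LDAP/TLS: no TLSCACertFile or TLSCACertDir, server certificate cannot be verified"))
    if ("BindDN" in ldap) != ("Password" in ldap):
        out.append(("warn", "LDAP/Bind: BindDN and Password must be set together"))
    if "Password" in ldap:
        out.append(("info", "LDAP/Password: cleartext credential in the file; owner root, mode 0600"))
    if "BindDN" not in ldap:
        out.append(("info", "LDAP/BindDN: anonymous search; only works while the directory allows anonymous reads"))
    if "%u" not in auth.get("SearchFilter", ""):
        out.append(("warn", "Authorization/SearchFilter: no %u, filter does not select the authenticating user"))
    if not require_group:
        out.append(("warn", "Authorization/RequireGroup: false, any account matching SearchFilter may connect"))
    elif not group:
        out.append(("warn", "Authorization/RequireGroup: true but no <Group> block, nobody is authorized"))
    # FreeIPA keeps groups under cn=groups,cn=accounts with membership in 'member';
    # a Group block that looks elsewhere denies everyone once RequireGroup is true.
    base = group.get("BaseDN", "")
    if "cn=accounts" in base and ("cn=groups" not in base or group.get("MemberAttribute") != "member"):
        out.append(("warn" if require_group else "info",
                    "Group: FreeIPA groups live under cn=groups,cn=accounts and use MemberAttribute member"))
    return out


def warnings(text):
    """Only the 'warn' messages for a config text."""
    return [msg for sev, msg in lint(parse(text)) if sev == "warn"]


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for sev, msg in lint(parse(text)):
            print(f"  [{sev}] {msg}")
```

On the posted config the only warning is `RequireGroup false`; the Group block is reported as informational because it is not consulted, but it would deny every login the moment RequireGroup were flipped to true, since FreeIPA groups are not under `cn=users` and do not use `uniqueMember`. The hardened variant keeps StartTLS and the IPA CA file, replaces the anonymous search with a dedicated service bind (which then must be protected on disk), and restricts access to one group instead of every IPA user.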