No, my password doesn't have 13 characters. I did notice that no matter what I typed, the authtok size was always 13.
>Your PAM configuration is a bit unusual,
>because you have pam_sss first and then
>pam_unix. Can you try to switch the order?
I changed my pam configuration. Also, I removed the 'access_provider' and 'ldap_access_filter' options just in case. I also tried changing from 'ldaps' to 'ldap + start_tls'. None of these seemed to fix the problem. I have a ton of log output from sssd and my ldap server, would it help if I posted some of the output?
On the ldap server side, I don't see any errors that are out of the ordinary. I believe when it is reading password policy objects I see some errors on the server side saying:
......INC
0030: 4f 52 52 45 43 54 a0 1d 30 1b 04 19 31 2e 33 2e ORRECT..0...1.3.
0040: 36 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 37 2e 6.1.4.1.42.2.27.
0050: 38 2e 35 2e 31 8.5.1
But I have removed password policy before and seen no improvements.
>return code 49 (0x31 LDAP_INVALID_CREDENTIALS)
>is returned only if there is a problem with the certificate.
I agree that it could be a certificate problem, but the server side doesn't seem to display any errors about certificates and sssd doesn't complain (other than the error 49). I am able to use the same certificates with ldapsearch. I changed both the client and server side to demand certificates (ldap.conf and slapd.conf) and ldapsearch still works. I am fairly confident in the certificates that I made today. I followed this tutorial (http://spectlog.com/content/Create_Certificate_Authority_(CA)_instead_of_using_self-signed_Certificates) and made a CA and then signed two certificates with that CA.
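Decoding the hex dump quoted in the post above, as an added example that is not code from this thread, from OpenLDAP or from SSSD: the bytes from offset 0x36 onward (a0 1d 30 1b 04 19 ...) are a BER [0] Controls element holding one Control whose controlType is the OID 1.3.6.1.4.1.42.2.27.8.5.1, the LDAP password policy control, with no criticality and no value. The script below parses the three offset-prefixed dump lines, walks the BER, and also decodes a complete bind response that is constructed here (messageID 2, resultCode 49 invalidCredentials, empty matchedDN and diagnosticMessage, the post's control bytes appended) to show what the full LDAPMessage around such a control looks like. The dump-line regex, the result-code table and the sample message are assumptions of this example, not anything captured from the poster's servers.

```python
# Walk the BER of an LDAP bind response and its controls. Added example for reading
# slapd/sssd debug hex dumps like the one in the post; not code from the thread,
# OpenLDAP or SSSD.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

APP_BIND_RESPONSE = 0x61   # [APPLICATION 1] constructed (RFC 4511)
CTX_CONTROLS = 0xA0        # [0] Controls, constructed
RESULT_NAMES = {0: "success", 49: "invalidCredentials", 53: "unwillingToPerform"}


@dataclass
class Tlv:
    tag: int
    value: bytes
    children: List["Tlv"] = field(default_factory=list)


def _read_len(buf: bytes, i: int) -> Tuple[int, int]:
    """BER length starting at buf[i]; returns (length, offset of first value byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F                          # long form: n length bytes follow
    if n == 0 or i + 1 + n > len(buf):
        raise ValueError("indefinite or truncated length at offset %d" % i)
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def parse_ber(buf: bytes) -> List[Tlv]:
    """Parse consecutive TLVs (LDAP uses single-byte tags), recursing into constructed ones."""
    items, i = [], 0
    while i < len(buf):
        tag = buf[i]
        length, j = _read_len(buf, i + 1)
        if j + length > len(buf):
            raise ValueError("truncated value at offset %d" % i)
        node = Tlv(tag, buf[j:j + length])
        if tag & 0x20:                         # constructed bit set
            node.children = parse_ber(node.value)
        items.append(node)
        i = j + length
    return items


def decode_controls(node: Tlv) -> List[Tuple[str, bool, Optional[bytes]]]:
    """Control ::= SEQUENCE { controlType OID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }; returns (oid, critical, value) per control."""
    out = []
    for ctl in node.children:
        crit, val = False, None
        for extra in ctl.children[1:]:
            if extra.tag == 0x01:              # BOOLEAN
                crit = extra.value != b"\x00"
            elif extra.tag == 0x04:            # OCTET STRING
                val = extra.value
        out.append((ctl.children[0].value.decode("ascii"), crit, val))
    return out


def decode_bind_response(buf: bytes) -> dict:
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage, ... },
    controls [0] OPTIONAL } -> plain dict."""
    msg = parse_ber(buf)[0]
    op = msg.children[1]
    if msg.tag != 0x30 or op.tag != APP_BIND_RESPONSE:
        raise ValueError("not an LDAPMessage carrying a BindResponse")
    code = int.from_bytes(op.children[0].value, "big")
    controls = [c for extra in msg.children[2:] if extra.tag == CTX_CONTROLS
                for c in decode_controls(extra)]
    return {"messageID": int.from_bytes(msg.children[0].value, "big"),
            "resultCode": code, "resultName": RESULT_NAMES.get(code, "unknown"),
            "matchedDN": op.children[1].value.decode("utf-8"),
            "diagnosticMessage": op.children[2].value.decode("utf-8"),
            "controls": controls}


# "OFFSET: xx xx ... ASCII" lines as in the post. Only the hex column is read, capped at
# 16 bytes per line; a short line whose ASCII column starts with two hex digits would be
# misread, so sanity-check that consecutive offsets add up.
_DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]{4}:\s*((?:[0-9a-fA-F]{2}(?:\s+|$)){1,16})")


def bytes_from_dump(text: str) -> bytes:
    return b"".join(bytes.fromhex(m.group(1))
                    for m in map(_DUMP_LINE.match, text.splitlines()) if m)


# The three offset-prefixed lines from the post. The [0] Controls element starts at
# offset 0x36, six bytes into the 0x30 line, right after the "ORRECT" text.
POST_DUMP = """\
0030: 4f 52 52 45 43 54 a0 1d 30 1b 04 19 31 2e 33 2e ORRECT..0...1.3.
0040: 36 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 37 2e 6.1.4.1.42.2.27.
0050: 38 2e 35 2e 31 8.5.1
"""
POST_CONTROLS = bytes_from_dump(POST_DUMP)[6:]


def _tlv(tag: int, payload: bytes) -> bytes:
    """Short-form BER TLV (payload under 128 bytes); only used to build the sample below."""
    return bytes([tag, len(payload)]) + payload


# Constructed sample, NOT captured from the poster's server: messageID 2, resultCode 49
# invalidCredentials with empty matchedDN/diagnosticMessage, then the post's control bytes.
SAMPLE_BIND_RESPONSE = _tlv(0x30, _tlv(0x02, b"\x02")
    + _tlv(APP_BIND_RESPONSE, _tlv(0x0A, b"\x31") + _tlv(0x04, b"") + _tlv(0x04, b""))
    + POST_CONTROLS)
```

Running decode_bind_response(SAMPLE_BIND_RESPONSE) yields resultCode 49 (invalidCredentials) with the single password policy control attached. The point for a dump like the one in the post is that the control carries no value: the bytes following the OID are all consumed by the OID's own length (0x19 = 25), so whatever the server is reporting about password policy is not in this control, and the result code itself has to be read from the LDAPResult earlier in the same message.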