And... fwiw... /etc/sssd/sssd.conf: [sssd] services = nss,pam,ssh,autofs config_file_version = 2 domains = example.co.uk [pam] [domain/example.co.uk] debug_level = 3 cache_credentials = False id_provider = ldap auth_provider = ldap chpass_provider = ldap sudo_provider = none ldap_schema = rfc2307bis ldap_search_base = dc=example,dc=co,dc=uk ldap_uri = ldaps://pickle.example.co.uk/ ldap_access_filter = (|(memberOf=cn=DS_Admins,ou=groups,dc=example,dc=co,dc=uk)(memberOf=cn=DS_Users,ou=groups,dc=example,dc=co,dc=uk)) enumerate = false access_provider = ldap ldap_user_member_of = memberof ldap_user_gecos = uid ldap_user_uuid = nsUniqueId ldap_group_uuid = nsUniqueId ldap_account_expire_policy = rhds ldap_access_order = filter, expire ldap_user_ssh_public_key = nsSshPublicKey ignore_group_members = False [nss] homedir_substring = /home [ssh] debug_level = 3 [autofs]