
OpenLDAP setup CentOS 7

Posted: 2020/02/03 19:54:43
by drevns
After several attempts at installing OpenLDAP, I can su - user when logged in as root, but I can't log in as an LDAP user.

[root@beta ~]# su - testuser
Last login: Fri Jan 31 11:46:12 EST 2020 on pts/0
[testuser@beta ~]$

[root@beta ~]# getent passwd testuser
testuser:*:1000:1000:testuser:/st01/home/testuser:/bin/bash
[root@beta ~]#

ldapsearch returns the user OK.
[root@beta ~]# ldapsearch -x cn=testuser -b dc=lab,dc=server,dc=local
# extended LDIF
#
# LDAPv3
# base <dc=lab,dc=server,dc=local> with scope subtree
# filter: cn=testuser
# requesting: ALL
#

# testuser, People, lab.server.local
dn: uid=testuser,ou=People,dc=lab,dc=server,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
sn: Linux
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /st01/home/testuser
uid: testuser

# testuser, Group, lab.server.local
dn: cn=testuser,ou=Group,dc=lab,dc=server,dc=local
objectClass: posixGroup
cn: testuser
gidNumber: 1000
memberUid: testuser

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
[root@beta ~]#

When I tried logging on as testuser, no success. What am I missing?
login as: testuser
testuser@beta.lab.server.local's password:
Access denied
testuser@beta.lab.server.local's password:

Re: OpenLDAP setup CentOS 7

Posted: 2020/02/03 21:36:44
by TrevorH
homeDirectory: /st01/home/testuser
You have a non-standard home directory location. Try running setenforce 0 to put SELinux in permissive mode and see if it then works. If it does, then your problem is SELinux related and you need to look at the audit log entries to see how to fix it. Run aureport -a and, for each entry listed in the right timeframe, run ausearch -a nnnn where nnnn is the number at the right-hand side of the aureport -a lines in question. I suspect you may need to use semanage to set up an equivalence rule to map /st01/home to /home so it behaves the same way.

Or it might be something completely different...

Re: OpenLDAP setup CentOS 7

Posted: 2020/02/05 22:38:33
by drevns
[root@beta ~]# su - testuser
Creating home directory for testuser.
[testuser@beta ~]$ pwd
/st01/home/testuser
[testuser@beta ~]$

Even though I use an NFS share for /st01/home? This "setenforce 0" was done from the initial steps.

[root@beta ~]# aureport -a

AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 02/05/2020 14:25:40 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 dbus send_msg system_u:system_r:modemmanager_t:s0 denied 151
[root@beta ~]# ausearch -a 151
----
time->Wed Feb 5 14:25:40 2020
type=USER_AVC msg=audit(1580930740.906:151): pid=2849 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg=' avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects dest=:1.5 spid=13596 tpid=2815 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:modemmanager_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Feb 5 14:30:42 2020
type=PROCTITLE msg=audit(1580931042.912:151): proctitle="(ostnamed)"
type=SYSCALL msg=audit(1580931042.912:151): arch=c000003e syscall=272 success=yes exit=0 a0=40000000 a1=7fff0ddcbfe0 a2=fffffffffffffff5 a3=22 items=0 ppid=1 pid=5552 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ostnamed)" exe="/usr/lib/systemd/systemd" key=(null)
type=NETFILTER_CFG msg=audit(1580931042.912:151): table=nat family=10 entries=0
type=NETFILTER_CFG msg=audit(1580931042.912:151): table=mangle family=10 entries=0
type=NETFILTER_CFG msg=audit(1580931042.912:151): table=security family=10 entries=0
type=NETFILTER_CFG msg=audit(1580931042.912:151): table=raw family=10 entries=0
type=NETFILTER_CFG msg=audit(1580931042.912:151): table=nat family=2 entries=0
type=NETFILTER_CFG msg=audit(1580931042.912:151): table=mangle family=2 entries=0
type=NETFILTER_CFG msg=audit(1580931042.912:151): table=security family=2 entries=0
type=NETFILTER_CFG msg=audit(1580931042.912:151): table=raw family=2 entries=0
type=NETFILTER_CFG msg=audit(1580931042.912:151): table=filter family=10 entries=0
type=NETFILTER_CFG msg=audit(1580931042.912:151): table=filter family=2 entries=0
[root@beta ~]#

I saw this in slapd.log "connection_read(25): TLS accept failure error=-1 id=1030, closing"

Re: OpenLDAP setup CentOS 7

Posted: 2020/02/06 00:42:24
by TrevorH
What's the output from getsebool use_nfs_home_dirs? If it's off, try setsebool -P use_nfs_home_dirs 1

Re: OpenLDAP setup CentOS 7

Posted: 2020/02/06 20:04:28
by drevns
[root@beta ~]# getsebool use_nfs_home_dirs
getsebool: SELinux is disabled
[root@beta ~]# setsebool -P use_nfs_home_dirs 1
setsebool: SELinux is disabled.
[root@beta ~]#

I noticed access being denied once I tried to log in as the testuser.

[root@beta oldap]# cat /var/log/slapd.log | grep denied
Feb 5 17:20:11 beta slapd[17233]: => slap_access_allowed: read access denied by auth(=xd)
Feb 5 17:20:11 beta slapd[17233]: => slap_access_allowed: read access denied by auth(=xd)
Feb 5 17:28:18 beta slapd[17233]: => slap_access_allowed: read access denied by auth(=xd)
Feb 5 17:28:18 beta slapd[17233]: => slap_access_allowed: read access denied by auth(=xd)
Feb 6 15:41:00 beta slapd[1880]: => slap_access_allowed: search access denied by none(=0)
Feb 6 16:20:34 beta slapd[1880]: => slap_access_allowed: read access denied by auth(=xd)
Feb 6 16:20:34 beta slapd[1880]: => slap_access_allowed: read access denied by auth(=xd)
Feb 6 16:20:38 beta slapd[1880]: => slap_access_allowed: read access denied by auth(=xd)
Feb 6 16:20:38 beta slapd[1880]: => slap_access_allowed: read access denied by auth(=xd)
Feb 6 16:37:06 beta slapd[1880]: => slap_access_allowed: read access denied by auth(=xd)
Feb 6 16:37:06 beta slapd[1880]: => slap_access_allowed: read access denied by auth(=xd)

My olcAccess:
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=lab,dc=server,dc=local" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=lab,dc=server,dc=local" write by * read
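As an added illustration, not part of the thread, the following Python model evaluates the three olcAccess rules quoted above the way slapd does (first matching "to" clause, then its first matching "by" clause) and tallies the slap_access_allowed denial lines from slapd.log. It shows why an anonymous read of userPassword is logged as "read access denied by auth(=xd)": the ACL grants that identity only the auth level. The DNs are those from the post; the sample log lines are constructed.

```python
import re

# OpenLDAP access levels, weakest to strongest; each level implies the earlier ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
MANAGER = "dn:cn=Manager,dc=lab,dc=server,dc=local"

# Model of the olcAccess rules quoted above: (attribute set, or None for "to *",
# then ordered (who, level) clauses); the dn.base="" rule only covers the root DSE.
OLC_ACCESS = [
    ({"userPassword", "shadowLastChange"},
     [(MANAGER, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    (None, [(MANAGER, "write"), ("*", "read")]),
]

def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous bind; target_dn is the entry being accessed."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return bind_dn is not None and who.startswith("dn:") and bind_dn.lower() == who[3:].lower()

def granted_level(bind_dn, target_dn, attr):
    """slapd semantics: the first matching 'to' clause wins, then its first matching 'by'."""
    for attrs, clauses in OLC_ACCESS:
        if attrs is None or attr in attrs:
            return next((lvl for who, lvl in clauses
                         if who_matches(who, bind_dn, target_dn)), "none")
    return "none"

def is_allowed(bind_dn, target_dn, attr, requested):
    return LEVELS.index(granted_level(bind_dn, target_dn, attr)) >= LEVELS.index(requested)

# Denial lines as in the post: group 1 = access requested, group 2 = level granted (x=auth, d=disclose).
DENIAL_RE = re.compile(r"slap_access_allowed: (\w+) access denied by (\w+)\(=(\w*)\)")

def summarize_denials(log_text):
    """Count slapd ACL denials by (requested, granted) so the ACL gap is visible."""
    counts = {}
    for m in DENIAL_RE.finditer(log_text):
        counts[(m[1], m[2])] = counts.get((m[1], m[2]), 0) + 1
    return counts

# Constructed sample lines mirroring the slapd.log excerpt in the post.
SAMPLE_LOG = """Feb 5 17:20:11 beta slapd[17233]: => slap_access_allowed: read access denied by auth(=xd)
Feb 5 17:20:11 beta slapd[17233]: => slap_access_allowed: read access denied by auth(=xd)
Feb 6 15:41:00 beta slapd[1880]: => slap_access_allowed: search access denied by none(=0)
"""
```

Run granted_level(None, "uid=testuser,ou=People,dc=lab,dc=server,dc=local", "userPassword") to see the "auth" result behind the logged denials; an authenticated user other than the entry's owner gets "none" on the same attribute, which matches the "search access denied by none(=0)" line.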

Re: OpenLDAP setup CentOS 7

Posted: 2020/03/23 17:48:01
by drevns
I got it working. Disabling sssd solved the issue.