Implemented Option 4 - Configure Authentication Method (SSH to Gateway with LDAP Users Support) 

Error Access Denied during SSH 

OpenLDAP using InterOrgPerson standard schema 

Gateway 11.x

The SSSD works with Active Directory out of the box, if you are using different LDAP (i.e. OpenLDAP) need additional configuration of the /etc/ssd.conf to find/authenticate/authorization for different custom attributes

ALSO need to verify user object has the groups listed for attribute memberOf 

How to config:

Step1: Need to find the user for authenticate/authorize. There are two approaches: group access or attribute based access.  This KB is specific for group access

/etc/sssd.conf parameter ldap_user_search_base is used to find the user and membership of group

How to find the user and include the memberOf for the group to allow access.  Need to modify /etc/sssd.conf change the search to include memberOf

example:

ldap_user_search_base = <user_search_base>?subtree?(memberOf=APIM_AccessGRP)

Sample user object with memberOf populated:

objectClass: top, person, organizationalPerson, inetOrgPerson

UID: <user16>

EmployeeNumber: 6116

memberOf:  cn=<APIM_GroupGRP>,<groups_baseDN>

GROUP object: APIM_AccessGRP

objectClass: top, groupOfUniqueNames

CommonName: <APIM_GroupGRP>

Members: uid=user16,<user_baseDN>

dn: cn=<APIM_GroupGRP>,<groups_baseDN>

Step2: sssd.conf the parameter ldap_user_uid_number MUST be attribute that equals a unique numeric value got the user needing access, similar requirement as User ID (UID) and Group ID (GID) it is used to create home folder and map account

example use attribute EmployeeNumber

ldap_user_uid_number = EmployeeNumber

OR recommend unused attribute provided by LDAP Admin then set to a value i.e. 1010