I can su as an [open]ldap user on an sssd, but I can't ssh or login directly as the same user, what am I missing?

On sssd client

authselect select sssd --force
systemctl enable --now sssd

[root@ldap-sssd ~]# id adam
uid=16859(adam) gid=100(users) groups=100(users)
[root@ldap-sssd ~]# su adam
bash-4.4$ su adam
Password:
su: Authentication failure
bash-4.4$

If I run

sssctl user-checks adam

I see this

user: adam
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: adam
 - user id: 16859
 - group id: 100
 - gecos: adam
 - home directory: /home/adam
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: adam
 - uidNumber: 16859
 - gidNumber: 100
 - gecos: adam
 - homeDirectory: /home/adam
 - loginShell: /bin/bash

testing pam_acct_mgmt

pam_acct_mgmt: Permission denied

PAM Environment:
 - no env -

on ldapmaster I confirm the password is correct

ldapsearch -x -H ldap://ldapmaster \
      -D uid=adam,ou=Users,DC=srv,DC=world \
      -w 1234 \
      -b uid=adam,ou=Users,DC=srv,DC=world \
      -s base \
        "(objectclass=*)"       

[root@ldapmaster ~]# clear
      -s base     "(objectclass=*)"4       -b uid=adam,ou=Users,DC=srv,DC=world
# extended LDIF
#
# LDAPv3
# base <uid=adam,ou=Users,DC=srv,DC=world> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# adam, Users, srv.world
dn: uid=adam,ou=Users,dc=srv,dc=world
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: e1NTSEF9OVcvdStLUTM3Y1F2dE5hVGR2WktuSDZSMm0zRGlUckw=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

sssd client configs

nsswitch.conf

[root@ldap-sssd ~]# grep "^[^#;]" /etc/nsswitch.conf
passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
shadow:     files sss
hosts:      files dns myhostname
aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

ldap.conf

[root@ldap-sssd ~]# grep "^[^#;]" /etc/openldap/ldap.conf
BASE    dc=srv,dc=world
URI     ldap://ldapmaster
SASL_NOCANON    on
URI ldap://ldapmaster
BASE dc=srv,dc=world

sssd.conf

[root@ldap-sssd ~]# grep "^[^#;]" /etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default
[sudo]
[nss]
[pam]
offline_credentials_expiration = 60
[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=srv,dc=world
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldapmaster
ldap_default_bind_dn = cn=Manager,ou=Users,dc=srv,dc=world
ldap_default_authtok_type = password
ldap_default_authtok = 1234
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = ((objectClass=posixAccount))

ldapmaster setup script

#https://www.server-world.info/en/note?os=CentOS_7&p=openldap
yum -y install openldap-servers openldap-clients firewalld mlocate man --nobest
updatedb
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 
chown ldap. /var/lib/ldap/DB_CONFIG 
systemctl start slapd 
systemctl enable slapd
cat <<EOF > chrootpw.ldif 
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: 1234
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
cat <<EOF > chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=srv,dc=world" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=srv,dc=world

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=srv,dc=world

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: 1234

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
cat <<EOF > basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section

dn: dc=srv,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Srv

dn: cn=Manager,dc=srv,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=Users,dc=srv,dc=world
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: ou=Groups,dc=srv,dc=world
objectClass: organizationalUnit
objectClass: top
ou: Groups

EOF
ldapadd -x -w 1234 -D cn=Manager,dc=srv,dc=world -f basedomain.ldif
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-service=ldap --permanent 
firewall-cmd --reload

cat <<EOF > adam.ldif
dn: uid=adam,ou=Users,dc=srv,dc=world
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
userPassword: 1234
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
EOF
ldapadd -x -w 1234 -D "cn=Manager,dc=srv,dc=world" -f adam.ldif
ldappasswd -s 1234 -w 1234 -D "cn=Manager,dc=srv,dc=world" -x "uid=adam,ou=Users,dc=srv,dc=world"

Reference guides

https://www.server-world.info/en/note?os=CentOS_7&p=openldap

https://kifarunix.com/configure-sssd-for-openldap-authentication-on-centos-8/