
Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation



Robert Heller <heller@deepsoft.com> writes:

> OK, I have narrowed things down to slapd and sssd not playing nice with each 
> other.  slapd is able to listen on ldaps (port 636) and accept SSL connections 
> (eg from openssl s_client and other applications using straight SSL).  slapd 
> will also listen on ldap (port 389), but refuses to negotiate a TLS connection 
> on port 389.  It also refuses to negotiate TLS connection on port 636.  sssd 
> seems to *insist* on negotiating a TLS connection on port 636 or port 389 and 
> won't just connect using ssl to port 636.  (At least that is what I *think* is 
> going on.)
>
> So, I either need to get slapd to do TLS negotiation on port 389 OR port 636, 
> or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
>
> How the hell do I get that to happen?
[...]

These are two different ports and methods to connect. On port 389 a
client initiates a secured session by calling the startTLS extended
operation, while on port 636 the server requests a secured session.
Check your init script, or systemctl service script, whether ldap:/// or
ldaps:// is initiated, or both.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
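The two connection modes Dieter describes, as an added example configuration that is not part of this thread: an sssd.conf domain stanza for LDAPS on 636 (where slapd is started with ldaps:///) and, commented out, the alternative of StartTLS over 389 (where slapd is started with ldap:///). The host name, search base and CA path are placeholders.

```ini
# /etc/sssd/sssd.conf (added example; names below are placeholders)
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_search_base = dc=example,dc=com

# Option A: LDAPS, TLS from the first byte on port 636.
# Requires slapd to listen on ldaps:///. Do not also ask for StartTLS here,
# the channel is already encrypted and slapd will not negotiate it again.
ldap_uri = ldaps://ldap.example.com
ldap_id_use_start_tls = false

# Option B: plain port 389 upgraded with the StartTLS extended operation.
# Requires slapd to listen on ldap:///. Uncomment these two lines and
# remove Option A to use it.
#ldap_uri = ldap://ldap.example.com
#ldap_id_use_start_tls = true

# Either way, the server certificate must chain to this CA and match
# the host name, otherwise sssd must refuse the connection.
ldap_tls_cacert = /etc/openldap/certs/ca.crt
ldap_tls_reqcert = demand
```

Mixing the two, for example `ldaps://` in `ldap_uri` together with `ldap_id_use_start_tls = true`, reproduces the symptom in the thread: an already-encrypted port 636 session on which the client then demands a StartTLS negotiation.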