
Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah@symas.com> wrote:

> 
> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller 
> <heller@deepsoft.com> wrote:
> 
> 
> > Slapd is reporting TLS Negotiation failure when SSSD tries to connect to
> > it.   For both port 389 (ldap:///) and 636 (ldaps:///).  So I guess
> > something is  wrong with slapd's TLS configuration -- it is failing to do
> > TLS Negotiation,  either it is just not doing it or it is doing it wrong
> > (somehow).  Unless SSSD  is not configured properly.
> 
> You need to start with the following:
> 
> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
> 
> to test startTLS
> 
> and
> 
> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
> 
> to test without startTLS
> 
> If you can get those to work, then you can move on to SSSD.

[heller@c764guest ~]$ ldapwhoami -x -ZZ -H ldap://c764guest:389 -D cn=Manager,dc=deepsoft,dc=com -W
ldap_start_tls: Connect error (-11)
       additional info: TLS error -8157:Certificate extension not found.
[heller@c764guest ~]$ ldapwhoami -x -H ldaps://c764guest:636 -D cn=Manager,dc=deepsoft,dc=com -W
Enter LDAP Password: 
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
     
The certificate is from my own CA and I *think* I have things set up properly, 
but it is an openssl cert and I know that slapd (and sssd) are built with 
MozNSS.

ldap.conf contains:

TLS_CACERT /etc/openldap/certs/ca-cert.pem
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand

and /etc/openldap/slapd.d/ contains:

olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCACertificateFile: /etc/openldap/certs/ca-cert.pem
olcTLSCertificateFile: /etc/pki/tls/certs/c764guest.cert
olcTLSCertificateKeyFile: /etc/pki/tls/certs/c764guestkey.pem
> 
> --Quanah
> 
> --
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
> 
>                                                                             
> 

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller@deepsoft.com       -- Webhosting Services
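
Added example, not code from the thread or from the OpenLDAP project: a small POSIX shell script that checks the three files the poster's ldap.conf and slapd.d configuration point at (CA certificate, server certificate, server key) with nothing but the openssl command line, before touching slapd or sssd again. NSS error -8157 is SEC_ERROR_EXTENSION_NOT_FOUND, so the first check is whether the home-grown CA certificate actually carries the X509v3 basicConstraints extension (an OpenSSL-made v1 CA certificate has no extensions at all); the rest confirm the server certificate chains to that CA, names the host in a subjectAltName, and matches its private key. The probe_ldaps function is an extra for the port-636 "Can't contact LDAP server" symptom and needs a reachable host, so it is not run by default. The file paths and the host name c764guest in the usage note are the ones quoted in the post; everything else (function names, the generated test certificates) is constructed here.

```shell
#!/bin/sh
# check-ldap-tls.sh (added example): sanity-check the CA cert, server cert
# and server key that slapd's olcTLS* settings refer to, using the openssl
# command line only. Usage: sh check-ldap-tls.sh CA_CERT SERVER_CERT SERVER_KEY

# cert_has_extension CERT NAME -> exit 0 when the X509v3 extension NAME
# (as "openssl x509 -text" prints it, e.g. "Basic Constraints") is present
cert_has_extension() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "X509v3 $2"
}

# cert_version CERT -> prints the X.509 version (1 = no extensions at all,
# 3 = a normal certificate that can carry basicConstraints and a SAN)
cert_version() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# chain_verifies CA SERVER -> exit 0 when SERVER validates against CA alone
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches CERT KEY -> exit 0 when KEY is the private half of CERT's key
key_matches() {
    pub_from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    pub_from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$pub_from_cert" ] && [ "$pub_from_cert" = "$pub_from_key" ]
}

# probe_ldaps HOST CA -> exit 0 when a TLS handshake on port 636 completes
# and the presented chain verifies against CA. Read the full s_client
# output by hand to tell "connection refused" (slapd is not listening on
# ldaps://) from a handshake that was rejected. Needs a live host; not
# exercised by the self-test below.
probe_ldaps() {
    echo | openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" 2>&1 |
        grep -q 'Verify return code: 0 (ok)'
}

# report LABEL CMD ARGS... -> runs CMD, prints ok/FAILED, counts failures
report() {
    label=$1; shift
    if "$@"; then
        echo "ok      $label"
    else
        echo "FAILED  $label"
        fails=$((fails + 1))
    fi
}

# check_tls_files CA SERVER_CERT SERVER_KEY -> prints one line per check
# and returns the number of failed checks (0 = the files line up)
check_tls_files() {
    fails=0
    for f in "$1" "$2" "$3"; do
        report "readable: $f" test -r "$f"
    done
    # NSS -8157 is SEC_ERROR_EXTENSION_NOT_FOUND: a CA certificate without
    # basicConstraints (an X.509 v1 cert) is the first thing to rule out
    report "CA cert is X.509 v3" test "$(cert_version "$1")" = 3
    report "CA cert has X509v3 Basic Constraints" \
        cert_has_extension "$1" "Basic Constraints"
    report "server cert has Subject Alternative Name" \
        cert_has_extension "$2" "Subject Alternative Name"
    report "server cert chains to the CA" chain_verifies "$1" "$2"
    report "server key matches server cert" key_matches "$2" "$3"
    return "$fails"
}

# Only run the checks when three paths are given on the command line, so the
# functions can also be sourced from another script.
if [ $# -eq 3 ]; then
    check_tls_files "$1" "$2" "$3"
fi
```

With the paths from the post that is `sh check-ldap-tls.sh /etc/openldap/certs/ca-cert.pem /etc/pki/tls/certs/c764guest.cert /etc/pki/tls/certs/c764guestkey.pem`, run as the user slapd runs as so the readability checks mean something. A FAILED line on the Basic Constraints or version check means the CA certificate has to be reissued as a v3 certificate with `basicConstraints = CA:TRUE` before any NSS-built client (slapd, sssd, ldapwhoami on this box) will accept it; the other checks are the same ones ldapwhoami -ZZ performs implicitly.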