
Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation



--On Thursday, September 28, 2017 7:28 PM -0400 Robert Heller <heller@deepsoft.com> wrote:

> At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah@symas.com>
> wrote:
>
>> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
>> <heller@deepsoft.com> wrote:
>>
>>> Slapd is reporting TLS Negotiation failure when SSSD tries to connect
>>> to it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
>>> something is wrong with slapd's TLS configuration -- it is failing to
>>> do TLS Negotiation, either it is just not doing it or it is doing it
>>> wrong (somehow). Unless SSSD is not configured properly.
>>
>> You need to start with the following:
>>
>> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
>>
>> to test startTLS
>>
>> and
>>
>> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
>>
>> to test without startTLS
>>
>> If you can get those to work, then you can move on to SSSD.
>
> [heller@c764guest ~]$ ldapwhoami -x -ZZ -H ldap://c764guest:389 -D
> cn=Manager,dc=deepsoft,dc=com -W
> ldap_start_tls: Connect error (-11)
>        additional info: TLS error -8157:Certificate extension not found.

This may be of help: <https://serverfault.com/questions/640910/my-certificate-doesnt-work-on-all-machines>

> [heller@c764guest ~]$ ldapwhoami -x -H ldaps://c764guest:636 -D
> cn=Manager,dc=deepsoft,dc=com -W
> Enter LDAP Password:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

This may mean slapd isn't listening on port 636 (With no -d -1 info, hard to know for sure). It may also simply be a different manifestation of the error above.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
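Quanah's two ldapwhoami commands exercise two different paths: `-ZZ` opens port 389 in the clear and sends the LDAP StartTLS extended operation before upgrading the connection, while `ldaps://` expects TLS from the first byte on port 636. The script below is an added example (mine, not from this thread and not OpenLDAP or SSSD code) that performs the same two probes with only the Python standard library, so that a "Can't contact LDAP server (-1)" on 636 can be separated into "nothing listening" versus "TLS handshake rejected", which is exactly the ambiguity Quanah points out. Assumptions: the host name `ldap.example.invalid` and the CA file argument are placeholders; the BER encoder and decoder handle only the short-form lengths a StartTLS exchange uses; Python's ssl module reports a certificate problem in OpenSSL's words, not the NSS "TLS error -8157" text in Robert's output.

```python
import socket
import ssl

# StartTLS extended operation OID (RFC 4511, section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_short_len(n: int) -> bytes:
    """Short-form BER length octet; every message built here is well under 128 bytes."""
    if n >= 128:
        raise ValueError("long-form BER lengths are not handled in this example")
    return bytes([n])


def build_starttls_request(msg_id: int = 1) -> bytes:
    """Encode LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.

    This is the message ldapwhoami -ZZ sends on the clear port before it upgrades to TLS.
    """
    request_name = b"\x80" + ber_short_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] context tag
    ext_request = b"\x77" + ber_short_len(len(request_name)) + request_name  # APPLICATION 23
    message_id = b"\x02\x01" + bytes([msg_id])                                 # INTEGER
    body = message_id + ext_request
    return b"\x30" + ber_short_len(len(body)) + body                           # SEQUENCE


def parse_result_code(message: bytes) -> int:
    """Return the resultCode from an ExtendedResponse [APPLICATION 24]; -1 if the bytes do not fit."""
    if len(message) < 4 or message[:1] != b"\x30" or message[2:3] != b"\x02":
        return -1
    i = 4 + message[3]                # skip the messageID INTEGER
    if message[i:i + 1] != b"\x78":   # ExtendedResponse tag
        return -1
    i += 2                            # tag + short-form length
    if message[i:i + 1] != b"\x0a" or i + 2 >= len(message):  # resultCode ENUMERATED
        return -1
    return message[i + 2]


def check_starttls(host, port=389, cafile=None, timeout=5.0):
    """Mirror ldapwhoami -x -ZZ: connect in the clear, ask for StartTLS, then upgrade and verify."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:
            return f"server answered StartTLS with resultCode {code}: slapd TLS is not usable on {port}"
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return f"StartTLS ok on {port}: {tls.version()}, certificate verified for {host}"


def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Mirror ldapwhoami -x -H ldaps://...: TLS from the first byte, no StartTLS exchange."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return f"ldaps ok on {port}: {tls.version()}, certificate verified for {host}"


def diagnose(check, *args):
    """Run one probe and map the failure class to the next thing to look at on the server."""
    try:
        return check(*args)
    except ConnectionRefusedError:
        return "nothing listening: check the URL list slapd was started with (-h), ldaps:/// included"
    except ssl.SSLCertVerificationError as exc:
        return f"TLS handshake failed on the certificate: {exc.verify_message}"
    except ssl.SSLError as exc:
        return f"TLS handshake failed: {exc}"
    except OSError as exc:  # timeouts, unreachable hosts, resets
        return f"connection problem: {exc}"


if __name__ == "__main__":
    import sys
    # Placeholder host and CA bundle; pass the real slapd host and the CA that signed its cert.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.invalid"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    print("389 StartTLS:", diagnose(check_starttls, host, 389, cafile))
    print("636 ldaps   :", diagnose(check_ldaps, host, 636, cafile))
```

Run it with the slapd host and the CA file the client is expected to trust. A refused connection on 636 points at the listener configuration, a certificate verification error on either port points at the certificate itself (the same class of problem as the `-8157` line above, which Quanah's serverfault link is about), and a non-zero StartTLS resultCode means slapd accepted the clear connection but has no working TLS configuration to offer; `slapd -d -1` on the server side shows which of these it is from slapd's point of view.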