
Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation



On Thu, Sep 28, 2017 at 01:08:17PM -0400, Robert Heller wrote:
> OK, I have narrowed things down to slapd and sssd not playing nice with each 
> other.  slapd is able to listen on ldaps (port 636) and accept SSL connections 
> (e.g. from openssl s_client and other applications using straight SSL).  slapd 
> will also listen on ldap (port 389), but refuses to negotiate a TLS connection 
> on port 389.  It also refuses to negotiate TLS connection on port 636.  sssd 
> seems to *insist* on negotiating a TLS connection on port 636 or port 389 and 
> won't just connect using ssl to port 636.  (At least that is what I *think* is 
> going on.)
> 
> So, I either need to get slapd to do TLS negotiation on port 389 OR port 636, 
> or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
> 
> How the hell do I get that to happen?

Up until 6 months ago I used to work in a large RHEL based environment
using sssd->ldap for authentication.  I can suggest a few things based
on my memory.

1. IIRC, sssd doesn't look at ldap.conf, so making changes to
ldap.conf might not have any effect on sssd.  Everything has to be
config'd in sssd.conf.

2. TLS negotiation failures typically indicate a problem w/ your
certificates.  One way to confirm is to alternate setting the
'ldap_tls_reqcert' opt to 'never' and then 'hard', testing each one.
If it works with 'never' but fails with 'hard', then your cert is
likely the issue.

If both fail, there might still be a problem w/ your cert, though
(IIRC).

3. Turn up verbosity of log output.  Set the debug opts in sssd and
slapd to produce verbose log/error messages.  This should yield
detailed info on why TLS negotiation fails.


> 
> here are my config files:
> 
> [root@c764guest heller]# cat /etc/openldap/slapd.d/cn\=config.ldif
> # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> # CRC32 ba294eab
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/openldap/slapd.args
> olcPidFile: /var/run/openldap/slapd.pid
> olcTLSCACertificatePath: /etc/openldap/certs
> structuralObjectClass: olcGlobal
> entryUUID: 7e6a3298-30da-1037-9c4f-458bcc6c0ce0
> creatorsName: cn=config
> createTimestamp: 20170918163057Z
> olcTLSCACertificateFile: /etc/openldap/certs/ca-cert.pem
> olcTLSCertificateFile: /etc/pki/tls/certs/c764guest.cert
> olcTLSCertificateKeyFile: /etc/pki/tls/certs/c764guestkey.pem
> entryCSN: 20170927144348.897441Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20170927144348Z
> 
> [root@c764guest heller]# cat /etc/sssd/sssd.conf
> [domain/default]
> 
> autofs_provider = ldap
> cache_credentials = True
> ldap_search_base = dc=deepsoft,dc=com
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldaps://192.168.250.98/
> ldap_id_use_start_tls = false
> ldap_tls_cacert = /etc/openldap/certs/ca-cert.pem
> ldap_default_bind_dn = uid=sssd,ou=People,dc=deepsoft,dc=com
> ldap_default_authtok = sssd
> [sssd]
> services = nss, pam, autofs
> 
> domains = default
> [nss]
> homedir_substring = /home
> 
> [pam]
> debug_level = 0x7770
> ldap_id_use_start_tls = false
> 
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> [root@c764guest heller]# cat /etc/openldap/ldap.conf
> #
> # LDAP Defaults
> #
> 
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> 
> BASE dc=deepsoft,dc=com
> URI ldaps://192.168.250.98/
> TLS_CACERT /etc/openldap/certs/ca-cert.pem
> TLS_CACERTDIR /etc/openldap/certs
> TLS_REQCERT demand
> 
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
> 
> 
> # Turning this off breaks GSSAPI used with krb5 when rdns = false
> SASL_NOCANON    on
> TLS_REQCERT allow
> 
> 
> 
> -- 
> Robert Heller             -- 978-544-6933
> Deepwoods Software        -- Custom Software Services
> http://www.deepsoft.com/  -- Linux Administration Services
> heller@deepsoft.com       -- Webhosting Services
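Added example, not code from anyone in this thread: a small Python checker for the sssd.conf shape quoted above that implements points 1 and 2 of the reply. It reports each domain's effective LDAP transport and its ldap_tls_reqcert value (assuming, per sssd-ldap(5), that the option defaults to hard when unset), flags domain-level ldap_* options that ended up in another section such as [pam], and produces the never/hard variants for the A/B test. The config text is a constructed sample modelled on the poster's file, and DOMAIN_ONLY is an assumed list covering only the options in that sample.

```python
import configparser
import io

# Constructed sample modelled on the sssd.conf quoted in the thread (not the
# poster's file). The ldap_id_use_start_tls line under [pam] is misplaced: it
# is a domain-section option and has no effect there.
SAMPLE_SSSD_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://192.168.250.98/
ldap_id_use_start_tls = false
ldap_tls_cacert = /etc/openldap/certs/ca-cert.pem
[sssd]
services = nss, pam
domains = default
[pam]
debug_level = 0x7770
ldap_id_use_start_tls = false
"""

# Assumed subset of options that sssd-ldap(5) documents for the domain section.
DOMAIN_ONLY = {"ldap_uri", "ldap_id_use_start_tls", "ldap_tls_reqcert", "ldap_tls_cacert"}

def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_file(io.StringIO(text))
    return cp

def tls_report(text):
    """Summarise the TLS-relevant settings per domain and list misplaced options."""
    cp = parse_sssd_conf(text)
    report = {"domains": {}, "misplaced": []}
    for section in cp.sections():
        if section.startswith("domain/"):
            d = cp[section]
            uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
            ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
            starttls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
            report["domains"][section] = {
                "transport": "ldaps" if ldaps else ("starttls" if starttls else "plaintext"),
                "reqcert": d.get("ldap_tls_reqcert", "hard"),  # sssd-ldap(5) default: hard
                "cacert": d.get("ldap_tls_cacert"),
            }
        else:
            report["misplaced"] += [(section, k) for k in cp[section] if k in DOMAIN_ONLY]
    return report

def with_reqcert(text, domain, value):
    """Return a copy of the config with ldap_tls_reqcert set to value (never/hard A/B test)."""
    cp = parse_sssd_conf(text)
    cp[domain]["ldap_tls_reqcert"] = value
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Run tls_report() on the real file to see whether the domain is actually on ldaps or plaintext and what reqcert is in effect, then feed the with_reqcert() variants to the never/hard test from point 2.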