
Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation

--On Thursday, September 28, 2017 2:08 PM -0400 Robert Heller <heller@deepsoft.com> wrote:

> OK, I have narrowed things down to slapd and sssd not playing nice with
> each other. slapd is able to listen on ldaps (port 636) and accept SSL
> connections (e.g. from openssl s_client and other applications using
> straight SSL). slapd will also listen on ldap (port 389), but refuses
> to negotiate a TLS connection on port 389. It also refuses to negotiate a
> TLS connection on port 636. sssd seems to *insist* on negotiating a TLS
> connection on port 636 or port 389 and won't just connect using SSL to
> port 636. (At least that is what I *think* is going on.)
>
> So, I either need to get slapd to do TLS negotiation on port 389 OR port
> 636, or get sssd to NOT do TLS negotiation on port 636 and just connect
> with SSL.

You're using a bit of a confusing word soup.

ldaps == Deprecated, non-standard way of securing connection to LDAP. Usually on port 636.
startTLS == RFC standard way of securing connections to LDAP. Usually on port 389.

If you are using ldaps, then you want startTLS to be disabled.
If you are using startTLS, then you want it enabled.

Your SSSD config has:

ldap_id_use_start_tls = false

so this would be correct for use with ldaps:///

You don't provide any error messages or other useful information, so one can only speculate what issues you may be having.

I would note that most versions of openssl s_client do not support startTLS with LDAP (Thus you cannot use it to test port 389). That feature was only recently added to OpenSSL.

If you want to test startTLS on port 389, your best bet is to use an ldap client utility such as ldapwhoami, like:

ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -W

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
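The rule in the reply above (ldaps:// URI means ldap_id_use_start_tls = false; ldap:// URI means it should be true) is easy to get wrong by hand, so here is an added shell example, not from the thread or from sssd/OpenLDAP themselves, that reads the two settings out of an sssd.conf domain section, classifies the combination, and prints the client command that exercises the same mode sssd will use (openssl s_client for ldaps on 636, ldapwhoami -ZZ for StartTLS on 389). The sssd.conf fragment, the host ldap.example.invalid and the binddn placeholder are constructed for the example; the option names ldap_uri, ldap_id_use_start_tls and ldap_tls_cacert are real sssd-ldap keys.

```sh
#!/bin/sh
# Constructed sssd.conf domain section (sample data for this example only).
SSSD_CONF_SAMPLE='[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.invalid:636
ldap_id_use_start_tls = false
ldap_tls_cacert = /etc/openldap/cacerts/ca.pem
'

# sssd_get KEY CONF: print the value of "KEY = value" from CONF (first match).
sssd_get() {
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
        | head -n1
}

# tls_mode URI STARTTLS: classify the URI scheme against the StartTLS flag.
# Prints one of: ldaps-ok, starttls-ok, ldaps-but-starttls, ldap-plaintext,
# unknown-scheme. ldaps-but-starttls is the mismatch the reply warns about;
# ldap-plaintext means neither mechanism protects the connection at all.
tls_mode() {
    uri=$1; starttls=$2
    case "$uri" in
        ldaps://*)
            [ "$starttls" = "true" ] && echo ldaps-but-starttls || echo ldaps-ok ;;
        ldap://*)
            [ "$starttls" = "true" ] && echo starttls-ok || echo ldap-plaintext ;;
        *)
            echo unknown-scheme ;;
    esac
}

# verify_cmd URI MODE: print the client-side command that tests MODE.
# openssl s_client speaks plain TLS, so it only tests the ldaps listener;
# StartTLS on 389 is tested with ldapwhoami -ZZ (-W prompts for the password).
verify_cmd() {
    uri=$1; mode=$2
    hostport=${uri#*://}; hostport=${hostport%%/*}
    case "$hostport" in
        *:*) ;;                         # explicit port given
        *)   hostport="${hostport}:636" ;;  # default ldaps port
    esac
    case "$mode" in
        ldaps-ok)    echo "openssl s_client -connect ${hostport} </dev/null" ;;
        starttls-ok) echo "ldapwhoami -x -ZZ -H ${uri} -D binddn -W" ;;
        *)           echo "no-test: mode ${mode}" ;;
    esac
}

# check_sssd_conf CONF: print the classification for a whole config fragment.
check_sssd_conf() {
    conf=$1
    uri=$(sssd_get ldap_uri "$conf")
    st=$(sssd_get ldap_id_use_start_tls "$conf")
    tls_mode "$uri" "$st"
}

# Stand-alone run over the constructed sample: reports the mode and the
# matching test command.
uri=$(sssd_get ldap_uri "$SSSD_CONF_SAMPLE")
mode=$(check_sssd_conf "$SSSD_CONF_SAMPLE")
echo "ldap_uri=${uri} mode=${mode}"
echo "test with: $(verify_cmd "$uri" "$mode")"
```

Run it against a real /etc/sssd/sssd.conf by replacing SSSD_CONF_SAMPLE with the output of the [domain/...] section you care about; ldaps-but-starttls or ldap-plaintext is the combination to correct before looking anywhere else.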