Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
- To: Quanah Gibson-Mount <quanah@symas.com>
- Subject: Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
- From: Robert Heller <heller@deepsoft.com>
- Date: Thu, 28 Sep 2017 14:34:34 -0400 (EDT)
- Cc: Robert Heller <heller@deepsoft.com>, Openldap Technical <openldap-technical@openldap.org>
- In-reply-to: <3631C46B10C6A6D96C92A6CA@[192.168.1.30]>
- Organization: Deepwoods Software
- References: <20170928170817.DE268732A40@sharky3.deepsoft.com> <WM!3841d97ef9fe61874abde790669c89cda7491f751a8d1d42d6fedcad23ad03723369227f2cf988e1296a97f7d1455a45!@mailstronghold-2.zmailcloud.com> <3631C46B10C6A6D96C92A6CA@[192.168.1.30]>
At Thu, 28 Sep 2017 10:19:43 -0700 Quanah Gibson-Mount <quanah@symas.com> wrote:
>
> --On Thursday, September 28, 2017 2:08 PM -0400 Robert Heller
> <heller@deepsoft.com> wrote:
>
> > OK, I have narrowed things down to slapd and sssd not playing nice with
> > each other. slapd is able to listen on ldaps (port 636) and accept SSL
> > connections (e.g. from openssl s_client and other applications using
> > straight SSL). slapd will also listen on ldap (port 389), but refuses
> > to negotiate a TLS connection on port 389. It also refuses to negotiate
> > a TLS connection on port 636. sssd seems to *insist* on negotiating a TLS
> > connection on port 636 or port 389 and won't just connect using ssl to
> > port 636. (At least that is what I *think* is going on.)
> >
> > So, I either need to get slapd to do TLS negotiation on port 389 OR port
> > 636, or get sssd to NOT do TLS negotiation on port 636 and just connect
> > with SSL.
>
> You're using a bit of a confusing word soup.
Well, yes...
>
> ldaps == Deprecated, non-standard way of securing connection to LDAP.
> Usually on port 636
> startTLS == RFC standard way of securing connections to LDAP. Usually on
> port 389
>
> If you are using ldaps, then you want startTLS to be disabled
> if you are using startTLS, then you want it enabled.
>
> Your SSSD config has:
>
> ldap_id_use_start_tls = false
>
> so this would be correct for use with ldaps:///
But SSSD does not work with ldaps:///... It *wants* startTLS over ldap:///,
which does not *seem* to work.
>
> You don't provide any error messages or other useful information, so one
> can only speculate what issues you may be having.
Slapd is reporting TLS Negotiation failure when SSSD tries to connect to it,
for both port 389 (ldap:///) and 636 (ldaps:///). So I guess something is
wrong with slapd's TLS configuration -- it is failing to do TLS Negotiation,
either it is just not doing it or it is doing it wrong (somehow). Unless SSSD
is not configured properly.
>
> I would note that most versions of openssl s_client do not support startTLS
> with LDAP (Thus you cannot use it to test port 389). That feature was only
> recently added to OpenSSL.
>
> If you want to test startTLS on port 389, your best bet is to use an ldap
> client utility such as ldapwhoami, like:
>
> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services
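The ldaps-versus-StartTLS distinction Quanah draws in the reply above (TLS on connect for ldaps:// on 636, versus a plain LDAP session that is upgraded by the StartTLS extended operation on 389, and the matching `ldap_id_use_start_tls` value in sssd.conf) can be checked without an LDAP client library. The following is an added diagnostic example written for this thread; it is not code from the thread, from OpenLDAP or from SSSD. It hand-encodes the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511) in BER so the wire-level difference is visible, and parses the server's ExtendedResponse result code, which is what slapd sends back when it refuses to start TLS. The host and port arguments are placeholders supplied by the caller, and the two sample response byte strings are constructed for the offline demonstration, not captured from a real slapd.

```python
"""Distinguish ldaps:// (TLS before any LDAP PDU) from ldap:// + StartTLS.

Added example for the mailing-list thread; not from OpenLDAP or SSSD.
Host/port are placeholders; SAMPLE_* responses are constructed, not captured.
"""
import socket
import ssl

# OID of the StartTLS extended operation (RFC 4511 section 4.14)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """BER length octets: short form below 128, long form at or above it."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """Encode one BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def starttls_request(message_id=1):
    """LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    if not 1 <= message_id <= 127:
        raise ValueError("keep message_id in 1..127 so the INTEGER fits one octet")
    msg_id = ber_tlv(0x02, bytes([message_id]))
    # 0x77 = APPLICATION 23 constructed; 0x80 = context tag [0] primitive
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, msg_id + ext_req)


def ber_read(buf, pos=0):
    """Decode one BER element at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Return (resultCode, diagnosticMessage) from an LDAP ExtendedResponse."""
    tag, body, _ = ber_read(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, pos = ber_read(body)
    tag, op, _ = ber_read(body, pos)
    if tag != 0x78:  # APPLICATION 24 constructed = ExtendedResponse
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, rc, pos = ber_read(op)             # resultCode ENUMERATED
    _, _matched_dn, pos = ber_read(op, pos)  # matchedDN
    _, diag, pos = ber_read(op, pos)         # diagnosticMessage
    return int.from_bytes(rc, "big"), diag.decode("utf-8", errors="replace")


def expected_start_tls_setting(ldap_uri):
    """sssd.conf ldap_id_use_start_tls value that matches the ldap_uri scheme."""
    scheme = ldap_uri.split("://", 1)[0].lower()
    if scheme == "ldaps":
        return "false"   # TLS is already negotiated on connect
    if scheme == "ldap":
        return "true"    # plain session must be upgraded with StartTLS
    raise ValueError("unknown scheme: " + scheme)


def check_ldaps(host, port=636, timeout=5):
    """ldaps://: the TLS handshake happens before any LDAP PDU; returns TLS version."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def check_starttls(host, port=389, timeout=5):
    """ldap://: plain TCP, then StartTLS extended op, then TLS; returns (rc, diag, version)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(starttls_request())
        rc, diag = parse_extended_response(raw.recv(4096))  # response fits one read here
        if rc != 0:
            return rc, diag, None
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # handshake on wrap
            return rc, diag, tls.version()


# Constructed sample responses (not captured from a real server):
# resultCode 0 (success), empty matchedDN and diagnosticMessage
SAMPLE_OK = b"\x30\x0c\x02\x01\x01\x78\x07\x0a\x01\x00\x04\x00\x04\x00"
# resultCode 52 (unavailable) with a diagnostic string, as a refused StartTLS
SAMPLE_FAIL = b"\x30\x1d\x02\x01\x01\x78\x18\x0a\x01\x34\x04\x00\x04\x11" + b"TLS not supported"

if __name__ == "__main__":
    print("StartTLS request:", starttls_request().hex())
    print("sample ok  ->", parse_extended_response(SAMPLE_OK))
    print("sample fail->", parse_extended_response(SAMPLE_FAIL))
    print("ldaps:///  -> ldap_id_use_start_tls =", expected_start_tls_setting("ldaps:///"))
```

Run against a real server only with your own host in place of the placeholder (for example `check_starttls("ldap.example.test")`): a non-zero result code from `check_starttls` means slapd itself declined the StartTLS operation, which points at the server's TLS configuration rather than at sssd, while a successful `check_ldaps` alongside a failing `check_starttls` is exactly the mismatch that `ldap_id_use_start_tls = false` with `ldap_uri = ldaps://...` avoids.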