[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation

Robert Heller <heller@deepsoft.com> writes:

R> At Thu, 28 Sep 2017 10:19:43 -0700 Quanah Gibson-Mount <quanah@symas.com> wrote:
>
>> 
>> --On Thursday, September 28, 2017 2:08 PM -0400 Robert Heller 
>> <heller@deepsoft.com> wrote:
>> 
>> > OK, I have narrowed things down to slapd and sssd not playing nice with
>> > each  other.  slapd is able to listen on ldaps (port 636) and accept SSL
>> > connections  (eg from openssl s_client and other applications using
>> > straight SSL).  slapd  will also listen on ldap (port 389), but refuses
>> > to negotiate a TLS connection  on port 389.  It also refuses to negotiate
>> > TLS connection on port 636.  sssd  seems to *insist* on negotiating a TLS
>> > connection on port 636 or port 389 and  won't just connect using ssl to
>> > port 636.  (At least that is what I *think* is  going on.)
>> >
>> > So, I either need to get slapd to do TLS negotiation on port 389 OR port
>> > 636,  or get sssd to NOT do TLS negotiation on port 636 and just connect
>> > with SSL.
>> 
>> You're using a bit of a confusing word soup.
>
> Well, yes... 
>
>> 
>> ldaps == Deprecated, non-standard way of securing connection to LDAP. 
>> Usually on port 636
>> startTLS == RFC standard way of securing connections to LDAP. Usually on 
>> port 389
>
>
>
>> 
>> If you are using ldaps, then you want startTLS to be disabled
>> if you are using startTLS, then you want it enabled.
>> 
>> Your SSD config has:
>> 
>> ldap_id_use_start_tls = false
>> 
>> so this would be correct with use with ldaps:///
>
> But SSSD does not work with ldaps:///...  It *wants* startTLS over ldap:///, 
> which does not *seem* to work.
>
>> 
>> You don't provide any error messages or other useful information, so one 
>> can only specualte what issues you may be having.
>
> Slapd is reporting TLS Negotiation failure when SSSD tries to connect to it.  
> For both port 389 (ldap:///) and 636 (ldaps:///).  So I guess something is 
> wrong with slapd's TLS configuration -- it is failing to do TLS Negotiation, 
> either it is just not doing it or it is doing it wrong (somehow).  Unless SSSD 
> is not configured properly.

>> 
>> I would note that most versions of openssl s_client do not support startTLS 
>> with LDAP (Thus you cannot use it to test port 389).  That feature was only 
>> recently added to OpenSSL.

OK, back to basics,
1. check whether sssd is compiled with openssl's libcrypto:
   ldd sssd
   which should present something like
   libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 
2. check whether slapd has been build with openssl
   ldd slapd, which should present:
   libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0
   libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 
3. verify your certificates:
   openssl verify -CAfile <file> <hostcert>
4. run slapd -h ldaps:///;
   than test connection:
   openssl s_client -connect <host:636> -CAfile <file>

-Dieter
                     
>> If you want to test startTLS on port 389, your best bet is to use an ldap 
>> client utility such as ldapwhoami, like:
>> 
>> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
[...]

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E