
Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation



On 28.09.2017 21:41, Robert Heller wrote:
> Will these spit out useful error messages?  If I just get "TLS Negotiation 
> failure" it is not going to be helpful.
> 

You can make it a little bit more verbose with the option "-d -1".

It is only a suggestion, but can you test the parameter

TLS_REQCERT allow

in your /etc/openldap/ldap.conf

This is not a good option for production systems, but it seems you have run
into trouble with your certificates.

You have to set your

TLS_CACERT
xor
TLS_CACERTDIR

correctly in your /etc/openldap/slapd.conf to work without trouble with your
SSL/TLS.

best regards
Michael

> At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah@symas.com> wrote:
> 
>>
>> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller 
>> <heller@deepsoft.com> wrote:
>>
>>
>>> Slapd is reporting TLS Negotiation failure when SSSD tries to connect to
>>> it.   For both port 389 (ldap:///) and 636 (ldaps:///).  So I guess
>>> something is  wrong with slapd's TLS configuration -- it is failing to do
>>> TLS Negotiation,  either it is just not doing it or it is doing it wrong
>>> (somehow).  Unless SSSD  is not configured properly.
>>
>> You need to start with the following:
>>
>> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
>>
>> to test startTLS
>>
>> and
>>
>> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
>>
>> to test without startTLS
>>
>> If you can get those to work, then you can move on to SSSD.
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Product Architect
>> Symas Corporation
>> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
>> <http://www.symas.com>
>>
>>                                                                             
> 


-- 
Michael Wandel
Braakstraße 43
33647 Bielefeld
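A small lint for the ldap.conf settings discussed in this thread (TLS_REQCERT, TLS_CACERT / TLS_CACERTDIR), added here as an example; it is not code from the thread or from OpenLDAP, and the config files it writes are constructed samples, not real paths.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an ldap.conf for the TLS
# settings discussed above. Exit status 0 means the client will verify the
# server certificate (TLS_REQCERT demand/hard and a CA configured); 1 means
# the file is in a debugging-only state (TLS_REQCERT allow/never/try, or no
# CA at all). Assumes POSIX sh plus awk and tr; sample paths are constructed.

# Value of a key in ldap.conf (case-insensitive key, last occurrence wins;
# commented-out lines such as "#TLS_REQCERT allow" are ignored).
ldapconf_get() {
    awk -v k="$2" 'toupper($1) == toupper(k) { v = $2 } END { print v }' "$1"
}

check_ldap_conf() {
    conf=$1; rc=0
    reqcert=$(ldapconf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    case "${reqcert:-demand}" in            # OpenLDAP's default is demand
        demand|hard) ;;
        never|allow|try)
            echo "WARN: TLS_REQCERT ${reqcert} skips server certificate verification (debugging only)"
            rc=1 ;;
        *)  echo "WARN: unrecognised TLS_REQCERT value '${reqcert}'"; rc=1 ;;
    esac
    cacert=$(ldapconf_get "$conf" TLS_CACERT)
    cadir=$(ldapconf_get "$conf" TLS_CACERTDIR)
    if [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "WARN: no CA configured; set TLS_CACERT (file) or TLS_CACERTDIR (directory)"
        rc=1
    fi
    return "$rc"
}

# Constructed samples: the debugging workaround from the thread, then a fixed file.
demo() {
    bad=$(mktemp); good=$(mktemp)
    printf 'TLS_REQCERT allow\n' > "$bad"
    printf 'TLS_CACERT /etc/openldap/certs/ca.pem\nTLS_REQCERT demand\n' > "$good"
    for f in "$bad" "$good"; do
        if check_ldap_conf "$f"; then echo "$f: OK"; else echo "$f: NOT production-ready"; fi
    done
    rm -f "$bad" "$good"
}
demo
```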