I have actually read this post before, and it describes the problem I’m having exactly, but the purported fix does not work for me. My SSSD configuration file contains “ldap_tls_reqcert = never,” “ldap_tls_cacert = (certificate path for ca)” and “ldap_tls_cert = (certificate path for server).”
Ulrich: I actually don’t even remember what SANs or CNs are in the certificate, but it shouldn’t matter as we have reqcert set to never. Too, if I turn verification off in SSSD entirely with “certificate_verification = no_verification,” I have the exact same problem. (We really could not care less about TLS security on this particular network, but SSSD simply will not work without at least nominally connecting over TLS/SSL.)
Thanks,

Jarett
From: Ulf Volmer
Sent: Monday, January 9, 2023 5:08 PM
To: openldap-technical@openldap.org
Subject: Re: newer TLS clients (> 3.0?) can't connect to OpenLDAP's TLS with SSSD
On 09.01.23 22:10, Jarett DeAngelis wrote:
> hi - using OpenLDAP 2.6.3 and finding that newer LDAP client libraries (like the one that comes with Ubuntu 22.04.1 LTS) can't complete a connection to the LDAP server's TLS port. A machine I have running Rocky 8.6, however, with OpenSSL 1.1.1k, connects just fine. This is using self-generated certificates, but the correct CA cert and server cert have been provided to SSSD to use for login. The two machines are using identical certificates and SSSD configuration files.
Ubuntu's libldap is linked against gnutls, not openssl.
Maybe you will find the solution in
https://github.com/SSSD/sssd/issues/5444
Best regards

Ulf
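The thread above turns on which sssd.conf options actually govern verification of the LDAP server's TLS certificate. As an added example (not code from the thread or from the SSSD project), the script below parses a constructed sssd.conf that mirrors the settings Jarett describes and reports the points a reviewer would raise: per sssd-ldap(5), `ldap_tls_reqcert` (default `hard`) controls server-certificate checking, `ldap_tls_cacert` names the CA used for that check, and `ldap_tls_cert`/`ldap_tls_key` are the client's own certificate and key for client-certificate authentication, while `certificate_verification` in the `[sssd]` section tunes checks on user certificates used for certificate/smart-card login rather than the LDAP channel. File paths, the domain name and the hardened variant are assumptions.

```python
"""Audit the TLS-related options of an sssd.conf (added example, not SSSD code).

Assumptions: the sample configs below are constructed; paths are placeholders.
Option semantics follow sssd-ldap(5) and sssd.conf(5).
"""
import configparser

# Constructed config mirroring the thread: reqcert disabled, a "server" cert
# placed in the client-certificate option, and certificate_verification set.
SAMPLE_SSSD_CONF = """
[sssd]
domains = example
services = nss, pam
certificate_verification = no_verification

[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.internal
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
ldap_tls_cert = /etc/ssl/certs/ldap-server.pem
"""

# Constructed hardened variant: verify the server against the CA, no stray
# client-certificate option, no unrelated certificate_verification tuning.
HARDENED_SSSD_CONF = """
[sssd]
domains = example
services = nss, pam

[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.internal
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
"""

VALID_REQCERT = {"never", "allow", "try", "demand", "hard"}


def audit_tls_options(conf_text):
    """Return a list of (severity, section, code, message) findings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []

    if parser.has_option("sssd", "certificate_verification"):
        findings.append(("info", "sssd", "certificate_verification_not_ldap_tls",
                         "certificate_verification tunes checks on user certificates for "
                         "certificate/smart-card authentication; it does not affect how the "
                         "LDAP server's TLS certificate is verified (see ldap_tls_reqcert)."))

    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = parser[section]
        # sssd-ldap(5): default for ldap_tls_reqcert is "hard".
        reqcert = opts.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert not in VALID_REQCERT:
            findings.append(("error", section, "invalid_reqcert",
                             "ldap_tls_reqcert=%r is not one of %s" % (reqcert, sorted(VALID_REQCERT))))
        elif reqcert in ("never", "allow"):
            findings.append(("warning", section, "server_cert_unverified",
                             "ldap_tls_reqcert=%s: the server certificate is not validated, so "
                             "ldap_tls_cacert plays no role and a spoofed server is accepted." % reqcert))
        elif "ldap_tls_cacert" not in opts:
            findings.append(("info", section, "cacert_from_ldap_defaults",
                             "ldap_tls_reqcert=%s but no ldap_tls_cacert; verification relies on "
                             "the OpenLDAP client defaults (ldap.conf)." % reqcert))

        # ldap_tls_cert is the *client's* certificate; it needs ldap_tls_key to be usable.
        if "ldap_tls_cert" in opts and "ldap_tls_key" not in opts:
            findings.append(("error", section, "client_cert_without_key",
                             "ldap_tls_cert names a client certificate (not the server's) but "
                             "ldap_tls_key is unset, so client-certificate auth cannot work."))
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        print("==", label)
        for severity, section, code, message in audit_tls_options(conf):
            print("%-7s [%s] %s: %s" % (severity, section, code, message))
```

Run it against a real sssd.conf by reading the file into `audit_tls_options`; the codes returned are stable strings so the check can be wired into a configuration-management test.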