Robert Heller heller@deepsoft.com writes:
OK, I have narrowed things down to slapd and sssd not playing nice with each other. slapd is able to listen on ldaps (port 636) and accept SSL connections (e.g. from openssl s_client and other applications using straight SSL). slapd will also listen on ldap (port 389), but refuses to negotiate a TLS connection on port 389. It also refuses to negotiate a TLS connection on port 636. sssd seems to *insist* on negotiating a TLS connection on port 636 or port 389 and won't just connect using SSL to port 636. (At least that is what I *think* is going on.)
So, I either need to get slapd to do TLS negotiation on port 389 OR port 636, or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
How the hell do I get that to happen?
[...]
These are two different ports and methods to connect. On port 389 a client initiates a secured session by calling the startTLS extended operation. While on port 636 the server requests a secured session. Check your init script, or systemctl service script, whether ldap:/// or ldaps:// is initiated, or both.
-Dieter
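To make the distinction in the reply concrete, here is an added example (not code from either poster or from OpenLDAP/sssd) that builds the StartTLS extended request a client sends in the clear on port 389 and decodes the server's extended response, next to the port-636 flow where the TLS handshake happens before any LDAP message is exchanged. The host names and the sample responses are constructed; a single recv() is assumed to return the whole response.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511 / RFC 4513)

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))  # 0x77 = [APPLICATION 23], 0x80 = context tag [0]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext_req)

def _read_tlv(data: bytes, pos: int):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_extended_response(data: bytes) -> dict:
    """Decode ExtendedResponse [APPLICATION 24]; resultCode 0 means the TLS handshake may start."""
    tag, body, _ = _read_tlv(data, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    assert tag == 0x78, "not an ExtendedResponse"
    _, code, pos = _read_tlv(resp, 0)      # ENUMERATED resultCode
    _, _matched, pos = _read_tlv(resp, pos)  # matchedDN (unused here)
    _, diag, pos = _read_tlv(resp, pos)    # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode(errors="replace")}

def starttls_on_389(host: str, port: int = 389) -> ssl.SSLSocket:
    """Port 389 flow: plain LDAP, StartTLS request, then TLS on the same socket."""
    sock = socket.create_connection((host, port))
    sock.sendall(build_starttls_request(1))
    resp = parse_extended_response(sock.recv(4096))
    if resp["result_code"] != 0:  # a server without TLS configured refuses at this point
        sock.close()
        raise RuntimeError(f"StartTLS refused: {resp}")
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host)

def ldaps_on_636(host: str, port: int = 636) -> ssl.SSLSocket:
    """Port 636 flow: TLS handshake first; no StartTLS request is ever sent."""
    sock = socket.create_connection((host, port))
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host)
```

Run the two connection helpers against a test host (e.g. `starttls_on_389("ldap.example.test")`, a constructed name) to see which of the two negotiations a given slapd accepts.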